2017 FBI Internet Crime Report Shows Harm Caused by BEC Attacks

The FBI 2017 Internet Crime Report has been released. The report is based on the complaints received by the FBI’s Internet Crime Complaint Center (IC3). It details the most prevalent online scams, the scale of internet criminal activity and the losses resulting from these crimes. In 2017, IC3 received 301,580 complaints related to Internet crime. The total losses for the year exceeded $1.4 billion. Since 2013, total losses to online scams have exceeded $5.52 billion. To date, over 1.4 million complaints have been received.

The most prevalent types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing scams, but the biggest losses were due to business email compromise (BEC) attacks and email account compromise scams, with over $675 million in losses. The second biggest cause of loss was confidence scams/romance fraud, followed by non-payment/non-delivery scams.

In 2017, 25,344 phishing incidents were reported to IC3, with corresponding losses of $29,703,421. Since phishing is often used in other categories of crime such as credit card scams and company/personal data breaches, the losses are likely to be far higher. Healthcare-related crimes, such as bogus insurance cards, defrauding private and government healthcare programs, diversion/pill mill practices and theft of health data, resulted in at least $925,849 in losses. There were 406 complaints received about these types of scams.

The FBI report also covers the most prevalent types of crime that have led to substantial losses. BEC scams typically involve a phishing attempt on a company’s senior executives such as the CEO or CFO. Using social engineering techniques, the attacker convinces the executive to disclose his or her login credentials. The attacker then accesses the executive’s email account and emails employees, requesting sensitive data such as W-2 Forms or attempting to get them to make wire transfers. The attacker does not necessarily need access to the senior executive’s email account. The scam may simply involve spoofing the CEO’s email address.

Spam filtering solutions are not effective when emails are sent in-house using a compromised account. Employing 2-factor authentication is a better defense: when someone accesses an email account using an unfamiliar device, the system requires an extra form of identification. Other policies and procedures may be implemented to avert these scams. For example, transfers higher than a certain amount should be validated by phone. Policies should also be introduced to prohibit the sending of sensitive data via email.
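The point above about in-house mail, as an added example (not from the FBI report or this article): a sender-address check flags a spoofed executive address but passes a message sent from a compromised internal account, so the request itself has to trigger the phone-validation and no-sensitive-data-by-email policies. The company domain, executive names, dollar threshold and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none come from the report.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "sam lee"}   # display names of the CEO / CFO
PHONE_CHECK_THRESHOLD = 10_000         # dollars; "a certain amount" in the policy
W2 = re.compile(r"\bw-?2\b", re.I)
WIRE = re.compile(r"\bwire\b", re.I)
AMOUNT = re.compile(r"\$\s?(\d[\d,]*)")

def body_text(msg):
    """Join the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def triage(raw):
    """Return the policy flags a raw RFC 5322 message should raise."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    flags = []
    # Spoofing case: executive's display name on an address outside the company.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive-name-external-address")
    # Policy: sensitive data such as W-2 forms is never sent by email.
    if W2.search(text):
        flags.append("sensitive-data-request")
    # Policy: large (or unspecified) wire transfers are validated by phone,
    # regardless of sender, because the account itself may be compromised.
    if WIRE.search(text):
        amounts = [int(a.replace(",", "")) for a in AMOUNT.findall(text)]
        if not amounts or max(amounts) >= PHONE_CHECK_THRESHOLD:
            flags.append("verify-by-phone")
    return flags

# Constructed sample messages.
SPOOFED = ("From: Jane Doe <jane.doe@mail-example.test>\nSubject: W-2 forms\n\n"
           "Please send me all employee W-2 forms today.\n")
INTERNAL = ("From: Sam Lee <sam.lee@example.com>\nSubject: Urgent payment\n\n"
            "Please wire $48,500 to the new vendor account before noon.\n")
ROUTINE = ("From: Sam Lee <sam.lee@example.com>\nSubject: Lunch\n\n"
           "Team lunch is at noon on Friday.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL, ROUTINE):
        print(triage(sample))
```

The `INTERNAL` message comes from a legitimate company address, so only the content-based rule catches it.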

Cybercriminals are now moving from ransomware to cryptocurrency mining, although there were several major attacks in 2017 and the healthcare industry was extensively targeted. Healthcare organizations are employing solutions such as spam filters, user-behavior monitoring solutions, and intrusion detection software to prevent these attacks and limit the harm caused. Employee security awareness training can also help to reduce the potential for successful attacks. Network segmentation can limit the harm caused, and good data backup policies will ensure data can be recovered without paying the ransom. The FBI discourages payment of ransom, but in case there’s no other solution, it could be considered as an option.

There were many reports of tech support scams in 2017, an increase of 90% from 2016. These scams try to get users to pay fraudsters to fix fictional problems such as screen lockers or fake viruses. In the process, fraudsters also get remote access to the user’s device or are able to install malware and steal credentials and sensitive data.

Another growing problem is elder fraud. In 2017, 49,523 reports were filed by victims over 60 years old, with recorded losses of over $342 million. In February, the Department of Justice introduced the Elder Justice Initiative to tackle the problem. According to Attorney General Jeff Sessions, the Justice Department is committed to protecting elderly Americans. Criminals who steal the hard-earned savings of senior Americans will be punished to the full extent of the law.

Other internet crimes on the rise include extortion scams, impersonation schemes, loan scams, sextortion, and hitman schemes. There were 14,938 extortion-related complaints received by IC3 in 2017 with losses amounting to over $15 million. The states with the most cases of internet crime are California, Florida, Texas, New York and Pennsylvania.