CYBERSECURITY LOSSES – FBI CRIME REPORT 2022

Written by Mike Olivier 6/6/23

The latest FBI annual Internet Crime Complaint Center (IC3) report was released this March. The report is based on self-reporting by organizations and individuals who were the victims of internet crime. The FBI has been collecting and reporting on this data since May 2000. Throughout these twelve years, the total number of cyber incidents has grown annually; as of the end of 2022, there have been over seven million cybercrime reports. This number is most likely an undercount, as many victims do not report. From 2018 to 2022, the IC3 received 3.2 million complaints associated with a loss of $27.6 billion. In 2022, the number of reported crimes decreased, but the financial losses were up by $3 billion. The purpose of the report is to identify trends in cybercrime, focus efforts on combating those trends, and use that information to educate the public and reduce the cyber threat. As illustrated in the report, most of these cybercrimes begin with email; recognizing the threats that originate from malicious email is one of the best ways to avoid becoming a victim of a cybercrime. In addition, the information gathered by the report allows for allocating resources to defend against these crimes; the data helped establish the IC3 Recovery Asset Team (RAT). The RAT was established in 2018 to stop fraudulent bank transfers resulting from successful cyberattacks. In 2022, the IC3 RAT stopped or froze the transfer of $433 million of funds, a 73% recovery rate.
By identifying and highlighting the cybercrime type or class, the report is able to identify defensive measures that can reduce the probability of a successful attack. In doing so, the report listed the 2022 top five cybercrime classes by the number of complaints; they were phishing (300,497), personal data breach (58,859), non-payment/delivery (51,679), extortion (39,416), and tech support fraud (35,536). Phishing is a criminal's use of email, text messages, and telephone calls, purportedly from a legitimate company, to request personal, financial, and/or login credentials. A Personal Data Breach is a leak/spill of personal data from a secure location into an untrusted environment, or it can be a security incident in which an individual’s sensitive or protected data is stolen or used by an unauthorized individual. Non-payment is when goods or services are delivered and payment is never received; non-delivery is when payment is sent and the goods or services are never received, or lesser-quality goods are delivered. Extortion is the extraction of money or property through intimidation or undue exercise of authority; it may include threats of physical harm, false threats of criminal prosecution, or public exposure. Tech Support Fraud is when the criminal poses as technical or customer support/service; they are paid for no support, or they access and compromise your computer. When evaluating the most common types of attacks, almost all of them involve email. The lone exception is a Personal Data Breach, when personal data is stolen and compromised. Then again, the entry point for personal data theft is often email.
Cybercriminals use many avenues to separate people from their money. The most important point made in the FBI report is that cybercriminals’ preferred means of communication is email. From the criminal’s perspective, email is easy to use and extremely easy to scale. The best defense against fraudulent email is education; gaining the knowledge to recognize fake email is almost a battle won. One of the primary ways to do this is to look at the sender’s address; if the domain does not match the bank, utility company, etc., it is a scam.
No matter the precautions, people make mistakes, and they become compromised. To address email compromise and fraud, the IC3 stood up the RAT to assist people who have been swindled. The RAT can stop the money transfer and assist with its recovery. However, time is of the essence; if the victim waits too long to report, the money may be lost. The advice is to act immediately and execute these steps at the same time. First, contact the originating financial institution and request a recall or reversal of the transaction; the goal is to stop the transaction. Then request a Hold Harmless Letter or Letter of Indemnity. Immediately after the call to the financial institution, file a detailed complaint at www.ic3.gov. It is extremely important to fill out all required data fields, including the banking information. A rule in dealing with financial transactions is to ensure you are addressing a legitimate financial entity, not a fraud. You should never make or send any payments without verifying the email addresses, phone numbers, and people to ensure you are dealing with a legitimate business.
Since reporting began in May of 2000, every year has seen an increase in the money lost to cybercrime. Cybercrime is an international business employing hundreds of thousands worldwide, all fighting to take your money. Your best defense is knowledge; understanding how to avoid email compromise will significantly reduce the likelihood of a successful attack. Knowing to report quickly will increase your odds of recovery. As with many things, the victim of cybercrime must take the initiative to report and fight to recover.


