The Federal Bureau of Investigation has published its annual report on cybercrime affecting victims in the U.S., noting a record number of complaints and financial losses in 2020 compared to the previous year.
Last year, the Internet Crime Complaint Center (IC3) received 791,790 complaints of suspected internet crime, up by 69% from 2019, with reported losses of more than $4 billion.
While most complaints were for phishing, non-payment/non-delivery scams, and extortion, about half of the losses are accounted for by business email compromise (BEC), romance and confidence scams, and investment fraud.
According to the IC3 report, BEC or email account compromise (EAC) scams recorded 19,369 complaints in 2020, which is 19% fewer than the previous year. However, this type of cybercrime alone caused $1.8 billion in losses, up from $1.7 billion in 2019.
Crane Hassold, senior director of threat research at Agari, told BleepingComputer that the difference could be explained by many threat actors “pivoting to unemployment/SBA/PPP fraud in the middle of the year.”
Referring to BEC scams, Hassold said that when considering spoofing as a subset of this cybercriminal activity, the financial impact is closer to $2.1 billion.
BEC scams are carried out by compromising business email accounts and modifying transaction details so that funds are transferred to a bank account controlled by the attacker.
A trend observed in 2020 was the use of identity theft and the conversion of funds to cryptocurrency. In these cases, an initial victim (of an extortion, tech support, or romance scam) provided their ID to the fraudster.
BEC scammers would use the ID to open bank accounts and receive BEC funds, which would be quickly converted to cryptocurrency to make the money harder to trace.
Since 2018, the FBI has had a Recovery Asset Team (RAT) specialized in freezing accounts used for unauthorized BEC transfers and recovering money that can still be tracked.
Last year, RAT was able to freeze and recover a little over 82% of almost $463 million in losses reported in 1,303 incidents.
One case involved an illegal wire transfer of $60 million from a victim company in St. Louis to a bank account in Hong Kong controlled by the fraudsters.
One type of cybercrime that is grossly misrepresented in the FBI’s annual report is ransomware, with 2,474 complaints and adjusted losses of more than $29.1 million.
Although the figures are small, they represent an increase compared to 2019, when IC3 received 2,047 complaints and the losses were above $8.9 million.
Ransomware is a multi-billion-dollar cybercriminal business that has not stopped growing, with some actors’ demands averaging upward of $1 million.
In just five months, the Netwalker ransomware gang made $25 million from paying victims last year. One of its affiliates, charged in the U.S., is believed to have made more than $27 million from this activity.
Other ransomware operations - Maze, Conti, Egregor, REvil, Ryuk, DoppelPaymer - were responsible for a larger number of attacks last year and higher profits.
These gangs target big-revenue companies that would stand to lose more from downtime or data leaks than from paying the ransom. Many of these attacks remain unreported to avoid legal complications.
Looking at the raw figures in the latest report from the FBI’s Internet Crime Complaint Center, cybercrime recorded significant growth in 2020, both in terms of filed complaints and money lost by victims in the U.S.