Endpoint //

Privacy

5/9/2018
09:30 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

FBI: Reported Internet Crimes Topped $1.4 Billion Last Year

Business email compromise (BEC) campaigns outnumbered ransomware cases.

The FBI's Internet Crime Complaint Center (IC3) logged more than 301,000 complaints of Internet crimes last year that resulted in losses of more than $1.4 billion — and that's just from consumers and businesses that reported incidents to the bureau.

Victims who reported attacks to the IC3 mostly were hit with so-called non-payment/non-delivery scams, personal data breaches, and phishing attacks. The most-costly types of Internet crimes reported to the FBI were business email compromise (BEC), confidence/romance fraud, and non-payment/non-delivery scams.

Ransomware, the darling of the cybercrime and nation-state hacker scenes, actually declined in 2017, according to the FBI IC3 data, from 2,673 complaints in 2016 to 1,783 last year. Victims of ransomware lost more than $2.3 million last year, versus $2.4 million in 2016.

But that data may well be skewed by shifts in ransomware targets: the drop in ransomware reports to the FBI could be due to the rise in those attacks on more lucrative targets than consumers — larger organizations. It also could reflect larger organizations not reporting their attacks to IC3.

"The FBI IC3 only reports on what is given to them. In the case of ransomware specifically, victims seem even less inclined to report — to the point where it hampers our ability to go after the bad guy," says John Bambenek, vice president of security research and intelligence at ThreatSTOP.

Bambenek says many large enterprises may have the resources in-house to handle the incident without law enforcement, and some corporate counsels may advise reporting a ransomware attack if it's not required. In addition, he notes, cryptojacking's recent rise also has contributed to lower ransomware numbers as attackers have found a simpler and more lucrative way to make money than relying on ransom payments.

BEC
Meanwhile, reported BEC and email account compromise (EAC) attacks netted the most losses to victims last year, with 15,690 BEC complaints and losses of more than $675 million. These types of attacks dupe business users into transferring money, purportedly to their supplier or other business partner. EAC is where an attacker wrests control of a legitimate user's business email account rather than use a phony account.

So-called confidence fraud/romance schemes, where a fraudster poses online as a love interest or other trusted person to squeeze money from the target, netted attackers more than $211 million last year, according to the IC3's report. Scams where victims paid for an item or service online that never arrived or they didn't receive payment for an item (non-payment/non-delivery) resulted in more than $141 million in losses to victims.

Another popular scam last year was tech support fraud, which increased by 90% over 2016. The IC3 logged nearly 11,000 complaints of attacks that resulted in losses of $15 million.

The top 10 US states with the most victims of Internet crime were California (41,974), Florida (21,887), Texas (21,852), New York (17,622), Pennsylvania (11,348), Virginia (9,436), Illinois (9,381), Ohio (8,157), Colorado (7,909), and New Jersey (7,657).

"We want to encourage everyone who suspects they have been victimized by online fraudsters to report it to us," says Donna Gregory, chief of the IC3. "The more data we have, the more effective we can be in raising public awareness, reducing the number of victims who fall prey to these schemes, and increasing the number of criminals who are identified and brought to justice."

Related Content:

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.