The FBI's Internet Crime Complaint Center (IC3) logged more than 301,000 complaints of Internet crimes last year that resulted in losses of more than $1.4 billion — and that's just from consumers and businesses that reported incidents to the bureau.
Victims who reported attacks to the IC3 mostly were hit with so-called non-payment/non-delivery scams, personal data breaches, and phishing attacks. The most-costly types of Internet crimes reported to the FBI were business email compromise (BEC), confidence/romance fraud, and non-payment/non-delivery scams.
Ransomware, the darling of the cybercrime and nation-state hacker scenes, actually declined in 2017, according to the FBI IC3 data, from 2,673 complaints in 2016 to 1,783 last year. Victims of ransomware lost more than $2.3 million last year, versus $2.4 million in 2016.
But that data may well be skewed by shifts in ransomware targets: the drop in ransomware reports to the FBI could be due to the rise in those attacks on more lucrative targets than consumers — larger organizations. It also could reflect larger organizations not reporting their attacks to IC3.
"The FBI IC3 only reports on what is given to them. In the case of ransomware specifically, victims seem even less inclined to report — to the point where it hampers our ability to go after the bad guy," says John Bambenek, vice president of security research and intelligence at ThreatSTOP.
Bambenek says many large enterprises may have the resources in-house to handle the incident without law enforcement, and some corporate counsels may advise reporting a ransomware attack if it's not required. In addition, he notes, cryptojacking's recent rise also has contributed to lower ransomware numbers as attackers have found a simpler and more lucrative way to make money than relying on ransom payments.
Meanwhile, reported BEC and email account compromise (EAC) attacks netted the most losses to victims last year, with 15,690 BEC complaints and losses of more than $675 million. These types of attacks dupe business users into transferring money, purportedly to their supplier or other business partner. EAC is where an attacker wrests control of a legitimate user's business email account rather than use a phony account.
So-called confidence fraud/romance schemes, where a fraudster poses online as a love interest or other trusted person to squeeze money from the target, netted attackers more than $211 million last year, according to the IC3's report. Scams where victims paid for an item or service online that never arrived or they didn't receive payment for an item (non-payment/non-delivery) resulted in more than $141 million in losses to victims.
Another popular scam last year was tech support fraud, which increased by 90% over 2016. The IC3 logged nearly 11,000 complaints of attacks that resulted in losses of $15 million.
The top 10 US states with the most victims of Internet crime were California (41,974), Florida (21,887), Texas (21,852), New York (17,622), Pennsylvania (11,348), Virginia (9,436), Illinois (9,381), Ohio (8,157), Colorado (7,909), and New Jersey (7,657).
"We want to encourage everyone who suspects they have been victimized by online fraudsters to report it to us," says Donna Gregory, chief of the IC3. "The more data we have, the more effective we can be in raising public awareness, reducing the number of victims who fall prey to these schemes, and increasing the number of criminals who are identified and brought to justice."