Security industry leader Brian Johnson, Chief Security Officer for Amorblox looks into the FBI Internet Crime Complaint Center (IC3) Report for 2020, which was released during March 2021. The IC3 produces its annual report in order to aggregate and highlight the data provided by the general public.
This annual report reveals 791,790 complaints of suspected internet crime in 2020. This is a step-change rise in excess of 300,000 complaints from 2019. Moreover, reported losses exceeding $4.2 billion. The top three crimes reported within the report are: Phishing scams, non-payment and non-delivery scams, and extortion. Notably, 2020 saw the emergence of scams exploiting the coronavirus pandemic as a lure.
The 2020 FBI report has outlined an interesting business e-mail compromise (BEC) pattern. While complaints have fallen from 20,373 in 2018 to 19,369 in 2020, the reported losses have increased year-over-year, from $1.29 billion in 2018 up to $1.86 billion in 2020.
According to Johnson’s review: “It’s likely that attackers have refined their email target tactics and are emboldened enough now to go after the bigger fish and ask people for higher dollar amounts in their scams. While other forms of cybercrime continue to present a danger, BEC remains the forerunner in harming organization bank balances.”
Johnson draws specific attention to scams that exploit trust in a year of uncertainty. With this the analyst notes: “2020 was a year filled with uncertainty due to coronavirus, and during such times, we lean into trusting people we know, entities with authority, and anyone who can help reduce our uncertainty. Hence, it is not surprising to see the rising volume of government impersonation attacks reported by the IC3 in 2020.”
Looking at specific attack patterns, Johnson says: “Scammers also exploited trust by replicating processes that the government had already instituted. Whether it was unemployment insurance, small business loans, vaccination programs, or stimulus checks – scammers hijacked the context behind all these government measures to steal money and data.”
Furthermore, he finds, somewhat concerningly: “Fraudsters did not have to employ any sophisticated tradecraft, but rather just ask for money or personally identifiable information by pretending to be someone else.”
