FBI IC3: Victims Racked Up $10.3B in Losses Tied to Internet Crime Last Year

The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued its 2022 Internet Crime Report, which revealed key trends that emerged in the cyber threat landscape last year. The IC3 received 800,944 complaints in 2022, signifying a 5 percent decrease from 2021.

Despite this decrease, the potential total loss grew from $6.9 billion in 2021 to more than $10.2 billion in 2022. Ransomware alone racked up $34.3 million in losses in 2022.

“While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3,” the report noted.

“As such, we assess ransomware remains a serious threat to the public and to our economy, and the FBI and our partners will remain focused on disrupting ransomware actors and increasing the risks of engaging in this activity.”

The healthcare sector reported the most ransomware attacks to IC3 in 2022 compared to any other critical infrastructure, accounting for 210 of the 870 complaints tied to critical infrastructure. IC3 data shows that 14 of the 16 critical infrastructures had at least one member that fell victim to a ransomware attack last year.

LockBit, ALPHV/BlackCat, and Hive were the top ransomware variants that impacted critical infrastructure in 2022, the IC3 found. All three groups have been linked to healthcare ransomware attacks in the past, though Hive has since been shut down by the Department of Justice (DOJ).

“Although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top initial infection vectors for ransomware incidents reported to the IC3,” the report stated.

“Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware. In 2022, the IC3 has seen an increase in an additional extortion tactic used to facilitate ransomware. The threat actors pressure victims to pay by threatening to publish the stolen data if they do not pay the ransom.”

The IC3 recommended that organizations immediately update operating systems and software, implement user training and phishing exercises, and secure and monitor RDP to mitigate risk.

Phishing remained the top crime type in 2022, followed by personal data breaches and non-payment or non-delivery scams. Business email compromise (BEC) remained a lucrative attack method for threat actors in 2022, as it was in 2021.

“As fraudsters have become more sophisticated and preventative measures have been put in place, the BEC scheme has continually evolved in kind,” the IC3 noted.

“The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts.”

Other common schemes included impersonation of tech and customer support call centers and cryptocurrency investment scams.

Threat actors continued to evolve in 2022, leading to an average of 2,175 complaints daily to the IC3.

“The information submitted to the IC3 can be impactful in the individual complaints, but it is most impactful and in the aggregate. That is, when these individual complaints are combined with other data, it allows the FBI to connect complaints, investigate reported crimes, track trends and threats, and, in some cases, even freeze stolen funds,” the IC3 noted.

“Just as importantly, the IC3 shares reports of crime throughout its vast network of FBI field offices and law enforcement partners, strengthening our nation’s collective response both locally and nationally.”

As internet crime continues to impact US critical infrastructure and other businesses around the world, threat sharing and incident reporting is becoming an increasingly crucial tool in identifying trends and mitigating risk.