FBI: $3.5B Lost to Cybercrime in 2019, Led by Business Email Compromise

Cybercriminals are rapidly improving the sophistication of their attacks. The FBI estimates $3.5 billion was lost to cybercriminals last year; business email compromise caused the most damage.

Cybercrime cost individuals and US businesses $3.5 billion in losses last year, according to the 2019 Internet Crime Report published by the FBI Internet Crime Complaint Center (IC3). The most expensive complaints were caused by business email compromise.

In 2019, the FBI received 467,361 complaints, up from the average of 340,000 complaints it receives each year. In fact, more incidents were reported to the FBI than in any previous year.

Since its foundation in May 2000, the IC3 has received more than 1,200 complaints each day for the last five years, or a total of 4.88 million in the last decade. The total number of recorded losses for the last five years was $10.2 billion.

The FBI noted that despite increased awareness around the country, cybercrime continues to boom given that hackers are improving upon previously successful campaigns with new techniques and tactics.

Email continues to be a common entry point, but these fraud attempts are also being launched through text messages or even fake websites.

“Criminals are getting so sophisticated,” IC3 Chief Donna Gregory said in a statement. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

“You may get a text message that appears to be your bank asking you to verify information on your account,” she added. “Or you may even search a service online and inadvertently end up on a fraudulent site that gathers your bank or credit card information.”

Most complaints were caused by phishing and similar ploys, non-payment/non-delivery scams, and extortion.

But business email compromise was determined to be the costliest threat, resulting in $1.7 billion in losses last year. IC3 explained that these attacks typically rely on criminals spoofing or mimicking legitimate email addresses.

Throughout 2019, researchers noted that the attempts had more than doubled from 2018 and that hackers had been using compromised accounts to launch lateral phishing attacks.

According to Barracuda Networks, business email compromise attacks make up only 7 percent of spear-phishing attempts. But the targeted nature of the impersonation emails makes them at least three times more successful than traditional phishing attempts.

IC3’s report shows there has also been an uptick in the number of these complaints related to the diversion of payroll funds. Hackers will send an email to a company’s human resources or payroll division that appears to be from an employee requesting an update to their direct deposit information for the current pay period. If the information is changed, the paycheck is sent to the cybercriminal instead.

After business email compromise, IC3 noted the most losses from romance or confidence fraud and from spoofing, which is mimicking the account of a person or vendor known to the victim to gather personal or financial information.

Also notable: the number of ransomware attacks decreased last year. IC3 received 2,047 ransomware complaints in 2019, with an estimated $8.9 million in losses. The amount of losses increased, however, as the threat spiked toward the end of the year.

A recent report showed half of US organizations were breached by ransomware or phishing in 2019. Malwarebytes Labs also found that hackers are ramping up the sophistication of their attacks, finding a concerning number of ransomware detections and a rapid rise in hack tools.

“Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim,” according to the IC3 report. “In some cases victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.”

In fact, recent calculations from Emsisoft show that US organizations spend a minimum of $343 million and up to $1.4 billion to recover from ransomware. The researchers received 24,770 ransomware submissions last year.

“Information reported to the IC3 plays a vital role in the FBI’s ability to understand our cyber adversaries and their motives, which, in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security,” Matt Gorham, assistant director of the FBI’s Cyber Division, said in a statement. “It is through these efforts we hope to build a safer and more secure cyber landscape.”

The FBI once again stressed that organizations should avoid paying ransoms and should report all incidents of malicious activity to local field offices.