IC3.gov 2019 Internet Crime Report: It's All About that BEC
CyberCrime & Doing Time 2020-11-19
For years I have been encouraging people to report their instances of Cybercrime to the FBI's Internet Crime & Complaint Center, IC3.gov. Based on the number of reports, people are finally doing just that. The growth in reporting over the last two years is remarkable -- driven in part by the desperation people are facing regarding two major cybercrime trends: Ransomware and Business Email Compromise. State and local authorities seem powerless to do anything about either of these, so finally they are encouraging (and in many cases helping) to get these crimes reported to the IC3, where we can use pattern matching to identify trends that reveal top criminals.
Comparing 2015 to 2019, cybercrime reports are up 61% ... with 467,361 complaints received just in calendar 2019. An average of 1280 complaints per day! But while the NUMBER of complaints has gone up by 61%, the dollars lost in those complaints have more than tripled!
While Ransomware is certainly an important topic, the key difference in the financial impact has been Business Email Compromise. During calendar 2019, BEC complaints accounted for only 5% of the complaint volume (23,775 out of 467,361), but that 5% of complaints accounted for 48.5% of all financial losses experienced by the victims ($1.7 Billion of $3.5 Billion!)
The good news on the BEC front is that the FBI has a streamlined, internationally successful process for recovering funds. Started in February 2018, the FBI's Recovery Asset Team has been getting better and better at their process. In calendar 2019, the RAT was invoked on 1,307 cases and was successful at recovering funds 79% of the time. Out of $384,237,651 stolen, they recovered $304,930,696! That is an amazing improvement over times past!
While Phishing, a crime that I've been personally invested in chasing for at least 15 years, remains the most commonly experienced crime, with 114,702 cases reported to the ic3.gov in 2019, from a financial perspective, it just isn't even close to BEC and Romance Scams, the two categories we also called out as most important in our review of the 2018 IC3.gov Report. (See our blog post: IC3.gov: BEC Compromises and Romance Fraud 2018 from last April.) By victim count, BEC came in as the #6 category, while Romance Scams came in at #7. But by dollars lost, BEC is clearly #1 and Romance Scams are clearly #2.

| Crime Type | # Cases | Crime Type | $$s Lost |
|---|---|---|---|
| Phishing | 114,702 | BEC | $1,776,549,688 |
| Non-Payment | 61,832 | Romance Scams | $475,014,032 |
| Extortion | 43,101 | Spoofing | $300,478,433 |
| Spoofing | 25,789 | Investment | $222,186,195 |
| BEC | 23,775 | Real Estate | $221,365,911 |
| Romance Scams | 19,473 | Non-Payment/Non-Delivery | $196,563,497 |
| ... | | | |
| Identity Theft | 16,053 | Credit Card Fraud | $111,491,163 |
| ... | | | |
| Credit Card Fraud | 14,378 | Phishing | $57,836,379 |
| ... | | | |
| Tech Support | 13,873 | Tech Support | $54,041,053 |
| ... | | | |
| Ransomware | 2,047 | Ransomware | $8,965,847 |

While these losses seem staggering, please remember that these are ONLY THE REPORTED losses. Especially in the area of Romance Scams, we believe the number is dramatically under-reported. Often this is because the victim is an elderly person who either hides their victimization because they are embarrassed by the loss, or perhaps never realizes that they've been scammed, especially in the case of a person who may be experiencing mental decline, but has no caretaker.
The Financial Crimes Enforcement Network, FinCEN, used a far different approach to trying to identify the scale of BEC attacks, as we reported last year in our blog article: FinCEN: BEC far worse than previously believed.
FinCEN performed analysis on the Suspicious Activity Reports that are required of financial institutions in the United States and looked for tell-tale signs that the activity may have been a Business Email Compromise instance, whether reported to IC3 or not. Based on FinCEN's numbers, we estimated the amount of money stolen by BEC criminals to be $8.7 Million per day -- JUST IN THE United States! Our friends at Agari, (Hi John! Hi Crane! Hi Ronnie! Hi Patrick!), do a great deal of work in the BEC space, including running the Business Email Compromise Working Group. Ronnie shared some stats in his blog last fall about how long it would take BEC crime to surpass each of several other crime types. I encourage the interested reader to check it out here: Business Email Compromise (BEC): Putting $26 Billion in Known Losses into Context.