The Federal Bureau of Investigation has released its yearly internet crime report, and according to the US government, 2020 was a record year for cybercrime operations.
In its 2020 Internet Crime Report [PDF], the FBI said it received 791,790 internet and cybercrime complaints in 2020, up more than 69% from the 467,361 reports it received in 2019.
Total losses were also up. The FBI said victims reported more than $4.2 billion in lost funds last year, 20% up from the $3.5 billion reported in 2019.
Both figures (complaints and total losses) mark the fifth consecutive year in which cybercrime activity broke the previous year’s numbers.
BEC tops cybercrime charts again with record losses
As in prior years, cybercrime groups engaging in BEC (business email compromise) and EAC (email account compromise) scams were the most successful, accounting for $1.8 billion in losses, which amounted to around 43% of last year’s total lost funds.
These scams rely on compromising an individual’s email account and then using that account’s persona to trick others (employees or business partners) into sending funds to an attacker’s account.
But the FBI said it also saw a new trend in the BEC/EAC world. While in previous years BEC groups would send money to their own bank accounts, FBI investigators said they’ve seen scammers use stolen IDs to create bank accounts to receive funds from BEC scams, which are then immediately transferred into a cryptocurrency account in order to prevent authorities from recovering the funds through the safety mechanisms built into banking systems.
BEC scammers and other types of cybercrime operators are adopting this tactic after the FBI set up the IC3 Recovery Asset Team (RAT) in 2018, a team of agents specifically trained in recovering stolen funds.
This team, the FBI says, was able to freeze and then recover more than $380 million in 2020, across 1,303 incidents where the stolen funds were still trackable.
Ransomware incidents greatly under-reported
But besides BEC scams, the FBI IC3 team also reported a huge spike in losses caused by ransomware attacks, which increased 225% from $8.9 million in 2019 to around $29.1 million last year.
These numbers are, however, woefully inaccurate, as The Record is aware that multiple companies paid ransom demands in the realm of tens of millions of US dollars in 2020, on multiple occasions.
The discrepancy between the FBI numbers and what’s seen by security firms in the real world comes from the fact that not all individuals or companies who suffer a ransomware attack report the incident to authorities, and most pay the ransom and never even disclose the incident to acquaintances or customers.
This is especially true for business entities, most of which also want to avoid the legal consequences of admitting to a security breach, such as lawsuits, fines, and reputational damage.