FBI: Cybercrime losses exceeded $4.2 billion in 2020

The Federal Bureau of Investigation has released its yearly internet crime report, and according to the US government, 2020 was a record year for cybercrime operations.

According to the 2020 Internet Crime Report [PDF], the FBI said it received 791,790 internet and cybercrime complaints in 2020, more than 69% than the 467,361 reports it received in 2019.

Total losses were also up. The FBI said victims reported more than $4.2 billion in lost funds last year, 20% up from the $3.5 billion reported in 2019.

Both figures —complaints and total losses— represent the fifth consecutive year when cybercrime activity broke the previous year’s numbers.

Image: FBI IC3

BEC tops cybercrime charts again with record losses

Like in prior years, cybercrime groups engaging in BEC (business email compromise) and EAC (email account compromise) scams were the most successful, accounting for $1.8 billion in losses, which amounted to around 43% of all of last year’s total lost funds.

These scams rely on compromising an individual’s email account and then using that account’s persona to trick others (employees or business partners) into sending funds to an attacker’s account.

Image: FBI IC3

But the FBI said it also saw a new trend in the BEC/EAC world. While in previous years BEC groups would send money to their own bank accounts, FBI investigators said they’ve seen scammers use stolen IDs to create bank accounts to receive funds from BEC scams, which are then immediately transferred into a cryptocurrency account in order to prevent authorities from recovering the funds through the safety mechanisms built into banking systems.

BEC scammers and other forms of cybercrime operators are adopting this tactic after the FBI set up the IC3 Recovery Asset Team (RAT) in 2018, a team of agents specifically trained into recovering stolen funds.

This team, the FBI says, was able to freeze and then recover more than $380 million in 2020, across 1,303 incidents where the stolen funds were still trackable.

Ransomware incidents greatly under-reported

But besides BEC scams, the FBI IC3 team also reported a huge spike in terms of losses caused by ransomware attacks, which increased 225% from $8.9 million in 2019 to around $29.1 million last year.

These numbers are, however, woefully inaccurate, as The Record is aware that multiple companies paid in 2020 ransom demands in the realm of tens of millions of US dollars, on multiple occasions.

The discrepancy in the FBI numbers and what’s seen by security firms in the real world comes from the fact that not all individuals or companies who suffer a ransomware attack report the incident to authorities, and most pay the ransom and never even disclose the incident to acquaintances or customers.

This is specifically true for business entities, most of which also want to avoid the legal consequences of admitting to a security breach, such as lawsuits, fines, and reputational damage.


Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

Recent Posts

Facebook testing end-to-end encryption as a default on Messenger

Facebook has long been criticized for not using end-to-end encryption as a default option for…

18 hours ago

CISA orders civilian agencies to patch Zimbra bug after mass exploitation

The Cybersecurity and Infrastructure Security Agency added two vulnerabilities found in products from digital collaboration…

20 hours ago

AT&T denies connection to database of 23 million SSNs, says it may be tied to credit agency breach

Telecommunications giant AT&T denied any connection to a database of stolen information that included the…

21 hours ago

U.S. shares photo of alleged Conti suspect, offers $10 million for intel

The U.S. State Department on Thursday said that it was offering a $10 million reward…

21 hours ago

Suspected Tornado Cash developer arrested in Netherlands

Financial crime authorities in the Netherlands announced Friday that they had arrested a 29-year-old man…

1 day ago

NHS working with U.K. cyber authorities to assess ransomware attack on IT vendor

The United Kingdom’s National Health Service said it is working with the country’s National Cyber…

2 days ago