Why Cybercrime Losses Continue to Soar

Companies are devoting more resources than ever to combat cybercrime, but so far it seems like the criminals are winning.

Losses related to cybercrime have steadily climbed from $1.1 billion in 2015 to $3.5 billion in 2019, according to the FBI’s Internet Crime Complaint Center, or IC3. The organization tracks hundreds of thousands of incidents reported to law enforcement every year, and works with field offices and victims to recover assets associated with scams and other forms of digital theft.

One reason why cybercrime losses are increasing is that there are more cyberattacks than ever. In 2015, there were about 288,000 cybercrime-related complaints to the FBI, which increased to about 300,000 in 2016 and 2017. Complaints soared to 350,000 in 2018 and hit a whopping 467,000 in 2019, according to IC3 statistics.

“The more people come online, the more attackers there are. The more online the world gets the more vulnerable we become,” said Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ and a former chief strategy officer for cyber policy at the U.S. Office of the Secretary of Defense. “There are more devices to hack, there’s faster ways to do it, there’s AI to help you do it and now you’ve got 5G that speeds up the pace of doing it.”

But in addition to an increase in total number attacks, the amount of losses associated with each individual attack is also increasing—the ratio of losses to complaints was about $3,800 in 2015, compared to $7,500 in 2019.

Although it’s difficult to pin down exactly why attacks seem to be getting more costly, two recent cybersecurity trends can help explain the situation: Attackers are able to extract bigger paydays with their attacks than ever before, and businesses are becoming increasingly vulnerable to attacks as they rely more on computers and the internet to function normally.

For example, with ransomware—perhaps the fastest-growing cybersecurity threat over the last five years—the average payment demanded in each attack has steadily climbed. One study suggests that demands are doubling every six months, propelled by targeted attacks that are designed to maximize damage so victims will pay up. In 2015, hackers may have given victims decryption keys for a few hundred dollars, while today some attackers demand seven or eight-figure sums.

Other attack methods such as business email compromise scams, which trick employees into wiring funds to a bank account owned by an attacker, have also been associated with multimillion-dollar losses in recent years and could drive up the average cost of a cyberattack.

The increase in losses can also be attributed in part to a growing reliance on computers and the internet, said Reiber. In other words, the same attack can cause more damage now than ever before, because it can have a wide-reaching impact on various parts of a business.