Hacking and entering
Cybercrime complaints are rising: FBI report
First they took over CEOs' email accounts or made fake ones, then wrote to employees and told them to wire money.
Later they logged on as lawyers, firing off forceful demands for secret, time-sensitive payments.
After that came the W-2 scam, where they tricked victims into giving up personally identifiable information.
The FBI calls it "business email compromise," and its evolution through the years is among the "hot topics" in a new report that analyzes cyber incidents reported to the bureau's Internet Crime Complaint Center. Other trends identified in the report include ransomware, fraudulent technical services, elder fraud and extortion. The message: cybercrime is always changing, and defenses must adapt accordingly.
"As cyber criminals become more sophisticated in their efforts to target victims, we must continue to transform and develop in order to address the persistent and evolving cyber threats we face," FBI Cyber Division Assistant Director Scott S. Smith wrote.
The report says the Internet Crime Complaint Center – a hub for reporting cybercrime and a database for law enforcement – fielded 301,580 complaints in 2017, with losses of more than $1.4 billion. Both those numbers were up slightly over 2016, when the center received 298,728 complaints with combined losses surpassing $1.3 billion.
Those statistics are in step with Raytheon's recent survey of IT security professionals, in which more than two-thirds of the respondents said they expect an increase in cyber extortion and data breaches over the next three years.
"Many people, including those at organizations' highest levels, assume cybersecurity has become a problem we cannot fix. But we can," Raytheon wrote in a series of recommendations to business leaders. The company has decades of experience in government and commercial cybersecurity, with services including virtual security operations centers, cybersecurity assessments and incident response.
The most common incidents reported to the FBI in 2017 were failure to pay for or deliver an item or service; personal data breach; and phishing, or the use of email to secretly infect a computer with malware, the report says. The three costliest crimes were business email compromise, non-payment/non-delivery and confidence/romance fraud, where the perpetrator earns the victim's trust and exploits it for money, personal information or something else of value.
THE BIGGER PICTURE
While the FBI report focuses on crimes against individual people or businesses – as opposed to the broad nation-state cyberattacks addressed in other government advisories – cyber experts say the two are often related. Smaller-scale cybercrime, such as commandeering computers to mine cryptocurrency, is often a way to finance more nefarious activity and gain access to other computer networks.
"By tracking smaller incidents and bringing the perpetrators to justice, we will not only discourage people from committing the lesser cybercrimes, but we will also disrupt the infrastructure used by criminals to stage more significant attacks," said Michael Daly, chief technology officer for cybersecurity and special missions at Raytheon.
The FBI report also urges people to notify authorities about cybercrime just as they would a residential break-in or any other offense. It cites two cases from FBI field offices – an international investment scam in Houston and a corporate extortion case in Los Angeles – that were reported to the Internet Crime Complaint Center and allowed authorities to identify perpetrators.
“We want to encourage everyone who suspects they have been victimized by online fraudsters to report it to us,” Donna Gregory, who leads the complaint center, said in a statement. “The more data we have, the more effective we can be in raising public awareness, reducing the number of victims who fall prey to these schemes, and increasing the number of criminals who are identified and brought to justice.”