A new report released by the FBI’s Internet Crime Complaint Center (IC3) shows that financial losses due to suspected cybercrime continued to rise sharply over the course of 2021, to a total of $6.9 billion in that year alone, with 847,000 complaints lodged by victims.
Five years ago, the same report showed that internet-based crime accounted for $1.4 billion in losses, on 301,580 complaints. The sharpest and most consistent growth was seen in the area of phishing and other types of credential-based attacks, which rose from about 25,000 incidents in 2017 to nearly 324,000 in 2021.
By value, the FBI said, the most damaging internet-based crime in 2021 was business email compromise — the IC3 said that nearly 20,000 complaints about email compromises were received in 2021, and placed total adjusted losses at almost $2.4 billion. This type of scam has evolved considerably from its roots in faked emails and fraudulent wire payment transactions, according to the report.
“Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers,” according to the FBI report. “These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.”
These attacks can be highly sophisticated, according to the report. When a CEO or CFO’s email is compromised, hackers can use it to invite employees to a video conference. While in the meeting, the attacker uses a deepfake of the executive’s voice, perhaps coupled with a claim that the video isn’t working, to instruct employees to transfer funds, or simply uses the compromised email address to send those fraudulent instructions directly.
COVID-19 clearly gave this type of attack much more traction by causing an explosion in the use of teleconferencing of various kinds. Because those business practices haven’t gone away even as the pandemic’s severity has lessened, attacks targeting virtual meetings are likely to stick around as well.
The FBI also issued guidance for victims of email compromise attacks: immediately contact originating financial institutions to request a reversal and a Hold Harmless letter, file a complaint with IC3, and avoid making any kind of payment change without first verifying it with the intended recipient.
On a state-by-state level, the hardest-hit U.S. jurisdiction in 2021 was California, with a reported $1.2 billion in losses. Second place was held by Texas with $606 million, and New York was in third place at $559 million.