Since May 2000, the FBI has collected internet crime data in the Internet Crime Complaint Center (IC3). The annual reporting shows that internet crime continues to be a profitable growth industry. For example, the number of reported internet crimes for the last five reporting periods has more than doubled, from 2016 (298,728) to 2020 (791,790). In 2020 the loss to internet crime reported was over four billion dollars. The information collected by the FBI IC3 is through public self-reporting (www.ic3.gov). Most of the reporting was from the United States. However, twenty countries contributed to the report. As the information is gathered, trends emerge, and best practices are identified to protect individuals and businesses. A consideration is that the actual number of criminal acts and the amount of money extorted is much greater than what is reported. A reason is that not all victims report internet crime; for some, they do not know where or how to report, or the victim is unwilling to report because they are too embarrassed or fearful due to threats. Interesting is that most business and individual victims are re-attacked within a year, often through the same means.
What has become apparent is that criminals never pass up an opportunity to make money from holidays, social disruptions, war, pestilence, or the plague. In 2020 the Covid-19 pandemic was accompanied by cyber assaults that leveraged off Covid-fear and the government’s financial response. The Covid-fear scams were related to promised cures, tests, and protective equipment. These attacks are lumped into the category of what is too good to be true is not, or you are really not that lucky. Most lucrative was taking advantage of the government’s financial response by fraudulently submitting online loan applications and submitting unemployment insurance claims. For the most part, the victims were unaware of these fraudulent claims until they submitted a claim and were denied. These scams all begin the criminals collecting and using personal or business information, most often gathered through email. One of the most common ways for people to provide personal information was for the criminal to appear as a government agent or authority. Often people fall for scams through carelessness or ignorance. Nevertheless, protecting information is a foundation in cybersecurity and being cynical and suspicious of email from all sources is a commonsense approach.
The top three 2020 categories of cybercrime were Business Email Compromise / Email Account Compromise (BEC/EAC) ($1,8 billion), Tech Support Fraud ($145 million), and Ransomware ($29.1 million. BEC/EAC involves transferring money from a personal or business account to another due to fraud. The money is transferred to an international account, where the account is closed and the funds stolen. These are very sophisticated and targeted attacks, and they take time to unravel. They succeed when the victim is fooled into thinking the transfer is legitimate and required. These, too, begin with email. Tech Support Fraud is when criminals pose as routine tech maintenance or claim they are solving a problem where one does not exist. Many of these originate in India through call centers. They begin with email notification of the problem and end with the victim sending money for nonexistent services or the victim sending their bank account information which is cleaned out. Ransomware is the third of the top three; it is the criminal encrypting data on a computer system and then demanding a ransom for the decryption key. Rarely is the decryption key provided, even if there is a ransom paid. The attack will usually occur through an infected email that the victim opened, with the malware downloading onto the system. Other means are the attackers using known exploits against systems with outdated software or misconfigured systems.
What you can do to protect yourself and your business from these attacks is first to recognize that email is the most common attack vector. Know that all emails from all sources must be treated as suspect until proven otherwise, do not download anything until you are sure of its origin. In addition, make sure you have antivirus software and it is up to date. Make sure all of your software is updated, including the operating system, router, and application software. Known vulnerabilities, or bugs, for software, are published and exploited. If these essential actions that protect your computer systems seem to be always the same, it is because they are. This points to the fact that most users ignore them. The adage is to be proactive, do the simple things well, and protect yourself.
Mike Olivier is President of 171 Comply, a cybersecurity expert and member of the GovFlex freelance consultant network