Cyber Resilience

FBI IC3 report: cybercrime cases up 69 percent

09 October 2021 | Scott Nursten

Welcome to the world's fastest growing industry. 69 percent growth since last year and worth $2 trillion. Can you guess what it is?

The FBI’s Internet Crime Complaint Center (IC3) reported 791,790 cybercrime cases in 2020 with direct losses of almost $4.2 billion. Many more cases are unreported or unknown - the Solarwinds breach compromised the entire supply chain and went undetected for months.

 The IC3 report aims to use data to catch cyber criminals and recover stolen funds. To some degree, it is working. But cybercrime is slippery; criminals hide behind foreign IP addresses and cloaking technologies.

It’s also incredibly lucrative. With 69 percent growth, cybercrime is the fastest growing industry on the planet. Is your business prepared for the war that is coming?


Cyber defence spend vs cybercrime profits

Global cybersecurity spend was $153 billion in 2020 (Juniper research). Sound impressive? Cyber criminals took $2 trillion from their victims during the same time.

IBM puts the average cost of a corporate breach at $3.86 million, yet businesses are not even investing 10 percent of this amount in cyber defences on average.

The biggest single reported payout in the year was a wire fraud business email compromise costing $60 million. Another case cost $2 million and yet another cost $977,000. These three cases, each costing a million dollars plus, show the scale of loss is growing dramatically.

The $4.2 billion losses do not include consequential costs such as lost time, lost earnings etc. This is the amount paid directly to criminals from American companies and individuals desperate to fix a problem they could have prevented for far less.

Global significance

The IC3 report is the only one of its kind to categorise cybercrimes, attack methods, direct losses and criminal patterns. It shows how crimes are escalating across the world, many with international links.

Excluding the US, the UK leads the top 20 international victim countries by a wide margin. 216,633 known attacks were UK-based. In second place, Canada is 40 times less likely to fall victim to an attach with 5,000 cases.

New call-to-action

How 5 percent of victims paid 50 percent of the losses

Of all reported cases, 95 percent (33 types of crime) mainly effect consumers and count for just over half of the losses. The remaining 5 percent (4 types of crime), those reported mainly by businesses, account for the other half. This means the average business paid more than $100,000 compared with the average consumer paying $5,000.


Top 4 losses to businesses

  1. Business Email Compromise (BEC) 19,369 cases - $1,866,642,107 lost
    While phishing can lead to BEC, it’s more likely that executive email accounts are hacked or spoofed, leading to identity theft and funds being diverted or converted to cryptocurrency.
  1. Tech support fraud 15,421 cases - $146,477,709 lost
    Criminals usually targeting older people at home used the same tactics to gain access to corporate networks. Playing to doubts and insecurities, they pressure people into making a decision, say they’ll get in trouble if they don’t act fast. It’s powerful stuff if you’re new to remote working and get a call from ‘tech support’ saying they need your login to fix an urgent issue.
  2. Phishing 241,243 cases - $54,241,075 lost
    Phishing aims to get onto the network, rather than directly accessing cash. Once access is gained, the real attack is carried out. IC3 received 241,243 phishing-related complaints last year, making the $54 million price tag relatively small compared with BEC for example, but phishing is often simply how they pick your lock. This means losses often get attributed to other crimes further down the line.
  1. Ransomware 2,474 cases - $29,157,405
    IC3 have added a special note to the ransomware loss rate, indicating a much higher average cost than the $12,000 indicated here.

They state that adjusted losses do not include lost business, time, wages, equipment, or remediation services. Cases or losses are often unreported or made directly to the FBI, creating an artificially low loss rate here.

We work with a business that lost millions of pounds following a ransomware attack earlier this year. In my opinion, these losses are definitely under-accounted.


What does future cyber resilience look like?

The IC3 report is incredibly useful, but it only looks backwards. Training your staff in cyber awareness is a great start but we have to prepare for advanced, layered and persistent attacks.

Criminals access your network first, find out everything they can about you, stealing valuable data, maybe trying email scams. Once they’ve exhausted every avenue, they’ll encrypt everything and ransom you. After you think “phew, it’s over”, they may still sell your exfiltrated data as well.

Layered attacks are already happening. Only the criminals know what they have planned for tomorrow, which is why strategy is so important.

Because BEC is top of the danger list, it may be tempting to race out and buy email security software. But that alone is not enough, because once email security is fixed, attackers will use something else. Then what?

May 21 FBI IC3

This article originally appeared in Platinum Business Magazine