The FBI’s Internet Crime Complaint Center (“IC3”) recently released its annual report, the 2020 Internet Crime Report (“Report”), which gathers statistics from nearly 800,000 complaints of suspected cybercrimes that the department received in 2020. This is a record number of complaints—a 69% increase from 2019—with reported losses exceeding $4.2 billion. According to the FBI, the three most reported crimes in 2020 were phishing scams, non-payment/non-delivery scams, and extortion/ransomware. It identified the costliest scams as business email compromise scams, romance and confidence schemes, and investment fraud. And unsurprisingly, 2020 saw criminals exploit the COVID-19 pandemic to target businesses and individuals in new ways.
2020 Report Highlights:
- COVID-19 Fraud: The IC3 received over 28,500 complaints from victims related to emerging financial crime around government stimulus programs, unemployment insurance, Paycheck Protection Program (PPP) loans, and Small Business Economic Injury Disaster Loans, among others. The most prevalent scheme, however, involved government impersonation, in which criminals reach out to victims pretending to be from the government in order to gather personal information or illicit money. Other prolific scams involved criminals asking individuals to pay out of pocket or sign in with their Office 365 credentials to place their name on a waiting list for fake COVID-19 vaccinations. The Report encouraged individuals to protect themselves by not providing their personal information to unknown sources and by relying only on trusted sources such as an individual’s doctor or the CDC for medical information. Additional IC3 recommendations included using “extreme caution” in online communication and verifying external email senders, attachments, and links.
- Business Email Compromise (BEC): BEC schemes topped the list of costliest scams reported by victims in 2020 with adjusted losses exceeding $1.8 billion and making up nearly half of all losses reported. This type of attack targets businesses and frequently involves criminals using social engineering or computer intrusion techniques to compromise legitimate business email accounts to conduct unauthorized transfers of funds. In 2020, the IC3 observed an increase in the number of BEC complaints relating to the use of identity theft and funds being converted to cryptocurrency. 2020 complaints involved criminals posing as tech support or engaging in romantic fraud to lure a victim into providing their ID, which the criminal then used to establish a bank account to receive the stolen BEC funds and then transfer those funds to a cryptocurrency account. The IC3 Recovery Asset Team (“RAT”), which works as a liaison between victims, financial institutions, and FBI field offices to assist in reducing financial losses resulting from BEC scams, recommends that BEC victims: (i) contact the originating financial institution as soon as fraud is recognized to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity; (ii) file a detailed complaint of the incident with the IC3; (iii) monitor incident trends on IC3’s website; and (iv) never make payment changes without verifying the intended recipient.
- Tech Support Fraud: The IC3 identified that tech support fraud, tempered only slightly by pandemic lockdowns, continued to be a growing problem in 2020. The IC3 received 15,421 tech support fraud complaints from victims in 60 countries in 2020, with losses exceeding $146 million—up 171% from 2019. Notably, the majority of victims reported being over the age of 60 and experienced over 84% of the losses. This type of attack involves criminals attempting to defraud consumers by posing as support or service representatives offering to resolve technical, security, or customer issues to elicit fraudulent payments or access to consumers’ computers. 2020 complaints involved criminals posing as customer support for financial institutions, utility companies, or virtual currency exchanges. Readers are encouraged to visit the IC3 website for additional information on tech support fraud.
- Ransomware: The IC3 highlighted ransomware as another growing area in 2020 after receiving 2,474 complaints with adjusted losses of $29.1 million, which is nearly triple the amount of ransomware-related losses identified in 2019. This type of attack frequently involves criminals deploying malicious software, or malware, that encrypts and blocks access to data on a computer system until payment of the ransom is made. Among the most common means of infection in 2020, as identified by the IC3, were targeted email phishing campaigns and exploitation of remote desktop protocol or software vulnerabilities. “The FBI does not encourage paying a ransom to criminal actors[,]” the Report stated, as payment does not guarantee that a victim’s files will be recovered. Payment may instead “embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.” Even so, the Report emphasizes that the decision to pay the ransom should not discourage a business or individual from reporting the incident to the local FBI field office or IC3.
In addition to providing statistics, the Report highlights the FBI’s accomplishments in combatting cybercrime with several recent case examples, and it offers guidance to individuals on how to avoid scams and report potential cybercrimes. It also explains the IC3 mission and functions.
The full 2020 Report is available here.