How cybercrime losses have more than doubled in 2 years
This story originally appeared on Drata and was produced and distributed in partnership with Stacker Studio.
There's been a surge in the cybercrime business in a post-pandemic landscape.
Cybercrime losses more than doubled from 2020 to 2022, according to the FBI's 2022 Internet Crime Report.
While the number of complaints remained mostly constant (652,000 annually on average), the overall volume of losses soared. The average loss per complaint jumped from $5,300 in 2020 to nearly $12,900 in 2022.
The IC3 report found phishing to be the most commonly reported cybercrime. In this scheme, an attacker sends an email that appears to be from a real person or organization, but a link in the message takes the recipient—if they are unsuspecting enough to click on it—to a site that also appears legitimate but is not. On that site, the victim is tricked into handing over their login, financial, or other personal information. The email or text could appear to be from an employer, a bank, a friend, or an organization the user trusts, using an email address or other header information that may be one character or digit off from a legitimate email address.
Using data from the FBI's 2022 Internet Crime Report, Drata analyzed the rapid increase in losses reported by victims of cybercrime. The data only includes cyberattacks that were reported to the FBI's Internet Crime Complaint Center.
Total and average losses among cybercrime victims are rising
The pandemic's increase in remote work and time spent online, along with the uncertainty and fear about the global health crisis, likely resulted in increased attack opportunities for cybercriminals to exploit.
"Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19," Jürgen Stock, INTERPOL secretary-general, said in a statement in late 2020, alerting the public to increased danger during the pandemic. "The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defenses are up to date."
At the same time, phishing schemes and other cybercrimes are becoming increasingly convincing and high-tech.
Phishing
Phishing campaigns can use fake social media profiles and often closely research their victims to send them job offers, invitations to fake events, or links to websites tailored to their interests. There have even been cases where hackers establish Zoom calls with victims and post phishing links directly in the chat. Hackers are also making use of assistive artificial intelligence chat tools to send more legitimate-looking messages, free of typographical errors, long seen as a bellwether of fraud.
Forrester Research analysts note phishers are increasingly combining voicemail and text to attack victims. The cybercriminal leaves the victim a voicemail about the text or email they've sent, increasing both the perceived legitimacy and urgency of the fraudulent request. These cybercrimes, more specifically called vishing and smishing respectively, are increasingly common.
The danger of phishing in general is significant. In spring 2022, an employee at Allegheny Health Network received a malicious phishing email link and had their email account compromised. Before the intrusion was shut down, the attacker was able to access confidential files for over 8,000 patients, including names, birthdates, addresses, treatment and diagnosis information, and even financial account data and Social Security numbers in some cases.
Phishing victims by far outpaced all other kinds of complaints in the IC3 report, with nearly 300,500 complaints lodged in 2022. The next closest were personal data breaches, at just shy of 60,000.
Cryptocurrency-related fraud
Reported losses from crypto-investment schemes also skyrocketed, going from about $100,000 in 2020 to over $2.5 billion in 2022, significantly driving up the overall loss value.
Many of these victims were enticed into joining an online crypto-liquidity-mining scheme where participants were told they would earn money in exchange for lending online exchanges their cryptocurrency. But once the victims linked their wallets to the exchange, the scammers drained their holdings instead, prompting an FBI Public Service Announcement.
One victim of such a scheme was induced to part with $22,000 after being initially drawn into a flirtatious chat through the MeetMe online dating app, according to Sean Gallagher, principal threat researcher at security firm Sophos. After a bit of light conversation, the attacker offered to "teach" the victim how to make money through the mining scheme and steered them to a series of apps and online wallets, ultimately leading to their being defrauded. The scammers even used generative AI to craft text messages to send to the target.
The FBI recommends businesses and individuals take several steps to protect themselves against cybercrimes: Update operating systems and software, train users about phishing threats, and keep offline backups of data. Users should also check email headers to ensure emails are from who they appear to be and never click on links in emails or text messages. Instead, users should open a browser window and type in the legitimate address of any website that they're told needs attention.
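The header check recommended above can be automated. The following sketch is an added example, not part of the original story or the FBI's guidance: it flags a sender domain that is one character off from a trusted one and a Reply-To that points somewhere other than the sender. The trusted-domain list, the sample messages and the function names are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this mailbox legitimately corresponds with (constructed).
TRUSTED_DOMAINS = {"example-bank.com", "example.org"}

# Constructed sample messages, not real mail.
SAMPLE_LOOKALIKE = (
    "From: Example Bank <alerts@examp1e-bank.com>\n"
    "Reply-To: support@mail.example.net\n"
    "Subject: Action required on your account\n\nPlease sign in.\n"
)
SAMPLE_LEGIT = (
    "From: Example Bank <alerts@example-bank.com>\n"
    "Subject: Your monthly statement\n\nStatement attached.\n"
)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def check_headers(raw_message):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # One insertion, deletion or substitution away from a trusted domain.
            if edit_distance(from_dom, trusted) == 1:
                findings.append(f"lookalike: {from_dom} vs {trusted}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: {reply_dom} vs {from_dom}")
    return findings
```

The From header itself can be forged, so a clean result here only means the visible address is not a near miss; sender authentication results (SPF, DKIM, DMARC) are a separate check.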
The true number of cybercrime victims is much higher, and many crimes go unreported, the FBI estimates. Observers theorize that a combination of embarrassment and the perception that law enforcement won't act is keeping the number of reports down.
Story editing by Jeff Inglis. Copy editing by Paris Close. Photo selection by Michael Flocker.