Business email compromise (BEC) remains the biggest source of financial losses, which totaled $2.4 billion in 2021, up from an estimated $1.8 billion in 2020, according to the Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3).
The FBI says in its 2021 annual report that Americans last year lost $6.9 billion to scammers and cyber criminals through ransomware, BEC, and cryptocurrency theft related to financial and romance scams. In 2020, that figure stood at $4.2 billion.
Last year, FBI’s Internet Crime Complaint Center (IC3) received 847,376 complaints about cybercrime losses, up 7% from 791,790 complaints in 2020.
BEC has been the largest source of fraud for several years despite ransomware attacks grabbing most headlines.
“In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion,” said Paul Abbate, deputy director of the FBI, in an introduction to the report.
“In 2021, heightened attention was brought to the urgent need for more cyber incident reporting to the federal government.”
IC3’s statistics in its annual reports are based on information the public submits to its website www.ic3.gov. Since 2017, the IC3 has received 2.76 million complaints that indicate US consumers and businesses have lost $18.7 billion.
BEC scams have evolved with technology, such as AI-created audio and video deep fakes, as the pandemic forced businesses to move to online video meetings via Zoom or Microsoft Teams.
Originally, BEC scams relied on spoofing or hacking a business email account of a senior officer and then instructing a subordinate to wire funds to the scammer’s bank account. The emails often targeted real estate companies.
“Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult,” the FBI noted.
In those meetings, the fraudster would insert a still picture of the CEO with no audio, or ‘deep fake’ audio, through which the fraudster, posing as a business executive, would claim that their audio/video was not working properly. The fraudster then uses the virtual meeting to instruct employees directly to complete a wire transfer, or uses an executive’s compromised email account to deliver the wiring instructions.
Cryptocurrency laundering was a huge business last year. Blockchain analysis firm Chainalysis reported that cyber criminals washed about $8.6 billion worth of cryptocurrency in 2021. North Korean hackers stole around $400 million in cryptocurrency last year, and used cryptocurrency mixer or ‘tumbler’ software, which splits funds into small sums and blends them with other users’ transactions before sending the amounts on to new addresses, breaking the on-chain link between the theft and the cash-out.
IC3 received 3,729 complaints about ransomware attacks that amounted to adjusted losses of more than $49.2 million. The FBI noted that ransomware groups use phishing emails, stolen remote desktop protocol (RDP) credentials, and software flaws to infect victims with ransomware.
In February, IC3 reported an uptick in “high-impact” ransomware attacks during 2021 based on data from the FBI, National Security Agency, and cybersecurity agencies from the UK and Australia. The other major trends are ransomware-as-a-service, where developers lease their ransomware to affiliates who carry out the attacks and increasingly buy in services such as ransom negotiation, and the rise of access brokers, who supply compromised accounts and network footholds to ransomware gangs.
The notorious Conti ransomware gang got a special mention in IC3’s report. IC3 only started tracking ransomware targeting US critical infrastructure operators in June 2021, covering attacks on US operators of water and wastewater systems, food and agriculture, healthcare and emergency medical services, law enforcement, 911 dispatch centers, and firms in the chemical, energy, finance and tech sectors.
The IC3 received 51 reports about REvil ransomware attacks, 58 reports about Lockbit 2.0, and 87 reports about Conti attacks.
“Of all critical infrastructure sectors reportedly victimized by ransomware in 2021, the healthcare and public health, financial services, and information technology sectors were the most frequent victims,” IC3 said. It added that it anticipates an increase in critical infrastructure victimization in 2022, and reiterated that it does not encourage paying a ransom to criminals.
The US is reorganizing how critical infrastructure operators report significant hacks. Newly passed legislation requires operators to report these hacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA) rather than to the FBI. CISA has committed to immediately share the reports it receives with the FBI.