Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaint Center (IC3).

The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes.

In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received.

The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery.

The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses of confidence fraud/romance scams, the second biggest cause of losses by victims. The average loss per BEC/EAC incident was $43,094.

There were 25,344 reports of phishing incidents in 2017 resulting in losses of $29,703,421, although phishing likely played a part in many other categories of crime such as credit card fraud and corporate and personal data breaches.

There were 406 reported cases of health care-related crimes and $925,849 was lost to those scams. Health care-related fraud includes attempts to defraud private and government health care programs, fake insurance cards, stolen health information, and diversion/pill mill practices.

Most Prevalent Internet Crimes and Losses by Crime Type

| Crime Type (by complaints) | Number of Complaints | Crime Type (by losses) | Reported Losses |
|---|---|---|---|
| Non-Payment/Non-Delivery | 84,079 | BEC/EAC | $676,151,185 |
| Personal Data Breach | 30,904 | Confidence Fraud/Romance | $211,382,989 |
| Phishing/Vishing/Smishing/Pharming | 25,344 | Non-Payment/Non-Delivery | $141,110,441 |
| Overpayment | 23,135 | Investment | $96,844,144 |
| No Lead Value | 20,241 | Personal Data Breach | $77,134,865 |
| Identity Theft | 17,636 | Identity Theft | $66,815,298 |
| Advanced Fee | 16,368 | Corporate Data Breach | $60,942,306 |
| Harassment/Threats of Violence | 16,194 | Advanced Fee | $57,861,324 |
| Employment | 15,784 | Credit Card Fraud | $57,207,248 |
| BEC/EAC | 15,690 | Real Estate/Rental | $56,231,333 |

Internet Crime Trends in 2017

In the report, the FBI draws attention to hot topics in 2017: types of crime that are on the rise and have resulted in extensive losses.

Because business email compromise scams result in major losses, they are an area of major concern. Business email compromise scams often start with a phishing attempt on a senior executive such as the CEO or CFO. Social engineering techniques are used to convince that individual to part with login credentials. Once access to their email account is gained, an email conversation is initiated with an employee who has access to sensitive data or an individual responsible for making wire transfers. These individuals can often be identified via LinkedIn accounts and from messages contained in the compromised email account. The attacker convinces the target to make a wire transfer to their account or to send sensitive data such as W-2 forms via email.

Access to an email account is not necessary for this type of attack. There have been many cases where fraudulent transfers have been made and W-2 data sent in response to spoofed emails.

Spam filtering solutions are not effective when emails are sent internally from a compromised account. One of the best defenses is 2-factor authentication, which requires an additional form of identification when an unfamiliar device is used to access an email account. Policies and procedures can be implemented to prevent these scams from being successful, such as requiring any transfer above a certain threshold to be verified by telephone and prohibiting the sending of sensitive data such as W-2 forms via email.

Ransomware was also a hot topic in 2017. Ransomware attacks appear to be decreasing as cybercriminals switch to other methods of generating money such as cryptocurrency mining; however, there were several major attacks in 2017, with the healthcare industry heavily targeted.

Spam filtering solutions, security awareness training, user-behavior monitoring solutions, and intrusion detection solutions help to prevent attacks and reduce their severity when they do occur. Segmentation of networks can also help reduce the severity of attacks, and good data backup policies are essential.

The FBI explains that it does not support the paying of a ransom, although it appreciates that in cases where the business can no longer function, payment of the ransom should be considered.

Tech support scams were commonplace in 2017. These scams attempt to obtain payment to resolve fictional problems or to remove screen lockers and fake viruses. End users are convinced to provide fraudsters with remote access to their devices or to install software (malware) for this purpose. These scams often result in the theft of credentials and sensitive data as well as payment for software and technicians’ time. Losses to tech support scams have increased by 90% since 2016.

Elder fraud is a growing problem. In 2017, there were 49,523 complaints filed by victims over the age of 60. These scams resulted in adjusted losses of more than $342 million. In an effort to tackle the problem, the Justice Department launched the Elder Justice Initiative in February.

Attorney General Jeff Sessions explained that the Justice Department is taking unprecedented, coordinated action to protect elderly Americans. “When criminals steal the hard-earned life savings of older Americans, we will respond with all the tools at the Department’s disposal – criminal prosecutions to punish offenders, civil injunctions to shut the schemes down, and asset forfeiture to take back ill-gotten gains.” Local, state, and federal capacity to fight elder abuse is now being enhanced.

Extortion scams, loan schemes, impersonation schemes, sextortion, and hitman schemes are also on the rise. There were 14,938 extortion-related complaints received by IC3 in 2017 and losses exceeded $15 million.

States Worst Affected by Internet Crime

The states most affected by Internet crime closely match population levels, with the six most populated states featuring in the top seven states for reported Internet crimes.

| State (by complaints) | Number of Complaints | State (by losses) | Reported Losses |
|---|---|---|---|
| California | 41,974 | California | $214,217,307 |
| Florida | 21,877 | Texas | $115,680,902 |
| Texas | 21,852 | Florida | $110,620,330 |
| New York | 17,622 | New York | $88,633,788 |
| Pennsylvania | 11,348 | Arizona | $59,366,635 |
| Virginia | 9,436 | Washington | $42,991,213 |
| Illinois | 9,381 | Illinois | $42,894,106 |
| Ohio | 8,157 | New Jersey | $40,441,739 |

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.