Business Email Compromise Attacks Dominate 2017 FBI Internet Crime Report

Posted By HIPAA Journal on Jun 29, 2018

The FBI has released its 2017 Internet Crime Report. Data for the report came from complaints made through its Internet Crime Complaints Center (IC3).

The report highlights the most common online scams, the scale of Internet crime, and the substantial losses suffered as a result of Internet-related crimes.

In 2017, there were 301,580 complaints made to IC3 about Internet crime, with total losses for the year exceeding $1.4 billion. Since 2013, when the first Internet Crime Report was first published, more than $5.52 billion has been lost in online scams and more than 1.4 million complaints have been received.

The leading types of online crime in 2017 were non-payment/non-delivery, personal data breaches, and phishing; however, the biggest losses came from business email compromise (BEC) attacks, confidence scams/romance fraud, and non-payment/non-delivery.

The losses from business email compromise scams (and email account compromise scams on consumers) exceeded $675 million. BEC/EAC scams resulted in more than three times the losses as confidence fraud/romance scams – the second biggest cause of losses by victims. The average loss per BEC/EAC incident was $43,094.

There were 25,344 reports of phishing incidents in 2017 resulting in losses of $29,703,421, although phishing likely played a part in many other categories of crime such as credit card fraud and corporate and personal data breaches.

There were 406 reported cases of health care-related crimes and $925,849 was lost to those scams. Health care related fraud includes attempts to defraud private and government health care programs, fake insurance cards, stolen health information, and diversion/pill mill practices.

Most Prevalent Internet Crimes and Losses by Crime Type

Internet Crime Trends in 2017

In the report, the FBI draws attention to hot topics in 2017 –  types of crime that are on the rise and have resulted in extensive losses.

With business email compromise scams resulting in major losses, it is an area of major concern. Business email compromise scams often start with a phishing attempt on a senior executive such as the CEO or CFO. Social engineering techniques are used to convince that individual to part with login credentials. Once access to their email account is gained, an email conversation is initiated with an employee who has access to sensitive data or an individual responsible for making wire transfers. These individuals can often be identified via LinkedIn accounts and from messages contained in the compromised email account. The attacker convinces the target to make a wire transfer to their account or to send sensitive data such as W-2 Forms via email.

Access to an email account is not necessary for this type of attack. There have been many cases where fraudulent transfers have been made and W-2 data sent in response to spoofed emails.

Spam filtering solutions are not effective when emails are sent internally from a compromised account. One of the best defenses is 2-factor authentication, which requires an additional form of identification when an unfamiliar device is used to access an email account. Policies and procedures can be implemented to prevent these scams from being successful, such as requiring any transfer above a certain threshold to be verified by telephone and prohibiting the sending of sensitive data such as W2 forms via email.

Ransomware was also a hot topic in 2017. Ransomware attacks appear to be decreasing as cybercriminals switch to other methods of generating money such cryptocurrency mining; however, there were several major attacks in 2017, with the healthcare industry heavily targeted.

Spam filtering solutions, security awareness training, user-behavior monitoring solutions, and intrusion detection solutions helping to prevent attacks and reduce their severity when they do occur. Segmentation of networks can also help reduce the severity of attacks and good data backup policies are essential.

The FBI explains that it does not support the paying of a ransom, although appreciates that in cases where the business can no longer function, payment of the ransom should be considered.

Tech support scams were commonplace in 2017. These scams attempt to obtain payment to resolve fictional problems or to remove screen lockers and fake viruses. End users are convinced to provide fraudsters with remote access to their devices or to install software (malware) for this purpose. These scams often result in the theft of credentials and sensitive data as well as payment for software and technicians’ time. Losses to tech support scams have increased by 90% since 2016.

Elder fraud is a growing problem. In 2017, there were 49,523 complaints filed by victims over the age of 60, These scams resulted in adjusted losses of more than $342 million. In an effort to tackle the problem, the Justice Department launched the Elder Justice Initiative in February.

Attorney General Jeff Sessions explained that the Justice Department is taking unprecedented, coordinated action to protect elderly Americans. “When criminals steal the hard-earned life savings of older Americans, we will respond with all the tools at the Department’s disposal – criminal prosecutions to punish offenders, civil injunctions to shut the schemes down, and asset forfeiture to take back ill-gotten gains.” Local, state, and federal capacity to fight elder abuse is now being enhanced.

Extortion scams, loan schemes, impersonation schemes, sextortion, and hitman schemes are also on the rise. There were 14,938 extortion-related complaints received by IC3 in 2017 and losses exceeded $15 million.

States Worst Affected by Internet Crime

The states most affected by Internet crime closely match population levels, with the six most populated states featuring in the top seven states for reported Internet crimes.