The FBI’s Internet Crime Complaint Center (IC3) has released its 2017 data and it isn’t pretty. BEC and all forms of phishing caused plenty of damage, a record number of complaints were filed, and the total losses reported were only slightly down from the previous year at just over $1.4 billion. It’s interesting to see the FBI’s data: it informs and confirms much of what we know about the current threat landscape, and there’s plenty more interesting insight in this year’s report.
It is important to start with a caveat – this data is based only on voluntary reporting via IC3.gov, and is an incomplete representation of both national and global losses due to cyber attack and cyber crime. There’s no measure of how significantly cyber attacks – both successful and not – are under-reported, nor of the indirect damages of the attacks. For example, Equifax’s data breach alone resulted in an estimated $600 million of costs. The damage caused by the biggest attacks of 2017 could easily add up to $1.4 billion. There are knock-on effects at play here that should make this FBI report even more concerning to both those in the security industry and to potential targets.
With that in mind, here are some of the more interesting takeaways from this report.
Lower Average YoY Cost Per Complaint, But Big 5-Year Increase
IC3 received about 2,500 (~1%) more complaints in 2017 than in 2016, yet the reported losses of $1.4 billion were down 2.2% from 2016. This seems low compared to most data we see, including some pessimistic data predicting $9 billion in damage from BEC-type attacks in 2018. The $1.4 billion doesn’t appear to register damages beyond what complainants sent or paid to scammers. It’s also worth noting that while complaints were up roughly 15% in 2017 over 2013, losses were up 85%. In 2013 the average loss reported was roughly $3,000. In 2017, it was roughly $4,700. That’s well above inflation.
BEC and EAC Continue to Be a Dominant Threat
Here’s a stat that is very frightening – the average cost of a Business Email Compromise (BEC) or Email Account Compromise (EAC) was a whopping $43,000, with 15,690 complaints and losses reported at $675 million. And that doesn’t appear to include collateral and brand damage!
Interestingly, two attack vectors are highlighted by the FBI. The first is the W-2 scam, which involves gleaning highly confidential tax information from payroll or other sources, which is then sold on black markets or used to file fake tax returns. The second is the real estate market, targeted because it contains the three key ingredients for a scam to be successful: 1) urgency, 2) often non-cyber-aware stakeholders and 3) large financial transactions.
Ransomware Gets All The Attention, But Not the Money.
Surprisingly, in 2017 IC3 received a seemingly low 1,783 ransomware complaints with losses of over $2.3 million (about $1,290 per complaint). WannaCry alone infected 200,000 computers globally (granted, there would only be one complaint per company, not per computer). Estimates place the actual damage from WannaCry between “hundreds of millions” and $4 billion. So, it’s hard to make heads or tails of this one. We would’ve expected a much higher number of ransomware complaints – considering the attention it received in 2017.
Some ideas that might explain this discrepancy:
- The FBI recommends not paying the ransom; perhaps people simply don’t report ransomware to IC3?
- The main goal of reporting is likely the recovery of funds rather than stopping criminals. Someone is going to report a $43,000 BEC, but not hassle with a $300 ransom. Interestingly, the WannaCry ransom was between $300 and $600, while the average reported IC3 loss was 2x-4x that. Perhaps this explains the under-reporting?
- It’s plausible that stronger ransomware protection is pushing more savvy criminals toward higher-payoff attacks. Informed internet users are less likely to fall victim to ransomware because they will have protection in place. (Note: while informed users can fall for socially engineered attacks at surprising rates, ransomware can be thwarted more easily with the right technology.)
- The proliferation of ransomware-as-a-service also inevitably results in lower-quality attacks that are easier to defend against.
The Elder Justice Initiative
We don’t focus on this area a lot, as we are focused mostly on the small to medium-sized business community, but reading this was a bit concerning. 49,523 complaints (16%) came from victims over the age of 60, with losses in excess of $342 million, representing over 24% of all losses reported. The Elder Justice Initiative was launched by Attorney General Sessions to combat fraud against seniors. Hopefully, initiatives such as this will lead to improvements in next year’s numbers.
The 10 Year Age Bracket With the Highest Number of Victims? 30-39 Year Olds!
A bit surprising at first: 45,458 victims who reported a complaint were between 30 and 39. The count decreases in each older bracket until 60+, which registered 49,523 but encompasses a larger age range. It’s worth noting that this can perhaps be explained by a few factors:
- The role of reporting on behalf of businesses falls on (mid-level?) IT personnel, a group which skews younger.
- Higher rates of internet usage among this group, especially in professional environments, mean that while this number is higher in absolute terms, as a ratio of users it could be much smaller.
- Individuals in this age group are more likely to know how and where to actually report this sort of fraud, or even to identify that it has happened in the first place. This is another factor, and perhaps a very important one, considering the above-mentioned Elder Justice Initiative.
But any surprise stops there. The average loss per complaint is correlated with age. So while 30-39 year olds might have the highest number of victims per decade, the 60+ age group had an average loss per complaint of over 2x that figure.
Wrapping it up.
As an industry and as an individual email security business, we focus our products and the content efforts of this blog on securing businesses. We want to see complaints and losses go down. It’s an interesting catch-22: there’s a greater appetite to spend when the threat level is high, but investing when threat levels are low is the most dollar-efficient way to spend. Remediation is so much more expensive than protection. If we see certain threat levels decreasing, it means we are winning on that front. When we see the losses reported to the FBI decrease, it can be taken as a sign that we’re doing our job, but given the frequency of attacks and the sophisticated scamming tactics we see daily, we know that there is more to the threats than this data shows. Bulk mail, phishing URLs, malicious emails, sophisticated spam, ransomware and many other vectors are still increasingly threatening users, and while technology like ours helps, training and educating users is the final frontier – after all, they are the real target of these attacks.
View the full IC3 report here.