The FBI has published its 2017 Internet Crime Report, which details the main types of online crime reported to its Internet Crime Complaint Center (IC3).

In 2017, businesses and consumers reported 301,580 incidents to IC3 and more than $1.4 billion was lost to cybercriminals. Of course, these are only reported losses. Many Internet crimes go unreported, so the true losses are likely to be substantially higher.

2017 saw more complaints of Internet crime than any other year since 2013 when the reports first started to be published.

Identity theft and corporate data breaches often make the headlines, although by far the biggest area of criminal activity are business email compromise (BEC) scams – or email account compromise (EAC) when the scams target individuals.

Business Email Compromise Scams – The Main Cause of Losses in 2017

More than three times as much money was lost to BEC and EAC scams than the next highest cause of losses: confidence fraud/romance scams. In 2017, the reported losses from BEC/EAC scams was $676,151,185.

Business email compromise and email account compromise scams involve the use of a compromised email account to convince individuals to make transfers of funds to accounts controlled by criminals or to send sensitive data via email.

BEC scams usually start with compromising the email account of the CEO, CFO or another board member – which is why this type of scam is also known as CEO fraud. Access to the executive’s email account is gained via brute force guessing of passwords or, most commonly, social engineering techniques and phishing scams.

Once access to the email account is gained, an email conversation is initiated with another member of the workforce, typically an individual responsible for making wire transfers. That individual is instructed to make a transfer to a new bank account – that of the attacker. Alternatively, the data of employees is requested – W2 Forms – or other sensitive company information.  These scams often involve large transfers of funds. In 2017 there were 15,690 such scams reported to IC3, making the average loss $43,094.

Phishing Extensively Used in Internet Crime

Phishing, vishing, smishing and pharming were grouped together. They ‘only’ resulted in losses of $29,703,421, although the losses from these crimes are difficult to calculate accurately. The losses associated with phishing are grouped in many other categories. BEC scams often start with a phishing attack and research from Cofense suggests 91% of corporate data breaches start with a phishing email.

The 2017 Internet Crime Report reveals the extent to which phishing is used in cyberattacks. There were 25,344 phishing incidents reported to IC3 in 2017 – the third highest category of Internet crime behind non-payment/non-delivery and personal data breaches. Many personal data breaches start with a phishing email.

Ransomware Attack Mitigation Proves Expensive

In addition to the threat of BEC attacks, the FBI’s 2017 Internet Crime Report warns of the threat from ransomware. Ransomware only resulted in reported losses of $2.3 million and attracted 1,783 complaints, although it is worthy of a mention due to the considerable disruption that attacks can cause. The reported losses – in terms of the ransoms paid – may be low, but actual losses are substantially higher. The ransomware attack on the City of Atlanta in April 2018 saw a ransom demand of $52,000 issued, although the actual cost of mitigating the attack was reported to be at least $2.7 million in April. However, in June 2018, city Information Management head Daphney Rackley indicated a further $9.5 million may be required over the coming year to cover the cost of mitigating the attack.

Tech Support Fraud Losses Increased by 90%

Another hot topic detailed in the 2017 Internet Crime Report is tech support fraud – This is a widespread scam where individuals are fooled into thinking they have a computer problem such as a virus or malware installed, when they do not. Calls are made warning of detected malware, and users are directed to malicious websites via phishing emails where pop-up warnings are displayed, or screen lockers are used.

These scams usually require the victim to pay the scammer to remove a fictitious infection and provide them with remote access to a computer. In addition to the scammers charge for removing the infection, sensitive data such as usernames, passwords, Social Security numbers, and bank account information are often stolen. 2017 saw a 90% increase in losses from tech support scams.

Protecting Against Internet Crime

One of the most important defenses for businesses to implement to protect against the leading cause of financial losses is an advanced spam filtering solution. Business email compromise scams often start with a phishing email and effective spam filtering will reduce the potential for email accounts to be compromised. Ransomware and malware are also primarily distributed via email. An advanced spam filter such as SpamTitan will block 100% of all known malware and prevent malicious messages from being delivered to inboxes.

Security awareness training is also essential. Malicious messages will make it past spam filtering solutions on occasion, so it is important for all end users to be prepared for malicious messages and taught security best practices. Training should be provided to every individual in the company with a corporate email account or access to an Internet facing computer, including board members.

A web filtering solution is also an important consideration. A web filter is an additional anti-malware control that can be used to prevent employees from visiting malicious websites – either via links in emails, redirects, or through general web browsing. A web filter, such as WebTitan, will block ransomware and malware downloads and prevent end users from accessing the types of phishing websites used to initiate BEC attacks.

These three cybersecurity measures should be part of all organizations’ cybersecurity defenses. They will help to prevent businesses from being included in next year’s FBI Internet Crime Report.