The FBI’s Internet Crime Complaint Center (IC3) released its annual report Wednesday, showing a sharp increase in cybercrime, both in quantity and cost in 2020.
Over the course of the year, the IC3 logged 791,000 complaints, more than a third of the total complaints over the past five years and a marked rise from the 463,000 complaints in 2019. Victims lost $4.2 billion over the course of the year, up from $3.5 billion in 2019.
For enterprise cybersecurity, the report was headlined by two key findings. One was the emergence of COVID-19 themed phishing targeting both organizations and individuals. Vendors had warned about the rise of COVID-19 scams throughout 2020. The second was the increase in the total cost of business email compromise (BEC) scams and email account compromise (EAC).
“Ransomware is the thing that everyone always focuses on, but when you look at the amount of loss that’s in the report from BEC, it’s 64 times what ransomware is,” said Crane Hassold of the email security vendor Agari. “Ransomware is not even close to the amount of impact that BEC has to businesses.”
Ransomware, the report notes, is likely an underreported crime. Hassold said the same is true about BEC. Ransomware can also cost more to clean up and reconstitute networks.
The FBI compiles BEC and EAC as a single category of crime. Perpetrators pilfered $90 million more in 2020 than 2019, nearing $1.9 billion. BEC/EAC is the only category of cybercrime costing more than $1 billion. Ransomware costs reported to the FBI were a comparatively meager $29 million.
This came, however, as the total incidents of BEC/EAC declined by nearly 20%, meaning the average cost of individual scams has dramatically risen.
Agari’s threat intelligence traces the rise of the average cost of BEC crime to a group operating in Russia that focuses on big-ticket scams involving mergers and acquisitions.
Hassold said the decline in total incidents came from COVID-19. Many of the actors who were involved in BEC scams in early 2020 switched to the far more lucrative world of unemployment and other COVID related fraud.
“For decades, a lot of these scammers in places like Nigeria have called themselves Yahoo boys. Last year, because SBA [Small Business Association] loans and unemployment fraud was so successful, they started calling themselves SBA boys,” said Hassold. “I guess it sounds better than unemployment fraud boys.”
Hassold said he anticipated most of those scammers would move back to BEC as COVID becomes less profitable. Until 2020, the number of BEC incidents reported to the FBI had steadily increased year over year. While the numbers of attacks will grow, he predicts the average cost of attacks will decline as returning actors reemerge with their old pricing.
With the $29 million reported to the FBI, ransomware is no slouch. But more concerning might be the speed of the rise. Costs are up $20 million from 2019, the second year in a row that ransomware costs more than doubled. The number of reported attacks also rose in 2020, up 20% from 2019. Due to underreporting, it’s hard to gauge how much of the change is an acceleration of attacks. Potentially, victims may also have been more willing to come forward in 2020, skewing the data.
Still, in terms of FBI calculated impact, ransomware is orders of magnitude lower than BEC. BEC has now led the board for six years straight and comprises 43% of total losses.
“It’s crazy to me that for six years in a row this is the number one threat to businesses, and yet other types of more technically sophisticated attacks that seem a little more sexy get more attention,” said Hassold.