FBI: $4.2B Lost to Cybercrime in 2020, Led By Phishing, BEC, Extortion

BEC, phishing, and extortion were among the leading threats behind complaints filed with the FBI in 2020, as cybercrime cost victims $4.2 billion overall.

By Jessica Davis

The latest FBI IC3 Internet Crime Report shows that cybercrime cost individuals and US businesses about $4.2 billion in losses in 2020, up 69 percent from $3.5 billion in 2019. Phishing, non-payment scams, and extortion were the biggest crimes reported to the FBI.

Data showed healthcare-related losses amounted to a little over $29 million from 1,383 complaints. Healthcare-related schemes attempt to defraud private or government healthcare programs and typically involve providers, companies, or individuals.

The FBI received 791,790 complaints last year, an increase of over 300,000 complaints from 2019. It’s the largest volume of complaints reported to the agency in its history.

Since its inception, the IC3 has received an average of 440,000 complaints each year. In 2020, the FBI received an average of 2,000 complaints each day.

To compile the 2020 report, the FBI analyzed and shared information from the submitted complaints for both intelligence and investigative purposes. Much like other reports on 2020 trends, the agency found the pandemic did not deter hackers from attempting to make a profit.

The report found that business email compromise scams continued to be the costliest threat -- although phishing accounted for the most complaints. The 19,369 BEC complaints cost those victims about $1.8 billion, while the 241,342 phishing complaints created losses of $54 million.

As hackers continue to evolve their threats, the BEC and email account compromise (EAC) attempts have become more sophisticated. The 2020 data found a rise in the number of BEC and EAC complaints that stemmed from identity theft and funds converted into cryptocurrency. 

These scams ranged from extortion to tech support and the like, and were designed to coerce a victim into providing a form of identification to the threat actor. The hacker then leveraged those stolen credentials to establish a bank account for the receipt of stolen funds, which were then transferred to a cryptocurrency account.

Ransomware incidents also continued to rise, with 2,474 incidents, while non-payment or non-delivery schemes accounted for 108,869 complaints and extortion attempts totaled 76,741 complaints.

For ransomware, the FBI noted the attackers primarily leveraged email phishing campaigns, software vulnerabilities, and the remote desktop protocol to launch these pervasive attacks.

“The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the report authors wrote.

“Paying the ransom also does not guarantee that a victim’s files will be recovered,” they added. “Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local field office or the FBI’s IC3.”

Fortunately, the FBI’s Recovery Asset Team was able to successfully freeze about $380 million of the $462 million in reported losses last year: a success rate of 82 percent. Among the successful interventions was an April 2020 incident with a Houston-based healthcare entity.

The FBI received a complaint from a healthcare entity that sent about five wire transfers totaling more than $2 million. The FBI team was able to freeze the funds to allow the victim time for the indemnification process.

“Later inquiries into the recipient account number by the IC3 RaID Team found additional suspicious activity information from financial databases on the possible money mules involved with the account,” according to the report.

The report also shed light on COVID-19 fraud, which federal agencies and security researchers warned about throughout the pandemic. In total, the FBI received 28,500 complaints tied to the coronavirus.

The Coronavirus Aid, Relief, and Economic Security Act (CARES Act) fraud was the largest scheme observed in these complaints, with attempts at grant and loan fraud, as well as phishing for personally identifiable information. 

One of the largest examples stemmed from hackers fraudulently filing insurance claims with the victims’ identities. Other complaints referred to attempted scams around stimulus funds, Paycheck Protection Program (PPP) loans, and those meant for small businesses.

Notably, the FBI warned that government impersonators were highly prevalent throughout the pandemic response. Hackers reached out to victims through social media, emails, or even the phone and pretended to be from the government, in an attempt to gather personal information or illicit funds.

“Many victims of this identity theft scheme did not know they had been targeted until they attempted to file their own legitimate claim for unemployment insurance benefits,” according to the report.

“Unfortunately, criminals are very opportunistic. They see a vulnerable population out there that they can prey upon,” FBI Section Chief Steven Merrill, Financial Crimes Section, said in a statement.