Each year the FBI compiles all the reports it receives through the Internet Crime Compliant Center (IC3) into an annual report. This report, released February 11, 2020, gives us a window into current techniques and tactics being used by cybercriminals. Over the span of the last year, the FBI received 467,361 reports of cybercrime totaling over $3.5 billion of losses. Year over year that is roughly a 30% increase in reported losses from 2018.
Where did the criminals focus last year?
Topping the list of the “Hot Topics for 2019” is Business Email Compromise (BEC) / Email Account Compromise (EAC) accounting for over $1.7 billion dollars in damage. Generally, an attacker will compromise the email address of a CEO or CFO (someone with the authority to request the money to be transferred). Then using that breached account the attacker sends an email as that person of authority requesting that money is wired to the attackers account as though you were paying a bill. Compromising a user’s email account can be done a number of ways: social engineering (phishing, vishing, smishing), using a 3rd party breached credential that has been re-used, password spraying, and other technical exploits. There are also other variants of this fraud including compromising email accounts from vendors, spoofing emails from lawyers, and requests for W-2 information to name a few but the underlying security issue here is the same.
How to combat this type of fraud
There are many ways to combat this type of fraud. First, we recommend that as a company you make it a policy to never wire money via a request through an email alone. Pick up the phone and confirm it with whoever sent the request. If that policy is not feasible for your business set a dollar amount that requires over the phone confirmation or use some other system for these requests, email is simply too big a target right now to trust fully.
Secondly, set up Multi-factor Authentication (MFA)! With today’s options for MFA, it’s incredibly easy to set up and to use. By setting up multi-factor authentication you are making it exponentially harder for an attacker to cash-in on those stolen credentials (trust me as pen tester I know firsthand how difficult MFA makes my job).
Finally, cybersecurity training and user-awareness. Your employees should know about common types of fraud like signs to look for in emails, proper password strength and management techniques, and how to report incidents to your Incident Response Team. Do not just rely on computer-based training (CBT), you need to do phishing simulations as well. If you’re doing just CBTs and not simulations, it’s like a football team showing up to the game after reading the playbook but never actually practicing. The same is true of tabletop exercises for your Incident Response plan.
Other Threats to Be Aware Of
Regrettably, the next runner up for the most damaging type of cybercrime last year was Elder Fraud. Unconscionably, cybercriminals stole more than $835 million from our senior citizens over the age of 60. This category consists of a number of scams including investment fraud, romance scams, tech support scams, grandparent scams, sweepstakes/lottery/charity scams. To make matters even worse those individuals that are successfully targeted are typically targeted again and again. I urge all of our readership to talk to your senior citizen family and friends and make sure they are aware of the target that’s been painted on their backs from these criminals.
To round out the list of most reported crimes are Tech Support Fraud ($54 Million) and Ransomware ($9 Million). These are tried and true means to steal money and the criminals continue to use these because they are effective. My opinion is that Ransomware is also drastically underrepresented in this list based on my experience with clients daily. Make sure you have your backups up to date, they must be tested regularly, and complete your annual incident response tabletop exercises (for the same reason we did fire drills in school)!
Credit Where Credit is Due
I would like to thank the FBI and in particular the Recovery and Investigative Department (RaID) for the fantastic work they are doing in recovering assets for those victims of cybercrime. This is a tremendously difficult task, however one certainly worthy of undertaking. In 2019, their inaugural year, the Recovery Asset Team (RAT) which is a component of RaID recovered 79% of the reported losses which is simply outstanding. Keep up the great work it is appreciated!