Criminal movers and shakers, according to the FBI’s IC3

On May 7, the FBI released its annual IC3 report. In it, you can read up on reported internet crime. We like the report: it's simple, straightforward and based on data. It is, of course, US-centric, which means there's more credit card theft and other subtle differences from Europe, but the bigger picture is interesting and relevant.

Since the report offers the numbers with little context, we aim to dive into them, compare 2016 with 2017, look at some anomalies and interesting tidbits, and offer some context. We hope it helps.

Bear the following in mind: it's about crime. Not about nation-state attacks, espionage, hacktivism and so on. Criminals are our most predictable adversary. They're after our money, and they'll choose low-hanging fruit and proven technologies when they can. Furthermore, these numbers only cover reported crimes, which means that "low yield" crimes are likely to be reported less often than they actually occurred.

First look at the numbers

Let's look at the list, sorted by cumulative loss in dollars. The top 4 consists of Business Email Compromise (e.g. CEO fraud), Romance fraud, Non-payment and Investment. Personal data breach, in 5th place, is the first one with a tech component. Credit card fraud is number 9; it is the first automated crime type in the list. Malware and ransomware are number 24 and 25. According to these numbers, there are 24 better ways than ransomware for criminals to make money. Maybe that's why our Cyber Defense Centers show that ransomware has slowly been pushed aside by cryptojacking since January of this year.

When we add up the reported losses we get a bit over 1.7 billion dollars, although IC3 itself reports 1.4 billion; perhaps the list counts some things twice. BEC is responsible for 39% of these losses. Romance fraud is another 12%, and the remaining 49% is divided among 31 other crime types.

Sum of loss FBI Report

Based on individual complaints, the pie chart slices differently. When people are hit by a scam, they will probably tell you one of these two stories: the most common one is that they bought something online but never got the goods. The second one is about how their personal data was stolen or leaked.

Sum nr of victims - FBI Report

Criminal money makers

Which is the most profitable attack type? To get some insight, we divided the total loss per crime type by the number of reported incidents. On the low end, if you're scamming kids, you're only making a small amount of money (and are a miserable person in the process), while going after the big enterprises with CEO fraud yields an average of $43,094. Investment fraud is number 2 (averaging $31,351) and Corporate Data Breach completes the top 3, averaging $16,101.

Avg loss per victim - FBI Report

Obviously, this doesn’t mean every criminal will stop what they’re doing and go BEC tomorrow. Social engineering type attacks require time, effort and diligence, whereas some of the automated malware attacks are close to fire-and-forget. It all depends on the criminals’ work ethic and their risk appetite. Each to his own.

Loss, profitability, and volume

Next, we aimed to visualize the 33 crime types in one graph: the number of attacks versus average loss. The data points are sized by total loss (and thus by the FBI's ranking). We observe four quadrants; the most dangerous one is empty: attacks with a high yield that also happen a lot. The cash cows are BEC and investment fraud. Most likely to happen is non-payment, although you probably won't lose sleep over it. Romance fraud sits in the middle and seems to be a well-balanced attack: it leads the mainstream pack, with some rare, seldom-reported attacks trailing behind.

Cash cow - FBI Report

Changes of the past year ranked by loss

The top 4 (BEC, Romance fraud, Non-Payment, Investment fraud) didn't change. Total reported crime losses went up from $1.6B to $1.7B (with the caveat that the FBI itself mentions 1.4B). If this were a music top 33, it would be a boring one, with few movers and shakers. Tech support scams are number 17 in the list (up from 22), and Civil matter dropped from 10 to 21. This is the biggest anomaly we could find: IC3 reports total losses on Civil matter going down by 90% while the number of victims is almost the same, around 1000. We suspect a digit got shifted in the IC3 numbers.

Rank | 2017 Cyber Crime Type (2016 rank, where it changed) | Loss (change vs. 2016) | Nr of victims

1 BEC/EAC $676,151,185 (+$315,637,224) 15690
2 Confidence Fraud/Romance $211,382,989 (-$8,424,771) 15372
3 Non-Payment/Non-Delivery $141,110,441 (+$2,882,159) 84079
4 Investment $96,844,144 (-$26,563,853) 3089
5 Personal Data Breach ↑(8th) $77,134,865 (+$17,996,713) 30904
6 Identity Theft ↑(9th) $66,815,298 (+$7,897,900) 17636
7 Corporate Data Breach ↓ (5th) $60,942,306 (-$34,927,684) 3785
8 Advanced Fee ↓ (7th) $57,861,324 (-$2,623,249) 16368
9 Credit Card Fraud ↑(12th) $57,207,248 (+$9,019,255) 15220
10 Real Estate/Rental ↑(13th) $56,231,333 (+$8,355,568) 9645
11 Overpayment $53,450,830 (-$2,554,006) 23135
12 Employment ↑(14th) $38,883,616 (-$1,633,989) 15784
13 Phishing/Vishing/Smishing/Pharming ↑(15th) $29,703,421 (-$1,976,030) 25344
14 Other ↓ (6th) $23,853,704 (-$49,238,397) 14023
15 Lottery/Sweepstakes ↑(17th) $16,835,001 (-$4,448,768) 3012
16 Extortion ↑(18th) $15,302,792 (-$509,045) 14938
17 Tech Support ↑(22nd) $14,810,080 (+$7,003,664) 10949
18 Misrepresentation ↑(19th) $14,580,907 (+$855,674) 5437
19 Harassment/Threats of Violence ↓ (16th) $12,569,185 (-$9,436,470) 16194
20 Government Impersonation $12,467,380 (+$188,666) 9149
21 Civil Matter ↓ (10th) $5,766,550 (-$51,922,005) 1057
22 IPR/Copyright and Counterfeit ↑(23rd) $5,536,912 (-$1,292,555) 2644
23 Malware/Scareware/Virus** ↑(24th) $5,003,434 (-$485,238) 3089
24 Ransomware ↑(25th) $2,344,365 (-$86,896) 1783
25 Denial of Service/TDoS ↓ (21st) $1,466,195 (-$9,747,371) 1201
26 Charity ↑(27th) $1,405,460 (-$254,992) 436
27 Health Care Related ↑(29th) $925,849 (-$69,810) 406
28 Re-shipping ↓ (26th) $809,746 (-$1,122,275) 1025
29 Gambling ↑(30th) $598,853 (+$308,160) 203
30 Crimes Against Children ↑(32nd) $46,411 (-$32,762) 1300
31 Hacktivist ↑(33rd) $20,147 (-$35,353) 158
32 Terrorism ↓ (31st) $18,926 (-$201,009) 177
33 No Lead Value ↑(34th) $0 (-) 20241

Changes of the past year ranked by the number of complaints

If we sort the numbers by the number of complaints, we get a different picture. Most attacks yield way less than the top three mentioned above; as a matter of fact, the average across all attacks is a bit over $4,500. That said, for the top 3: Non-payment nets the criminal $1,678 on average, personal data breach averages almost $2,500 and phishing a bit over $1,100. It seems the mainstream internet criminal still has an appetite for these mid-level amounts. Maybe their proven ways of laundering the money drive this appetite, or maybe criminals in the B-leagues just like to do it this way.

Rank | 2017 Cyber Crime Type (2016 rank, where it changed) | Nr of victims (change vs. 2016) | Loss

1 Non-Payment/Non-Delivery 84079 (+3050) $141,110,441
2 Personal Data Breach 30904 (+3331) $77,134,865
3 Phishing/Vishing/Smishing/Pharming ↑ (4th) 25344 (+5879) $29,703,421
4 Overpayment ↓ (3rd) 23135 (-2581) $53,450,830
5 No Lead Value ↑ (12th) 20241 (+6447) $0
6 Identity Theft ↑ (7th) 17636 (+758) $66,815,298
7 Advanced Fee ↑ (10th) 16368 (+1293) $57,861,324
8 Harassment/Threats of Violence 16194 (-191) $12,569,185
9 Employment ↓ (5th) 15784 (-1603) $38,883,616
10 BEC/EAC ↑ (16th) 15690 (+3685) $676,151,185
11 Confidence Fraud/Romance 15372 (+826) $211,382,989
12 Credit Card Fraud ↓ (9th) 15220 (-675) $57,207,248
13 Extortion ↓ (6th) 14938 (-2208) $15,302,792
14 Other ↓ (13th) 14023 (+1404) $23,853,704
15 Tech Support ↑ (17th) 10949 (+99) $14,810,080
16 Real Estate/Rental ↓ (14th) 9645 (-2929) $56,231,333
17 Government Impersonation ↓ (15th) 9149 (-3195) $12,467,380
18 Misrepresentation 5437 (+1) $14,580,907
19 Corporate Data Breach ↑ (20th) 3785 (+382) $60,942,306
20 Investment ↑ (24th) 3089 (+892) $96,844,144
21 Malware/Scareware/Virus** 3089 (+306) $5,003,434
22 Lottery/Sweepstakes ↓ (19th) 3012 (-1219) $16,835,001
23 IPR/Copyright and Counterfeit 2644 (+72) $5,536,912
24 Ransomware ↓ (22nd) 1783 (-1000) $2,344,365
25 Crimes Against Children ↑ (26th) 1300 (+70) $46,411
26 Denial of Service/TDoS ↑ (28th) 1201 (+222) $1,466,195
27 Civil Matter 1057 (-13) $5,766,550
28 Re-shipping ↑ (29th) 1025 (+132) $809,746
29 Charity ↑ (30th) 436 (-1) $1,405,460
30 Health Care Related ↑ (31st) 406 (+37) $925,849
31 Gambling ↑ (33rd) 203 (+66) $598,853
32 Terrorism 177 (-118) $18,926
33 Hacktivist ↑ (34th) 158 (+45) $20,147
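To make the arithmetic behind the averages and the Civil Matter anomaly reproducible, here is an added example (our own illustration, not code from the post or from IC3) that takes a handful of rows copied from the two tables above, recomputes the average loss per complaint, and flags crime types whose loss swung sharply while the number of victims barely moved. The row subset and the 50%/10% cut-offs are assumptions for the example; the figures themselves are the ones in the tables.

```python
# Added example (not code from the SecureLink post): recomputes the
# per-complaint average loss the post discusses and flags year-over-year
# anomalies such as its Civil Matter row. Figures are copied from the
# post's two tables; the row subset and cut-offs are my own choices.

# (crime type, 2017 loss USD, loss change vs 2016, 2017 complaints,
#  complaint change vs 2016) -- subset of rows copied from the tables.
ROWS = [
    ("BEC/EAC",                  676_151_185, +315_637_224, 15690, +3685),
    ("Non-Payment/Non-Delivery", 141_110_441,   +2_882_159, 84079, +3050),
    ("Investment",                96_844_144,  -26_563_853,  3089,  +892),
    ("Corporate Data Breach",     60_942_306,  -34_927_684,  3785,  +382),
    ("Civil Matter",               5_766_550,  -51_922_005,  1057,   -13),
    ("Ransomware",                 2_344_365,      -86_896,  1783, -1000),
    ("Denial of Service/TDoS",     1_466_195,   -9_747_371,  1201,  +222),
]

def avg_loss(rows):
    """Average loss per complaint (total loss / complaints), whole dollars."""
    return {name: round(loss / n) for name, loss, _, n, _ in rows}

def rank_by_yield(rows):
    """Crime types ordered from most to least profitable per complaint."""
    avg = avg_loss(rows)
    return sorted(avg, key=avg.get, reverse=True)

def yoy(rows):
    """Relative 2016 -> 2017 change of loss and of complaints (fractions);
    the 2016 values are rebuilt by subtracting the reported deltas."""
    out = {}
    for name, loss, d_loss, n, d_n in rows:
        out[name] = (d_loss / (loss - d_loss), d_n / (n - d_n))
    return out

def flag_anomalies(rows, loss_cut=0.5, complaints_cut=0.1):
    """Rows whose loss swung by at least loss_cut while complaints moved by
    less than complaints_cut. Same victims but a very different total loss
    is either a data error (the post suspects a shifted digit) or a real
    change in per-victim damage; either deserves a second look. The
    cut-offs are assumptions, not values from the post."""
    return [name for name, (loss_chg, n_chg) in yoy(rows).items()
            if abs(loss_chg) >= loss_cut and abs(n_chg) < complaints_cut]

if __name__ == "__main__":
    for name in rank_by_yield(ROWS):
        print(f"{name:26s} avg ${avg_loss(ROWS)[name]:>8,}")
    print("anomalies:", flag_anomalies(ROWS))  # ['Civil Matter']
```

Note that Denial of Service is not flagged even though its loss fell by about 87%: its victim count rose by over 20%, so the two numbers moved together rather than contradicting each other.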

Some final thoughts

From 2016 to 2017, not much changed. Ransomware is not the big criminal money maker people think it is, and 2017 confirmed this. Some numbers seem counterintuitive: our observations in our Cyber Defense Center show that the number of malware infections is steadily increasing, for example. A first explanation is that organizations see malware (such as ransomware and crypto miners) as an operational nuisance. They cut their operational losses, but they do not pursue the event with law enforcement. Especially in larger organizations, with multiple malware infections per day, this makes sense. Secondly, for attacks like ransomware, the impact is determined more by collateral damage than by the criminals' profit.

That said, the largest amounts of money are not stolen with hacking and tools, but with social engineering. The bulk of internet crime sits in a mid-range segment: criminals aiming to rob a few thousand dollars from you and launder it in traditional ways. BEC was and remains the biggest moneymaker. It shows that, despite our efforts to become more resilient, criminals eagerly exploit that which is so difficult to patch: our behavior.

Links

Data sources from FBI IC3. Data compiled from the FBI’s reports by Glenn Fryklund. Analysis by Glenn Fryklund and Eward Driehuis.

June 7th, 2018 (2018-06-08T09:36:21+00:00)


SecureLink