On May 7, the FBI released their annual IC3 report. In it, you can read up on reported internet crime. We like the report: it is simple, straightforward and based on data. It is, of course, US-centric, which means there is more credit card theft and other subtle differences with Europe, but the bigger picture is interesting and relevant.
Since the report offers the numbers with little context, we aim to dive into them, compare 2016 with 2017, look at some anomalies and interesting tidbits, and offer some context. We hope it helps.
Bear the following in mind: it is about crime. Not about nation-state attacks, espionage, hacktivism and so on. Criminals are our most predictable adversary. They are after our money, and they will choose low-hanging fruit and proven technologies when they can. Furthermore, these numbers cover only the reported crimes, which means that "low yield" crimes are likely to be reported less often than they actually occurred.
First look at the numbers
Let's look at the list, sorted by cumulative loss in dollars. The top 4 consists of Business Email Compromise (e.g. CEO fraud), Romance fraud, Non-payment and Investment. Personal data breach, in 5th place, is the first one with a tech component. Credit card fraud is number 9 and is the first automated crime type in the list. Malware and ransomware are numbers 24 and 25. According to these numbers, there are 24 better ways than ransomware for criminals to make money. Maybe that is why our Cyber Defense Centers show that ransomware is slowly being pushed aside by cryptojacking since January of this year.
Total reported losses, when we add them up, come to a bit over 1.7 billion dollars, although IC3 reports 1.4 billion. Perhaps some categories in the list double-count losses. BEC is responsible for 39% of these losses. Romance fraud is another 12%, and the remaining 49% is divided among 31 other crime types.
Based on individual complaints, the pie chart slices differently. When people are hit by a scam, they will probably tell you one of two stories: the most common one is that they bought something online but never got the goods. The second one is that their personal data was stolen or leaked.
Criminal money makers
Which is the most profitable attack type? To get some insight, we divided the total loss per crime type by the number of reported incidents. On the low end, if you are scamming kids, you are only making a small amount of money (and being a miserable person in the process), while going after the big enterprises with CEO fraud yields an average of $43,094. Investment fraud completes the top 3 at number 2 (averaging $31,351), with Corporate Data Breach at number 3, averaging $16,101.
Obviously, this does not mean every criminal will stop what they are doing and switch to BEC tomorrow. Social engineering attacks require time, effort and diligence, whereas some of the automated malware attacks are close to fire-and-forget. It all depends on the criminals' work ethic and their risk appetite. Each to his own.
Loss, profitability, and volume
Next, we aimed to visualize the 33 crime types in one graph: the number of attacks versus the average loss. The data points are sized by total loss (and thus by the FBI's ranking). We observe four quadrants; the most dangerous one, attacks with a high yield that also happen a lot, is empty. The cash cows are BEC and investment fraud. Non-payment is the most likely to happen, although you probably won't lose sleep over it. Romance fraud sits in the middle and appears to be a well-balanced attack: it leads the mainstream cluster, with a scattering of rare, seldom-reported attacks around it.
Changes of the past year ranked by loss
The top 4 (BEC, Romance fraud, Non-Payment, Investment fraud) did not change. The total reported crime losses went up from $1.6B to $1.7B (with the caveat that the FBI itself reports $1.4B). If this were a music top 33, it would be a boring one, with few movers and shakers. Tech support scams are number 17 in the list (up from 22), and Civil matter dropped from 10 to 21. This is the biggest anomaly we could find: IC3 reports total losses on Civil matter going down by 90% while the number of victims is almost the same, around 1000. We suspect a digit got shifted in the IC3 numbers.
Rank | 2017 cyber crime type | Move (2016 rank) | Loss | Change in loss vs 2016 | Nr of victims
--- | --- | --- | --- | --- | ---
1 | BEC/EAC | – | $676,151,185 | +$315,637,224 | 15690
2 | Confidence Fraud/Romance | – | $211,382,989 | -$8,424,771 | 15372
3 | Non-Payment/Non-Delivery | – | $141,110,441 | +$2,882,159 | 84079
4 | Investment | – | $96,844,144 | -$26,563,853 | 3089
5 | Personal Data Breach | ↑ (8th) | $77,134,865 | +$17,996,713 | 30904
6 | Identity Theft | ↑ (9th) | $66,815,298 | +$7,897,900 | 17636
7 | Corporate Data Breach | ↓ (5th) | $60,942,306 | -$34,927,684 | 3785
8 | Advanced Fee | ↓ (7th) | $57,861,324 | -$2,623,249 | 16368
9 | Credit Card Fraud | ↑ (12th) | $57,207,248 | +$9,019,255 | 15220
10 | Real Estate/Rental | ↑ (13th) | $56,231,333 | +$8,355,568 | 9645
11 | Overpayment | – | $53,450,830 | -$2,554,006 | 23135
12 | Employment | ↑ (14th) | $38,883,616 | -$1,633,989 | 15784
13 | Phishing/Vishing/Smishing/Pharming | ↑ (15th) | $29,703,421 | -$1,976,030 | 25344
14 | Other | ↓ (6th) | $23,853,704 | -$49,238,397 | 14023
15 | Lottery/Sweepstakes | ↑ (17th) | $16,835,001 | -$4,448,768 | 3012
16 | Extortion | ↑ (18th) | $15,302,792 | -$509,045 | 14938
17 | Tech Support | ↑ (22nd) | $14,810,080 | +$7,003,664 | 10949
18 | Misrepresentation | ↑ (19th) | $14,580,907 | +$855,674 | 5437
19 | Harassment/Threats of Violence | ↓ (16th) | $12,569,185 | -$9,436,470 | 16194
20 | Government Impersonation | – | $12,467,380 | +$188,666 | 9149
21 | Civil Matter | ↓ (10th) | $5,766,550 | -$51,922,005 | 1057
22 | IPR/Copyright and Counterfeit | ↑ (23rd) | $5,536,912 | -$1,292,555 | 2644
23 | Malware/Scareware/Virus** | ↑ (24th) | $5,003,434 | -$485,238 | 3089
24 | Ransomware | ↑ (25th) | $2,344,365 | -$86,896 | 1783
25 | Denial of Service/TDoS | ↓ (21st) | $1,466,195 | -$9,747,371 | 1201
26 | Charity | ↑ (27th) | $1,405,460 | -$254,992 | 436
27 | Health Care Related | ↑ (29th) | $925,849 | -$69,810 | 406
28 | Re-shipping | ↓ (26th) | $809,746 | -$1,122,275 | 1025
29 | Gambling | ↑ (30th) | $598,853 | +$308,160 | 203
30 | Crimes Against Children | ↑ (32nd) | $46,411 | -$32,762 | 1300
31 | Hacktivist | ↑ (33rd) | $20,147 | -$35,353 | 158
32 | Terrorism | ↓ (31st) | $18,926 | -$201,009 | 177
33 | No Lead Value | ↑ (34th) | $0 | – | 20241
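As an added worked example (not the authors' code), the following reproduces the per-complaint profitability metric from "Criminal money makers" and the loss-versus-volume quadrants from "Loss, profitability, and volume" over a constructed subset of the table above; the two quadrant thresholds are assumptions of this example, not values from the report.

```python
# Added example, not part of the original post: profitability per complaint and the
# loss/volume quadrant view, computed over IC3 2017 figures quoted in the table above.
# ROWS is a constructed subset of that table: (crime type, total loss in USD, complaints).
ROWS = [
    ("BEC/EAC", 676_151_185, 15690),
    ("Confidence Fraud/Romance", 211_382_989, 15372),
    ("Non-Payment/Non-Delivery", 141_110_441, 84079),
    ("Investment", 96_844_144, 3089),
    ("Personal Data Breach", 77_134_865, 30904),
    ("Corporate Data Breach", 60_942_306, 3785),
    ("Overpayment", 53_450_830, 23135),
    ("Phishing/Vishing/Smishing/Pharming", 29_703_421, 25344),
    ("Ransomware", 2_344_365, 1783),
    ("Crimes Against Children", 46_411, 1300),
]

# Assumed thresholds (this example's choice, not the report's): a crime type is "high
# yield" above this average loss per complaint and "high volume" above this complaint count.
HIGH_YIELD_USD = 10_000
HIGH_VOLUME = 20_000

QUADRANTS = ("high yield, high volume", "cash cow", "mass market", "niche")


def avg_loss(rows=ROWS):
    """Average loss per reported complaint, rounded to whole dollars."""
    return {name: round(loss / n) for name, loss, n in rows}


def rank_by_avg(rows=ROWS):
    """Crime types ordered from most to least profitable per complaint."""
    avgs = avg_loss(rows)
    return sorted(avgs, key=avgs.get, reverse=True)


def quadrant(name, rows=ROWS):
    """Place one crime type in the loss-versus-volume grid used in the article."""
    loss, n = next((l, c) for r, l, c in rows if r == name)
    high_yield = loss / n >= HIGH_YIELD_USD
    high_volume = n >= HIGH_VOLUME
    if high_yield and high_volume:
        return QUADRANTS[0]
    if high_yield:
        return QUADRANTS[1]      # BEC and investment fraud land here
    return QUADRANTS[2] if high_volume else QUADRANTS[3]


def empty_quadrants(rows=ROWS):
    """Quadrants with no crime type in them; the article observes the first is empty."""
    return set(QUADRANTS) - {quadrant(name, rows) for name, _, _ in rows}
```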
Changes of the past year ranked by the number of complaints
If we sort the numbers by the number of complaints, we get a different picture. Most attacks yield far less than the top three mentioned above; as a matter of fact, the average across all attacks is a bit over $4,500. That said, for the top 3 by complaints: Non-payment nets the criminal an average of $1,678, personal data breach averages almost $2,500 and Phishing averages a bit over $1,100. It seems the mainstream internet criminal still has an appetite for these mid-level amounts. Maybe their proven ways of laundering the money drive this appetite, or maybe criminals in the B-leagues just like to do it this way.
Rank | 2017 cyber crime type | Move (2016 rank) | Nr of victims | Change in victims vs 2016 | Loss
--- | --- | --- | --- | --- | ---
1 | Non-Payment/Non-Delivery | – | 84079 | +3050 | $141,110,441
2 | Personal Data Breach | – | 30904 | +3331 | $77,134,865
3 | Phishing/Vishing/Smishing/Pharming | ↑ (4th) | 25344 | +5879 | $29,703,421
4 | Overpayment | ↓ (3rd) | 23135 | -2581 | $53,450,830
5 | No Lead Value | ↑ (12th) | 20241 | +6447 | $0
6 | Identity Theft | ↑ (7th) | 17636 | +758 | $66,815,298
7 | Advanced Fee | ↑ (10th) | 16368 | +1293 | $57,861,324
8 | Harassment/Threats of Violence | – | 16194 | -191 | $12,569,185
9 | Employment | ↓ (5th) | 15784 | -1603 | $38,883,616
10 | BEC/EAC | ↑ (16th) | 15690 | +3685 | $676,151,185
11 | Confidence Fraud/Romance | – | 15372 | +826 | $211,382,989
12 | Credit Card Fraud | ↓ (9th) | 15220 | -675 | $57,207,248
13 | Extortion | ↓ (6th) | 14938 | -2208 | $15,302,792
14 | Other | ↓ (13th) | 14023 | +1404 | $23,853,704
15 | Tech Support | ↑ (17th) | 10949 | +99 | $14,810,080
16 | Real Estate/Rental | ↓ (14th) | 9645 | -2929 | $56,231,333
17 | Government Impersonation | ↓ (15th) | 9149 | -3195 | $12,467,380
18 | Misrepresentation | – | 5437 | +1 | $14,580,907
19 | Corporate Data Breach | ↑ (20th) | 3785 | +382 | $60,942,306
20 | Investment | ↑ (24th) | 3089 | +892 | $96,844,144
21 | Malware/Scareware/Virus** | – | 3089 | +306 | $5,003,434
22 | Lottery/Sweepstakes | ↓ (19th) | 3012 | -1219 | $16,835,001
23 | IPR/Copyright and Counterfeit | – | 2644 | +72 | $5,536,912
24 | Ransomware | ↓ (22nd) | 1783 | -1000 | $2,344,365
25 | Crimes Against Children | ↑ (26th) | 1300 | +70 | $46,411
26 | Denial of Service/TDoS | ↑ (28th) | 1201 | +222 | $1,466,195
27 | Civil Matter | – | 1057 | -13 | $5,766,550
28 | Re-shipping | ↑ (29th) | 1025 | +132 | $809,746
29 | Charity | ↑ (30th) | 436 | -1 | $1,405,460
30 | Health Care Related | ↑ (31st) | 406 | +37 | $925,849
31 | Gambling | ↑ (33rd) | 203 | +66 | $598,853
32 | Terrorism | – | 177 | -118 | $18,926
33 | Hacktivist | ↑ (34th) | 158 | +45 | $20,147
Some final thoughts
From 2016 to 2017, not much changed. Ransomware is not the big criminal money maker people think it is, and the 2017 numbers confirm this. Some numbers seem counterintuitive: our observations in our Cyber Defense Center show that the number of malware infections is steadily increasing, for example. A first explanation is that organizations see malware (such as ransomware and crypto miners) as an operational nuisance. They cut their operational losses, but they do not pursue the event with law enforcement. Especially in larger organizations, with multiple malware infections per day, this makes sense. Secondly, for attacks like ransomware, the impact is determined more by collateral damage than by the criminals' profit.
That said, the highest amounts of money are not stolen by hacking and tools, but by social engineering. The bulk of internet crime happens in a mid-range segment: criminals aiming to rob a few thousand dollars from you and launder it in traditional ways. BEC was and remains the biggest moneymaker. It shows that, despite our efforts to become more resilient, criminals eagerly exploit that which is so difficult to patch: our behavior.
Links
Data sources from FBI IC3. Data compiled from the FBI’s reports by Glenn Fryklund. Analysis by Glenn Fryklund and Eward Driehuis.