Criminal movers and shakers, according to the FBI’s IC3

On May 7, the FBI released its annual IC3 report, in which you can read up on reported internet crime. We like the report: it is simple, straightforward and based on data. It is, of course, US-centric, which means more credit card theft and other subtle differences from Europe, but the bigger picture is interesting and relevant.

Since the report offers the numbers with little context, we aim to dive into them, compare 2016 with 2017, look at some anomalies and interesting tidbits, and offer some context. We hope it helps.

Bear the following in mind: it is about crime, not about nation-state attacks, espionage, hacktivism and so on. Criminals are our most predictable adversary: they are after our money, and they choose low-hanging fruit and proven techniques when they can. Furthermore, these are only the reported crimes, so "low yield" crimes are likely under-reported relative to how often they actually occur.

First look at the numbers

Let's look at the list, sorted by cumulative loss in dollars. The top 4 consists of Business Email Compromise (e.g. CEO fraud), Romance fraud, Non-payment and Investment fraud. Personal data breach, in 5th place, is the first entry with a tech component. Credit card fraud is number 9 and the first automated crime type in the list. Malware and ransomware are numbers 23 and 24 (down from 24 and 25 in 2016 only because the list got shorter). According to these numbers, there are 23 better ways than ransomware for criminals to make money. Maybe that is why our Cyber Defense Centers see ransomware slowly being pushed aside by cryptojacking since January of this year.

Total reported losses, when we add up the per-type figures, come to a bit over 1.7 billion dollars, although IC3 itself reports 1.4 billion. The most likely reason is that one complaint can be counted under more than one crime type, so the per-type totals overlap. BEC is responsible for about 38% of the summed losses, Romance fraud for another 12%, and the remaining half is divided among the 31 other crime types.

[Chart: Sum of loss per crime type, FBI IC3 2017 report]

Counted by individual complaints, the pie chart slices differently. When people are hit by a scam, they will probably tell you one of two stories: the most common one is that they bought something online but never got the goods; the second one is that their personal data was stolen or leaked.

[Chart: Number of victims per crime type, FBI IC3 2017 report]

Criminal money makers

Which is the most profitable attack type? To get some insight, we divided the total loss per crime type by the number of reported incidents. On the low end, if you are scamming kids you make only a small amount of money per victim (and are a miserable person in the process), while going after enterprises with CEO fraud yields an average of $43,094 per complaint. Investment fraud is number 2 (averaging $31,351) and Corporate Data Breach number 3 (averaging $16,101).

[Chart: Average loss per victim per crime type, FBI IC3 2017 report]

Obviously, this doesn't mean every criminal will stop what they are doing and switch to BEC tomorrow. Social engineering attacks require time, effort and diligence, whereas some of the automated malware attacks are close to fire-and-forget. It all depends on the criminals' work ethic and their risk appetite. Each to his own.

Loss, profitability, and volume

Next, we visualized the 33 crime types in one graph: number of complaints versus average loss per complaint, with each data point sized by total loss (and thus by the FBI's ranking). We observe four quadrants, and the most dangerous one is empty: there is no attack type with a high yield that also happens a lot. The cash cows are BEC and investment fraud: high yield, relatively few complaints. Most likely to happen to you is non-payment, although you probably won't lose sleep over it. Romance fraud sits in the middle and appears to be a well-balanced attack, leading the mainstream group; the remaining types are rare and seldom reported.

[Chart: Complaints versus average loss per crime type ("cash cow" quadrants), FBI IC3 2017 report]
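To make the two computations above reproducible, here is an added Python example that is not part of the original post. It embeds the 33 loss/complaint pairs exactly as printed in the tables further down, and computes the average loss per complaint, each type's share of the summed losses, and a volume-versus-yield quadrant label. The quadrant thresholds (20,000 complaints and $10,000 per complaint) are our own assumption for the split, not figures from the report; with them the high-volume/high-yield quadrant comes out empty, as the chart shows.

```python
"""Average-loss and quadrant analysis on the FBI IC3 2017 per-type figures."""

# Crime type, total reported loss (USD) and number of complaints, as printed
# in the FBI IC3 2017 report and in the tables of this post.
IC3_2017 = [
    ("BEC/EAC", 676_151_185, 15_690),
    ("Confidence Fraud/Romance", 211_382_989, 15_372),
    ("Non-Payment/Non-Delivery", 141_110_441, 84_079),
    ("Investment", 96_844_144, 3_089),
    ("Personal Data Breach", 77_134_865, 30_904),
    ("Identity Theft", 66_815_298, 17_636),
    ("Corporate Data Breach", 60_942_306, 3_785),
    ("Advanced Fee", 57_861_324, 16_368),
    ("Credit Card Fraud", 57_207_248, 15_220),
    ("Real Estate/Rental", 56_231_333, 9_645),
    ("Overpayment", 53_450_830, 23_135),
    ("Employment", 38_883_616, 15_784),
    ("Phishing/Vishing/Smishing/Pharming", 29_703_421, 25_344),
    ("Other", 23_853_704, 14_023),
    ("Lottery/Sweepstakes", 16_835_001, 3_012),
    ("Extortion", 15_302_792, 14_938),
    ("Tech Support", 14_810_080, 10_949),
    ("Misrepresentation", 14_580_907, 5_437),
    ("Harassment/Threats of Violence", 12_569_185, 16_194),
    ("Government Impersonation", 12_467_380, 9_149),
    ("Civil Matter", 5_766_550, 1_057),
    ("IPR/Copyright and Counterfeit", 5_536_912, 2_644),
    ("Malware/Scareware/Virus", 5_003_434, 3_089),
    ("Ransomware", 2_344_365, 1_783),
    ("Denial of Service/TDoS", 1_466_195, 1_201),
    ("Charity", 1_405_460, 436),
    ("Health Care Related", 925_849, 406),
    ("Re-shipping", 809_746, 1_025),
    ("Gambling", 598_853, 203),
    ("Crimes Against Children", 46_411, 1_300),
    ("Hacktivist", 20_147, 158),
    ("Terrorism", 18_926, 177),
    ("No Lead Value", 0, 20_241),
]

# Thresholds for the volume-versus-yield split. These are an assumption made
# for this example, not figures from the IC3 report.
HIGH_VOLUME = 20_000   # complaints per year
HIGH_YIELD = 10_000    # average USD per complaint


def total_loss(rows=IC3_2017):
    """Sum of the per-type losses (overlaps included, so above IC3's own total)."""
    return sum(loss for _, loss, _ in rows)


def average_loss(rows=IC3_2017):
    """Average reported loss per complaint for each crime type (0 if no complaints)."""
    return {name: (loss / victims if victims else 0.0) for name, loss, victims in rows}


def share_of_loss(rows=IC3_2017):
    """Each type's share, in percent, of the summed per-type losses."""
    total = total_loss(rows)
    return {name: 100.0 * loss / total for name, loss, _ in rows}


def ranked_by_average(rows=IC3_2017):
    """Crime types ordered from most to least profitable per complaint."""
    avg = average_loss(rows)
    return sorted(avg, key=avg.get, reverse=True)


def quadrants(rows=IC3_2017, high_volume=HIGH_VOLUME, high_yield=HIGH_YIELD):
    """Label each type by how often it is reported and how much it yields."""
    avg = average_loss(rows)
    labels = {}
    for name, _, victims in rows:
        vol = "high-volume" if victims >= high_volume else "low-volume"
        yld = "high-yield" if avg[name] >= high_yield else "low-yield"
        labels[name] = f"{vol}/{yld}"
    return labels


if __name__ == "__main__":
    avg = average_loss()
    for name in ranked_by_average()[:3]:
        print(f"{name:35} ${avg[name]:>10,.0f} per complaint")
    worst = [n for n, q in quadrants().items() if q == "high-volume/high-yield"]
    print("high-volume/high-yield types:", worst or "none")
```

The "No Lead Value" row has losses of $0 against 20,241 complaints, which is why the average is guarded against a zero complaint count and why that row lands in the high-volume/low-yield corner rather than distorting the yield axis.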

Changes of the past year ranked by loss

The top 4 (BEC, Romance fraud, Non-Payment, Investment fraud) didn't change. Summed per-type losses went up from $1.6B to $1.7B (with the caveat that the FBI itself reports $1.4B). If this were a music top 33, it would be a boring one, with few movers and shakers. Tech support scams are number 17 in the list (up from 22), and Civil matter dropped from 10 to 21. That is the biggest anomaly we could find: IC3 reports total losses on Civil matter going down by 90% while the number of victims stayed almost the same, around 1,000. We suspect a digit got shifted in the IC3 numbers.

| Rank | 2017 Cyber Crime Type | Rank in 2016 | Loss | Change vs 2016 | Nr of victims |
|---|---|---|---|---|---|
| 1 | BEC/EAC | same | $676,151,185 | +$315,637,224 | 15,690 |
| 2 | Confidence Fraud/Romance | same | $211,382,989 | -$8,424,771 | 15,372 |
| 3 | Non-Payment/Non-Delivery | same | $141,110,441 | +$2,882,159 | 84,079 |
| 4 | Investment | same | $96,844,144 | -$26,563,853 | 3,089 |
| 5 | Personal Data Breach | ↑ from 8 | $77,134,865 | +$17,996,713 | 30,904 |
| 6 | Identity Theft | ↑ from 9 | $66,815,298 | +$7,897,900 | 17,636 |
| 7 | Corporate Data Breach | ↓ from 5 | $60,942,306 | -$34,927,684 | 3,785 |
| 8 | Advanced Fee | ↓ from 7 | $57,861,324 | -$2,623,249 | 16,368 |
| 9 | Credit Card Fraud | ↑ from 12 | $57,207,248 | +$9,019,255 | 15,220 |
| 10 | Real Estate/Rental | ↑ from 13 | $56,231,333 | +$8,355,568 | 9,645 |
| 11 | Overpayment | same | $53,450,830 | -$2,554,006 | 23,135 |
| 12 | Employment | ↑ from 14 | $38,883,616 | -$1,633,989 | 15,784 |
| 13 | Phishing/Vishing/Smishing/Pharming | ↑ from 15 | $29,703,421 | -$1,976,030 | 25,344 |
| 14 | Other | ↓ from 6 | $23,853,704 | -$49,238,397 | 14,023 |
| 15 | Lottery/Sweepstakes | ↑ from 17 | $16,835,001 | -$4,448,768 | 3,012 |
| 16 | Extortion | ↑ from 18 | $15,302,792 | -$509,045 | 14,938 |
| 17 | Tech Support | ↑ from 22 | $14,810,080 | +$7,003,664 | 10,949 |
| 18 | Misrepresentation | ↑ from 19 | $14,580,907 | +$855,674 | 5,437 |
| 19 | Harassment/Threats of Violence | ↓ from 16 | $12,569,185 | -$9,436,470 | 16,194 |
| 20 | Government Impersonation | same | $12,467,380 | +$188,666 | 9,149 |
| 21 | Civil Matter | ↓ from 10 | $5,766,550 | -$51,922,005 | 1,057 |
| 22 | IPR/Copyright and Counterfeit | ↑ from 23 | $5,536,912 | -$1,292,555 | 2,644 |
| 23 | Malware/Scareware/Virus | ↑ from 24 | $5,003,434 | -$485,238 | 3,089 |
| 24 | Ransomware | ↑ from 25 | $2,344,365 | -$86,896 | 1,783 |
| 25 | Denial of Service/TDoS | ↓ from 21 | $1,466,195 | -$9,747,371 | 1,201 |
| 26 | Charity | ↑ from 27 | $1,405,460 | -$254,992 | 436 |
| 27 | Health Care Related | ↑ from 29 | $925,849 | -$69,810 | 406 |
| 28 | Re-shipping | ↓ from 26 | $809,746 | -$1,122,275 | 1,025 |
| 29 | Gambling | ↑ from 30 | $598,853 | +$308,160 | 203 |
| 30 | Crimes Against Children | ↑ from 32 | $46,411 | -$32,762 | 1,300 |
| 31 | Hacktivist | ↑ from 33 | $20,147 | -$35,353 | 158 |
| 32 | Terrorism | ↓ from 31 | $18,926 | -$201,009 | 177 |
| 33 | No Lead Value | ↑ from 34 | $0 | n/a | 20,241 |

Changes of the past year ranked by the number of complaints

If we sort by the number of complaints, we get a different picture. Most attack types yield far less than the top three by average loss mentioned above; in fact, the average across all complaints is a bit over $4,500. For the top 3 by volume: non-payment nets the criminal $1,678 per complaint on average, personal data breach almost $2,500 and phishing a bit over $1,100. It seems the mainstream internet criminal still has an appetite for these mid-level amounts. Maybe their proven ways of laundering the money drive this appetite, or maybe criminals in the B-leagues just like to do it this way.

| Rank | 2017 Cyber Crime Type | Rank in 2016 | Nr of victims | Change vs 2016 | Loss |
|---|---|---|---|---|---|
| 1 | Non-Payment/Non-Delivery | same | 84,079 | +3,050 | $141,110,441 |
| 2 | Personal Data Breach | same | 30,904 | +3,331 | $77,134,865 |
| 3 | Phishing/Vishing/Smishing/Pharming | ↑ from 4 | 25,344 | +5,879 | $29,703,421 |
| 4 | Overpayment | ↓ from 3 | 23,135 | -2,581 | $53,450,830 |
| 5 | No Lead Value | ↑ from 12 | 20,241 | +6,447 | $0 |
| 6 | Identity Theft | ↑ from 7 | 17,636 | +758 | $66,815,298 |
| 7 | Advanced Fee | ↑ from 10 | 16,368 | +1,293 | $57,861,324 |
| 8 | Harassment/Threats of Violence | same | 16,194 | -191 | $12,569,185 |
| 9 | Employment | ↓ from 5 | 15,784 | -1,603 | $38,883,616 |
| 10 | BEC/EAC | ↑ from 16 | 15,690 | +3,685 | $676,151,185 |
| 11 | Confidence Fraud/Romance | same | 15,372 | +826 | $211,382,989 |
| 12 | Credit Card Fraud | ↓ from 9 | 15,220 | -675 | $57,207,248 |
| 13 | Extortion | ↓ from 6 | 14,938 | -2,208 | $15,302,792 |
| 14 | Other | ↓ from 13 | 14,023 | +1,404 | $23,853,704 |
| 15 | Tech Support | ↑ from 17 | 10,949 | +99 | $14,810,080 |
| 16 | Real Estate/Rental | ↓ from 14 | 9,645 | -2,929 | $56,231,333 |
| 17 | Government Impersonation | ↓ from 15 | 9,149 | -3,195 | $12,467,380 |
| 18 | Misrepresentation | same | 5,437 | +1 | $14,580,907 |
| 19 | Corporate Data Breach | ↑ from 20 | 3,785 | +382 | $60,942,306 |
| 20 | Investment | ↑ from 24 | 3,089 | +892 | $96,844,144 |
| 21 | Malware/Scareware/Virus | same | 3,089 | +306 | $5,003,434 |
| 22 | Lottery/Sweepstakes | ↓ from 19 | 3,012 | -1,219 | $16,835,001 |
| 23 | IPR/Copyright and Counterfeit | same | 2,644 | +72 | $5,536,912 |
| 24 | Ransomware | ↓ from 22 | 1,783 | -1,000 | $2,344,365 |
| 25 | Crimes Against Children | ↑ from 26 | 1,300 | +70 | $46,411 |
| 26 | Denial of Service/TDoS | ↑ from 28 | 1,201 | +222 | $1,466,195 |
| 27 | Civil Matter | same | 1,057 | -13 | $5,766,550 |
| 28 | Re-shipping | ↑ from 29 | 1,025 | +132 | $809,746 |
| 29 | Charity | ↑ from 30 | 436 | -1 | $1,405,460 |
| 30 | Health Care Related | ↑ from 31 | 406 | +37 | $925,849 |
| 31 | Gambling | ↑ from 33 | 203 | +66 | $598,853 |
| 32 | Terrorism | same | 177 | -118 | $18,926 |
| 33 | Hacktivist | ↑ from 34 | 158 | +45 | $20,147 |

Some final thoughts

From 2016 to 2017, not much changed. Ransomware is not the big criminal money maker people think it is, and 2017 confirms this. Some numbers seem counterintuitive: our observations in our Cyber Defense Center show that the number of malware infections is steadily increasing, for example. A first explanation is that organizations see malware (such as ransomware and crypto miners) as an operational nuisance: they cut their operational losses but do not pursue the event with law enforcement. Especially in larger organizations, with multiple malware infections per day, this makes sense. Secondly, for attacks like ransomware, the impact is determined more by collateral damage than by the criminals' profit, and only the profit shows up as a reported loss.

This said, the largest amounts of money are not stolen with hacking tools but with social engineering. The bulk of internet crime happens in a mid-range segment: criminals aiming to rob a few thousand dollars from you and launder it in traditional ways. BEC was and remains the biggest moneymaker. It shows that, despite our efforts to become more resilient, criminals eagerly exploit that which is so difficult to patch: our behavior.

Links

Data sources from FBI IC3. Data compiled from the FBI’s reports by Glenn Fryklund. Analysis by Glenn Fryklund and Eward Driehuis.

Published June 7th, 2018 (page timestamp 2018-06-08T09:36:21+00:00)


SecureLink