Since May 2000, the FBI has collected cyber-crime data in the Internet Crime Complaint Center (IC3). The annual report shows that Internet crime continues to be a profitable growth industry. For example, the number of reported Internet crimes for the last five reporting periods has more than doubled, from 2016 (298,728) to 2020 (791,790). In 2020, the resulting losses totaled more than $4 billion. The information collected by the IC3 is through public self-reporting.
Most of the reporting was from the United States. However, 20 countries contributed to the report. As the information is gathered, trends emerge, and best practices are identified to protect individuals and businesses. A consideration is that the actual number of criminal acts and the amount of money extorted is much greater than what is reported. A reason is that not all victims report Internet crime; for some, they do not know where or how to report, or the victim is unwilling to report because they are too embarrassed or fearful due to threats. Interesting is that most business and individual victims are re-attacked within a year, often through the same means.
What has become apparent is that criminals never pass up an opportunity to make money from holidays, social disruptions, war, pestilence, or the plague. In 2020, the COVID-19 pandemic was accompanied by cyber assaults that leveraged fear and the government's financial response. These scams were related to promised cures, tests, and protective equipment.
Most lucrative was taking advantage of the government's financial response by fraudulently submitting online loan applications and submitting unemployment insurance claims. For the most part, the victims were unaware of these fraudulent claims until they submitted a claim and were denied. These scams all begin with the criminals collecting and using personal or business information, most often gathered through email. One of the most common ways for people to provide personal information was for the criminal to appear as a government agent or authority. Often people fall for scams through carelessness or ignorance. Nevertheless, protecting information is a foundation in cybersecurity and being cynical and suspicious of email from all sources is a commonsense approach.
The top three 2020 categories of cyber-crime were: Business Email Compromise/Email Account Compromise (BEC/EAC) ($1.8 billion); Tech Support Fraud ($145 million); and Ransomware ($29.1 million).
BEC/EAC involves transferring money from a personal or business account to another due to fraud. The money is transferred to an international account, where the account is closed and the funds stolen. These are very sophisticated and targeted attacks, and they take time to unravel. They succeed when the victim is fooled into thinking the transfer is legitimate and required. These, too, begin with email.
Tech Support Fraud is when criminals pose as routine tech maintenance or claim they are solving a problem where one does not exist. Many of these originate in India through call centers. They begin with email notifications of the problem and end with the victim sending money for nonexistent services or the victim sending their bank account information which is cleaned out.
Ransomware is the third of the top three; it is the criminal encrypting data on a computer system and then demanding a ransom for the decryption key. Rarely is the decryption key provided, even if there is a ransom paid. The attack will usually occur through an infected email that the victim opened, with the malware downloading onto the system. Other means are the attackers using known exploits against systems with outdated software or misconfigured systems.
To protect yourself and your business from these attacks, you must first recognize that email is the most common attack vector. Know that all emails from all sources must be treated as suspect until proven otherwise, do not download anything until you are sure of its origin. In addition, make sure you have antivirus software and it is up to date. Make sure all of your software is updated, including the operating system, router, and application software. Known vulnerabilities, or bugs, for software are published and exploited.
If these essential actions that protect your computer systems seem to be always the same, it is because they are. This points to the fact that most users ignore them. The adage is to be proactive, do the simple things well, and protect yourself.
With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at firstname.lastname@example.org.