Industry Voice: The FBI and the 2021 Internet Crime Report

By Mike Olivier | May 16, 2022

The takeaway from reading the FBI's 2021 Internet Crime Report is that internet crime continues to be a highly profitable growth industry.

The FBI collects Internet-related criminal complaints worldwide from individuals and companies. Since it began collecting and reporting in May 2000, the Internet Crime Complaint Center (IC3) has received more than 6.5 million complaints. As with all preceding years, this reporting year, 2021, has shown an increase in internet criminal activity and economic loss.

In general, the report is focused on criminal enterprise attacks against businesses and individuals. Most cybercrime reporting is now focused on the Russian invasion of Ukraine, the Russian cyber-war against NATO, Chinese cyberattacks, and other state-sponsored cyberattacks. Excluding these national attacks, criminal enterprise attacks account for most of the economic damage. In 2021 there was a 7 percent increase in reporting of cyberattacks over 2020. Almost all these attacks are associated with financial loss, which rose from $4.1 billion in 2020 to $6.9 billion in 2021.

The IC3 works with law enforcement agencies, the public, industry, and international agencies to combat all forms of cybercrime and provide public information and alerts. In addition to collecting and reporting internet crime data, the IC3 working with financial institutions and law enforcement assists with asset recovery by stopping illegal fund transfers. The IC3 Recovery Asset Team in 2021 was able to freeze the fraudulent transfer of $328 million, a 74 percent success rate. In addition to asset recovery, the IC3 provides data aggregation, and analysis for law enforcement focused on cybercrime. It is important to note that reporting to the IC3 is voluntary, and the actual number of incidents and losses is much higher.

Over the past five years, the number of victim complaints has increased, as has the total losses. In 2017 there were 301,580 complaints with $1.4 billion in losses; in 2021, this increased to 847,376 complaints with $6.9 billion in losses. The average loss has grown from $4,642 in 2017 to $8,142 in 2021.

As the number of complaints and losses continues to rise, the means of attack and compromise also evolve. However, business email/email account compromise (BEC/EAC) remains the leading means of separating victims from their money. This type of attack targets individuals and businesses through deception, resulting in the fraudulent transfer of funds into the attacker's account.

In the past, these attacks have involved hacking or spoofing the victim's email by requesting wire payments or fund transfers into the criminal's accounts. As the pandemic changed business behavior into a virtual environment filled with telecommuting, webinars, and virtual meetings, the criminals have adapted. Now criminals hack credentials, spoof business executives, and use these fraudulent credentials to transfer funds. In some instances, the criminals will arrange virtual meetings and, using the actual pictures of executives, under the guise of poor audio and internet connections, order the transfer of funds into their account.

The IC3 report slices and dices the data in many ways; it is presented by the number of complaints, the amount of economic loss, the number of complaints by state and country, and the victim's age. In regards to age, the over 60 population is the most affected. In 2021, the number of complaints for those over 60 was 92,371, with a loss of $1.68 billion, an average loss of $18,200 per complaint.

The report covers two crime types that hit the elder population the most: The first is Confidence/Romance Fraud, and the second is Tech Support Fraud. Confidence/Romance scams are on most dating and social media sites. The criminals use a fake online identity, and with the illusion of a romance or friendship, they manipulate and steal from the victim.

The romance scams usually end with requests for money for supposed travel to meet the victim or a request to help with an emergency; an emerging element of this scam is a request to use cryptocurrencies for a joint investment. Another related approach is the Grandparents Scam. The scammer calls a grandparent on behalf of a grandchild. With information gleaned from social media, the scammer constructs an emergency and requests money.

The second most common elder scam is Tech Support Fraud. This fraud affects small businesses as well. By spoofing legitimate companies through email, the criminal will offer technical support for some unknown problem that threatens the business or the individual's financial wellbeing. By using fear, the criminal's goal is for the victim to allow them to access the system and, once accomplished, extract payments or transfer money.

The IC3 report listed five cybercrime types; for two of them -- extortion and non-payment/non-delivery -- the number of complaints declined, the other three increased. For the most part, email is the line of attack used most often, and for the criminal, it is the most successful.

The means to meet and defeat these attacks remain constant. They are education and training so users can recognize fraudulent emails, have business processes requiring multiple approvals before transferring large sums of money, and use multifactor authentication for all accounts. In general, a healthy dose of skepticism is a good thing. It is knowing that if something is too good to be true, it most likely is; and it is recognizing that the supermodel-looking person that just sent you a friend request is probably not all that into you.

With 30 years of experience in information technology, Mike Olivier brings his expertise to small-business System Security Planning with San Diego-based 171Comply. As a small business owner working in the federal space both as a prime contractor and as a subcontractor, he understands the realities of running a small business. Contact Mike at