Criminal movers and shakers, according to the FBI’s IC3

On May 7, the FBI released their annual IC3 report. In it, you can read up on reported internet crime. We like the report: it's simple, straightforward and based on data. It is, of course, US-centric, which means there's more credit card theft and other subtle differences from Europe, but the bigger picture is interesting and relevant.

Since the report offers the numbers with little context, we aim to dive into them, compare 2016 with 2017, look at some anomalies and interesting tidbits, and offer some context. We hope it helps.

Bear the following in mind: this is about crime, not about nation-state attacks, espionage, hacktivism and so on. Criminals are our most predictable adversary: they're after our money, and they'll choose low-hanging fruit and proven technologies when they can. Second, these numbers cover only reported crimes, which means that "low yield" crimes are likely reported less often than they happen.

First look at the numbers

Let's look at the list, sorted by cumulative loss in dollars. The top 4 consists of BEC (CEO fraud), Romance fraud, Non-payment and Investment fraud. Personal data breach, at number 5, is the first one with a tech component. Credit card fraud, at number 9, is the first automated crime type in the list. Malware and ransomware are at numbers 24 and 25, which means that for criminals, judging from the numbers, there are 24 better ways to make money than ransomware. Maybe that's why our Cyber Defense Centers show ransomware slowly being pushed aside by cryptojacking since January of this year.

Total reported losses, when we add them up, come to a bit over 1.7 billion dollars, although IC3 reports 1.4 billion; maybe the list counts some things twice. BEC is responsible for 39% of these losses, Romance fraud for another 12%, and the remaining 49% is divided among 31 other crime types.

[Figure: Sum of loss - FBI Report]

Based on individual complaints, the pie slices differently. When people are hit with a scam, they will likely tell you one of two stories: the most frequent is how they bought something online but never got the goods; the second is how their personal data was stolen or leaked.

[Figure: Sum nr of victims - FBI Report]

Criminal money makers

Which is the most profitable attack type? To get some insight, we divided the total loss per crime type by the number of reported incidents. On the low end, if you're scamming kids, you're only making a few tenners (and being a miserable person in the process), while going after big enterprises with CEO fraud yields an average of $43,094. Investment fraud completes the top 3 at number 2 (averaging $31,351), and Corporate Data Breach is at number 3, averaging $16,101.

[Figure: Avg loss per victim - FBI Report]

Obviously, this doesn't mean every criminal will stop what they're doing and go BEC tomorrow. Social engineering attacks require time, effort and diligence, whereas some automated malware attacks are close to fire-and-forget. It all depends on the criminals' work ethic and their risk appetite. Each to his own.

Loss, profitability, and volume

Next, we aimed to visualize the 33 crime types in one graph: the number of attacks versus average loss, with the data points sized by total loss (and thus the FBI's ranking). We observe four quadrants, the most dangerous of which is empty: attacks with a high yield that happen a lot. The cash cows are BEC and investment fraud. Most likely to happen is non-payment, although you'll likely not lose sleep over it. Romance fraud sits nicely in the middle and apparently forms a well-balanced attack, as it heads the mainstream (along with some rare attacks that are seldom reported).

[Figure: Cash cow - FBI Report]

Changes from last year by the loss

The top 4 (BEC, Romance fraud, Non-Payment, Investment fraud) didn't change. Total reported crime losses went up from $1.6B to $1.7B (with the caveat that the FBI themselves mention $1.4B). If this were a music top 33, it would be a boring one, with few movers and shakers: Tech support scams at number 17 (up from 22), and Civil matter down from 10 to 21. Here's the biggest anomaly we could find: IC3 reports total losses for Civil matter going down by 90% while the number of victims is almost the same, around 1,000. We suspect a digit got shifted in the IC3 numbers.

Rank | 2017 Cyber Crime Type (arrow: 2016 rank) | Loss (change vs 2016) | Nr of victims
1 | BEC/EAC | $676,151,185 (+$315,637,224) | 15690
2 | Confidence Fraud/Romance | $211,382,989 (-$8,424,771) | 15372
3 | Non-Payment/Non-Delivery | $141,110,441 (+$2,882,159) | 84079
4 | Investment | $96,844,144 (-$26,563,853) | 3089
5 | Personal Data Breach ↑ (8th) | $77,134,865 (+$17,996,713) | 30904
6 | Identity Theft ↑ (9th) | $66,815,298 (+$7,897,900) | 17636
7 | Corporate Data Breach ↓ (5th) | $60,942,306 (-$34,927,684) | 3785
8 | Advanced Fee ↓ (7th) | $57,861,324 (-$2,623,249) | 16368
9 | Credit Card Fraud ↑ (12th) | $57,207,248 (+$9,019,255) | 15220
10 | Real Estate/Rental ↑ (13th) | $56,231,333 (+$8,355,568) | 9645
11 | Overpayment | $53,450,830 (-$2,554,006) | 23135
12 | Employment ↑ (14th) | $38,883,616 (-$1,633,989) | 15784
13 | Phishing/Vishing/Smishing/Pharming ↑ (15th) | $29,703,421 (-$1,976,030) | 25344
14 | Other ↓ (6th) | $23,853,704 (-$49,238,397) | 14023
15 | Lottery/Sweepstakes ↑ (17th) | $16,835,001 (-$4,448,768) | 3012
16 | Extortion ↑ (18th) | $15,302,792 (-$509,045) | 14938
17 | Tech Support ↑ (22nd) | $14,810,080 (+$7,003,664) | 10949
18 | Misrepresentation ↑ (19th) | $14,580,907 (+$855,674) | 5437
19 | Harassment/Threats of Violence ↓ (16th) | $12,569,185 (-$9,436,470) | 16194
20 | Government Impersonation | $12,467,380 (+$188,666) | 9149
21 | Civil Matter ↓ (10th) | $5,766,550 (-$51,922,005) | 1057
22 | IPR/Copyright and Counterfeit ↑ (23rd) | $5,536,912 (-$1,292,555) | 2644
23 | Malware/Scareware/Virus** ↑ (24th) | $5,003,434 (-$485,238) | 3089
24 | Ransomware ↑ (25th) | $2,344,365 (-$86,896) | 1783
25 | Denial of Service/TDoS ↓ (21st) | $1,466,195 (-$9,747,371) | 1201
26 | Charity ↑ (27th) | $1,405,460 (-$254,992) | 436
27 | Health Care Related ↑ (29th) | $925,849 (-$69,810) | 406
28 | Re-shipping ↓ (26th) | $809,746 (-$1,122,275) | 1025
29 | Gambling ↑ (30th) | $598,853 (+$308,160) | 203
30 | Crimes Against Children ↑ (32nd) | $46,411 (-$32,762) | 1300
31 | Hacktivist ↑ (33rd) | $20,147 (-$35,353) | 158
32 | Terrorism ↓ (31st) | $18,926 (-$201,009) | 177
33 | No Lead Value ↑ (34th) | $0 (-) | 20241
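As an added example (our own code, not from the original post or from IC3), the calculation behind the "average loss per victim" ranking above, plus a check for the Civil Matter anomaly just discussed, in Python over a subset of the table's figures. The 5x threshold for flagging a year-on-year shift is an assumption.

```python
# Added example (not from the original post): recompute the per-type average loss,
# rank the crime types by it, and apply a consistency check to the 2017 IC3 figures
# quoted above. ROWS is a subset transcribed from the tables on this page:
# (crime type, 2017 loss USD, loss change vs 2016, 2017 complaints, complaint change vs 2016).
ROWS = [
    ("BEC/EAC", 676_151_185, 315_637_224, 15_690, 3_685),
    ("Confidence Fraud/Romance", 211_382_989, -8_424_771, 15_372, 826),
    ("Non-Payment/Non-Delivery", 141_110_441, 2_882_159, 84_079, 3_050),
    ("Investment", 96_844_144, -26_563_853, 3_089, 892),
    ("Personal Data Breach", 77_134_865, 17_996_713, 30_904, 3_331),
    ("Corporate Data Breach", 60_942_306, -34_927_684, 3_785, 382),
    ("Phishing/Vishing/Smishing/Pharming", 29_703_421, -1_976_030, 25_344, 5_879),
    ("Tech Support", 14_810_080, 7_003_664, 10_949, 99),
    ("Civil Matter", 5_766_550, -51_922_005, 1_057, -13),
    ("Ransomware", 2_344_365, -86_896, 1_783, -1_000),
    ("Crimes Against Children", 46_411, -32_762, 1_300, 70),
]


def avg_loss_per_victim(loss, victims):
    """Average reported loss per complaint in whole dollars (0 when there are no complaints)."""
    return round(loss / victims) if victims else 0


def rank_by_average():
    """Crime types ordered by average loss per victim, highest first: the profitability view."""
    ranked = sorted(ROWS, key=lambda r: avg_loss_per_victim(r[1], r[3]), reverse=True)
    return [(r[0], avg_loss_per_victim(r[1], r[3])) for r in ranked]


def suspicious_shifts(factor=5):
    """Flag types whose average loss per victim moved by more than `factor` year on year.
    2016 values are the 2017 figure minus the reported change. The 5x threshold is an
    assumption: a jump that large with a stable complaint count looks more like a shifted
    digit in the source data than a change in criminal behaviour."""
    flagged = []
    for name, loss17, d_loss, n17, d_n in ROWS:
        a16 = avg_loss_per_victim(loss17 - d_loss, n17 - d_n)
        a17 = avg_loss_per_victim(loss17, n17)
        lo, hi = sorted((a16, a17))
        if lo and hi / lo > factor:
            flagged.append((name, a16, a17))
    return flagged


if __name__ == "__main__":
    for name, avg in rank_by_average():
        print(f"{name:<36} ${avg:>7,}")
    print("Suspicious year-on-year shifts:", suspicious_shifts())
```

Running it reproduces the $43,094 / $31,351 / $16,101 top three from the text and flags only Civil Matter, whose reconstructed 2016 average is roughly ten times its 2017 value.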

Changes to last year by the number of complaints

Sorting the numbers by number of complaints gives a different picture. Most attacks yield far less than the above-mentioned top three; as a matter of fact, the average across all attacks is a bit over $4,500. That said, for the top 3: Non-payment averages the criminal $1,678, personal data breach averages almost $2,500 and Phishing averages a bit over $1,100. It seems the mainstream internet criminal still has an appetite for these mid-level amounts. Maybe their proven ways of laundering the money drive this appetite, or maybe criminals in the B leagues are just content to do it like this.

Rank | 2017 Cyber Crime Type (arrow: 2016 rank) | Nr of victims (change vs 2016) | Loss
1 | Non-Payment/Non-Delivery | 84079 (+3050) | $141,110,441
2 | Personal Data Breach | 30904 (+3331) | $77,134,865
3 | Phishing/Vishing/Smishing/Pharming ↑ (4th) | 25344 (+5879) | $29,703,421
4 | Overpayment ↓ (3rd) | 23135 (-2581) | $53,450,830
5 | No Lead Value ↑ (12th) | 20241 (+6447) | $0
6 | Identity Theft ↑ (7th) | 17636 (+758) | $66,815,298
7 | Advanced Fee ↑ (10th) | 16368 (+1293) | $57,861,324
8 | Harassment/Threats of Violence | 16194 (-191) | $12,569,185
9 | Employment ↓ (5th) | 15784 (-1603) | $38,883,616
10 | BEC/EAC ↑ (16th) | 15690 (+3685) | $676,151,185
11 | Confidence Fraud/Romance | 15372 (+826) | $211,382,989
12 | Credit Card Fraud ↓ (9th) | 15220 (-675) | $57,207,248
13 | Extortion ↓ (6th) | 14938 (-2208) | $15,302,792
14 | Other ↓ (13th) | 14023 (+1404) | $23,853,704
15 | Tech Support ↑ (17th) | 10949 (+99) | $14,810,080
16 | Real Estate/Rental ↓ (14th) | 9645 (-2929) | $56,231,333
17 | Government Impersonation ↓ (15th) | 9149 (-3195) | $12,467,380
18 | Misrepresentation | 5437 (+1) | $14,580,907
19 | Corporate Data Breach ↑ (20th) | 3785 (+382) | $60,942,306
20 | Investment ↑ (24th) | 3089 (+892) | $96,844,144
21 | Malware/Scareware/Virus** | 3089 (+306) | $5,003,434
22 | Lottery/Sweepstakes ↓ (19th) | 3012 (-1219) | $16,835,001
23 | IPR/Copyright and Counterfeit | 2644 (+72) | $5,536,912
24 | Ransomware ↓ (22nd) | 1783 (-1000) | $2,344,365
25 | Crimes Against Children ↑ (26th) | 1300 (+70) | $46,411
26 | Denial of Service/TDoS ↑ (28th) | 1201 (+222) | $1,466,195
27 | Civil Matter | 1057 (-13) | $5,766,550
28 | Re-shipping ↑ (29th) | 1025 (+132) | $809,746
29 | Charity ↑ (30th) | 436 (-1) | $1,405,460
30 | Health Care Related ↑ (31st) | 406 (+37) | $925,849
31 | Gambling ↑ (33rd) | 203 (+66) | $598,853
32 | Terrorism | 177 (-118) | $18,926
33 | Hacktivist ↑ (34th) | 158 (+45) | $20,147

Some final thoughts

From 2016 to 2017, not a lot has changed. Ransomware is not the big criminal money maker people think it is, and 2017 confirms this. Some numbers seem counterintuitive: our observations in our Cyber Defense Center show the number of malware infections steadily increasing, for example. One explanation is that organizations see malware (such as ransomware and crypto miners) as an operational nuisance: they cut their operational losses, but do not pursue the event with law enforcement. Especially in larger organizations, with multiple malware infections per day, this makes sense. Secondly, for attacks like ransomware, the impact is defined more by collateral damage than by what the criminals make.

This said, the highest amounts of money are not stolen with hacking and tools, but with social engineering. The bulk of internet crime was done in a mid-range segment: criminals aiming to rob a few thousand off of you and launder it in traditional ways. BEC was and is the biggest moneymaker. It shows that, despite our efforts to become more resilient, criminals eagerly exploit that which is so difficult to patch: our behavior.

Links

Data sources from FBI IC3. Data compiled from the FBI’s reports by Glenn Fryklund. Analysis by Glenn Fryklund and Eward Driehuis.

7 June 2018

About the Author:

Eward Driehuis
Chief Research Officer, SecureLink Group
