FBI Cites Record High Losses from Cyberattacks

The FBI’s latest Internet Crime Report points to a shifting cyberattack landscape. Complaints to the agency’s Internet Crime Complaint Center (IC3) in 2022 dropped by 5.5%, the first annual decrease in almost a decade.[1],[2] However, losses increased by almost 50% from the previous year, reaching an all-time high of $10.3 billion.

These two figures may appear contradictory, but they showcase an important trend: Cybercriminals are becoming savvier and have the potential to create bigger losses from fewer attacks. In fact, the increasing sophistication of cyber threats was the top challenge cited by security professionals in Mimecast’s State of Email Security 2023 (SOES 2023) report, with 76% projecting that they would suffer a negative business impact from an email-borne attack this year.

Business email compromise (BEC) continues to make up a large percentage of cyber threats in the FBI report. Despite the overall drop in reported incidents, BEC complaints rose 9.4% over the past year and contributed to 27% of all losses covered in the report, costing over $2.7 billion. BEC attacks can take many forms. Businesses must stay alert to stay ahead of sophisticated cybercriminals, like the Massachusetts man sentenced in March 2023 for a BEC scheme using hacked or spoofed email addresses to convince victims to wire hundreds of thousands of dollars to a bank account under his control.[3]

How Cyberattacks Changed in 2022

The FBI’s 2022 report showcases some major changes in cybercrime. Important takeaways from the report include:

• Investment Takes the Top Spot: Investment losses grew 127% between 2021 and 2022, overshadowing BEC attacks for the first time since the Internet Crime Report began aggregating BEC.
• Cryptocurrency Drove Investment Losses: 2022’s record-breaking losses were partially driven by the rise of cryptocurrency investment fraud, which increased by 183% over the previous year and contributed to 78% of total investment fraud losses in 2022.
• The Cost of a Data Breach is on the Rise: 2022’s losses from data breaches cost victims $1.2 billion, an 80% increase over 2021, despite only a 16% increase in complaints over the same period.
• Ransomware on the Decline: Complaints for ransomware attacks decreased for the first time in four years, falling below 2020 levels. Ransomware attacks still led to over $34 million in losses.
• Malware Hits a New Low: Malware, which the FBI defines as malicious software intended to damage, disable, or copy itself onto a computer system, reached a new recent low, continuing a declining trend that started after a spike in 2015. But like the overall trend, these fewer cases still led to a 67% increase in losses from malware attacks over the previous year — costing almost $10 million in 2022.
• Harassment/Stalking Was Tracked: For the first time, the FBI reported on actions that serve no legitimate purpose but to annoy, alarm, or distress a person, causing fear or emotional distress. The complaint count remains relatively low with 11,779 complaints — 13th on the list — but still led to over $5 million in losses.

It’s important to remember that the FBI statistics only include reported crimes, and many cyberattacks go unreported. Therefore, the IC3 data can be a good indicator for larger trends but does not fully reflect the threats businesses face.

Phishing Remains the Largest Threat

Much of 2022’s losses were driven by phishing attacks, a tactic the FBI defines as using emails, texts, or calls that appear to come from a legitimate company requesting personal, financial, and/or login credentials to funnel information to cybercriminals. Phishing is once again the number one cyberattack, with more victims than the next eight leading types combined. According to the SOES 2023 report, 74% of businesses suggest that the volume of email threats in their organization has increased in the last 12 months, and businesses and their staff must remain vigilant or risk becoming part of next year’s victim count.

How to Prevent Becoming a Victim

The FBI report includes updated guidance on ways that businesses and their employees can protect themselves from threats. 

• Never change or make any payments until verifying with the recipient through two- or multi-factor authentication. External means, such as direct calls to known phone numbers — not only numbers included in the email — can also be useful. But be careful, since “spoofing” professional business phone numbers has become more commonplace. 
• Verify email addresses before clicking links or replying with sensitive information on both desktops and mobile devices. Always carefully examine email addresses, URLs, and spelling for any inconsistencies. And even if the email addresses match with official accounts, be cautious of spoofing.
• Keep an offline backup of all data, and update operating systems and software to maintain the latest security standards. 
• Visit www.ic3.gov for the latest information on BEC trends and new fraud schemes.

The SOES 2023 report found that 99% of businesses surveyed provide some form of cyber awareness training to their workforce, but is that training enough? Two out of three respondents concede that their companies need to spend more on cybersecurity, and the FBI recommends implementing user training and phishing exercises to raise risk awareness. 

What Happens After an Attack

When a business discovers a successful cyberattack, the FBI recommends immediately contacting the financial institution holding the account that might be tapped. Quick contact increases the likelihood of a successful recall or reversal of any lost funds and can allow the business to obtain a “hold harmless” letter.

Businesses should also file a detailed complaint with the FBI at www.ic3.gov. Using the information included in these complaints, the IC3 Recovery Asset Team (RAT) has achieved a 73% success rate to date, freezing over $430 million in funds for victims who made transfers to domestic accounts under fraudulent pretenses.

The Bottom Line

The 2022 FBI Internet Crime Report details changing cybersecurity trends, including fewer complaints but record-breaking losses. Driven by cryptocurrency fraud, investment fraud surpassed business email compromise as the costliest crime, but BEC still makes up more than one-quarter of all cybercrime losses. What hasn’t changed is the prevalence of phishing, which maintains its number one spot by victim count. Overall, the findings in the report show that even with fewer complaints, cyber threats still need to be top of mind for businesses amid mounting financial risk. Read Mimecast’s State of Email Security 2023 report for more information on the cybersecurity threats companies are facing and how they are addressing these challenges.

[1] “Internet Crime Complaint Center,” FBI

[2] “Internet Crime Report 2022,” FBI

[3] “Framinghman Man Sentenced in Business Email Compromise Scheme,” United States Attorney’s Office