FBI: Cybercrime Nearly Doubles in 2020, Costing a Record $4.2 Billion
Email phishing and business email compromise top the list, while continued global uncertainties invite future cybercrime increases.
- Email phishing attacks are still the attack vector most favored by criminals, more than doubling year over year.
- Socially engineered COVID-19-related threats specifically targeted remote workers.
- Business email compromise remained the costliest cyber threat — by far — with thieves getting $1.8 billion last year.
In a disturbing sign of the times, the FBI’s annual Internet Crime Report debuted earlier this month showing cyberattacks soared during 2020, from email phishing scams to costly business email compromise attacks.
For nearly 20 years, the FBI’s Internet Crime Complaint Center (IC3) annual report has been regarded as a bellwether for cybersecurity. The 2020 Internet Crime Report reveals that cybercrime complaints nearly doubled: In 2019, the IC3 received 467,361 reports, which skyrocketed to a record-setting 791,790 complaints last year. Email continued to be the dominant point of attack for most fraud and cyberattack attempts, and the report noted some unsettling related trends that cost businesses and individuals billions of dollars.
Cybercriminals Exploited ‘The Year of Social Distancing’
Some of the report’s revelations were not surprising given the new work environment that emerged in 2020. As Mimecast's The Year of Social Distancing report explains, remote working and the increased use of digital tools by employees at home saw threat actors taking aim at those vulnerable targets during the first year of the pandemic. Indeed, according to the Mimecast Threat Intelligence Center, cyberattack volume surged by 48%, with spikes paralleling the surges in infection rates last April and October.
The FBI report underscored that trend, revealing that email phishing attacks continued to be the most popular attack vector for cybercriminals. Such attacks more than doubled last year, from approximately 114,000 email phishing schemes in 2019 to roughly 241,000 such attacks last year.
Renewed socially engineered email phishing attacks last year were designed to defraud users sympathetic to COVID-19 hospitalizations and job loss. Other scams, according to the IC3, pretended to offer information about false virus cures and treatments. Much of this, the FBI said, was aimed at stealing employee credentials.
Email and Collaboration Tools Exposed More Sensitive Information
The trend is doubly concerning, as the Mimecast report points out, because out of necessity companies had to transfer more sensitive information online than ever before. Lockdowns around the world meant that data ranging from competitive analysis to research and development and financial projections—all of which previously might have been discussed in corporate board rooms—was suddenly being shared online using email and new collaboration tools.
And home-bound workers did not use the same cyber hygiene practices in their new remote offices that they would have back at company headquarters. The Mimecast Threat Intelligence team found that people "simply are not as vigilant about cybersecurity when they are home." The Mimecast report discovered that there was a three-fold increase in unsafe clicks (clicks on malicious URLs in emails) by employees worldwide during the year of social distancing.
Business Email Compromise (BEC) Attacks Cost $1.8 billion in 2020
These trends led to record-setting financial damage from cyberattacks. The IC3’s total estimate of losses to businesses and individuals was $4.2 billion in 2020; of that total, the most financial damage was caused by business email compromise (BEC) attacks, which accounted for a whopping $1.8 billion.
BEC cybercrimes expanded in 2020 from impersonating internal corporate officers to leveraging compromised suppliers, customers and law firms. Stolen funds obtained this way, according to the FBI, were funneled increasingly into cryptocurrency, making recovery extremely difficult. And BEC was efficient and profitable for criminals. Consider that just over 19,000 BEC attacks netted thieves that $1.8 billion while it took over 241,000 email phishing attacks to generate $54 million in stolen funds.
Email Is Still the Cybercrime Gateway
The principal lesson from the IC3 report is that email continues to be the most popular target for cybercriminals. Email phishing attacks, for example, are often just the entree to more sophisticated and damaging BEC scams. And with more employees at home, attackers have stepped up the volume of attacks.
Further, while the IC3 report is an important benchmark, it may represent only a fraction of the real threat, since it covers only incidents reported directly to the FBI's IC3 center. Some extensive attacks, such as the recent headline-making zero-day attacks, may go undetected and underreported. Nation-state backed cyber campaigns also can inflict more damage in terms of intellectual property theft and loss of reputation.
Threat Intelligence Center Advises Constant Vigilance
What does year two of the pandemic hold? The Mimecast Threat Intelligence team has assessed the likelihood of threat actors continuing to exploit the unsettled work situation at 95%, or "very likely." Not only will remote workers continue to be targets, but so will employees returning to offices where they face new protocols and stressful situations. So, while the world must continue to remain vigilant in addressing the global pandemic, it's clear we'll have to be just as vigilant deterring the waves of cybersecurity threats to come.
The Bottom Line
The FBI’s annual Internet Crime Report confirms how cybercrime soared in 2020, riding the back of the COVID-19 pandemic. Email phishing remained the most popular entryway for cyberattacks, while business email compromise expanded beyond internal corporate targets into companies’ supply chains and continues to be the costliest form of cyberattack. Meanwhile, Mimecast’s Threat Intelligence Center warns businesses to remain ever-vigilant, as even the return of workers to offices is likely to create new unsettling situations for cybercriminals to exploit.