FBI Reveals Alarming Rise in Cost of Cyberattacks

The little bit of good news in the FBI’s recently released Internet Crime Report for 2021 is that the number of complaints filed last year increased only 7% over the previous year.^[1] This is the first time in four  years that cyberattacks reported to the FBI rose merely by single percentage points. 

The bad news: Potential losses from those attacks spiked 64% to $6.9 billion, the biggest increase since 2018. So, while complaints rose modestly, the costs of attacks jumped dramatically. 

Consistent with the trends identified in the FBI’s report on 2020 complaint levels, phishing, and variants such as smishing and vishing, were the leading threat vectors in 2021, rising 34% annually to nearly 324,000 incidents and racking up losses of $44.2 million. 

Business email compromise and email account compromise complaints were smaller in aggregate number than phishing, but larger in impact. Nearly 20,000 BEC/EAC complaints accounted for $2.4 billion in losses, slightly more than a third of the total losses tallied by the FBI across the full range of cyberattacks. (Note that the FBI includes some defrauded individuals’ transactions, known as EAC, in the predominantly business-targeted BEC statistics.)

Overall, the FBI’s recap for 2021 paints a picture of heightened attention among businesses and consumers to an “urgent need” for cyber incident reporting to federal authorities. In addition to phishing and BEC, the threats tracked by the FBI include ransomware, tech support fraud, and identity theft, all of which grew in number. 

Email Remains #1 Threat

With phishing the top threat by sheer number, and BEC the loss leader by dollar value, email-related scams and compromises are far and away the most serious cybercrimes in the FBI’s analysis. Those findings are consistent with the U.K. government’s Cyber Security Breaches Survey 2022, in which phishing attacks were experienced by 83% of businesses that reported some form of cyberattack in the preceding 12 months.^[2]

Not surprisingly, BEC schemes continue to evolve as cybercriminals adjust their tactics in the cat-and-mouse game of email authenticity. They’re now using virtual meeting platforms, which rose in popularity with the work-from-home trend of the past two years, to hack emails and initiate fraudulent wire transfers. 

And they’re going to new and creative lengths in virtual meetings. One tactic is to spoof the email account of a CEO or CFO to invite employees to the meeting, “attending” with deep fake images and audio to request that employees make a wire transfer. 

Such social engineering techniques are consistent with the findings of Mimecast’s State of Email Security 2022 survey, which reports that the volume of email threats increased for the majority of organizations in 2021. In the Mimecast survey, 92% of respondents indicated they had seen attempted BEC and impersonation attacks during that time. 

Following the release of the Internet Crime Report, the FBI published a more comprehensive calculation of BEC costs in recent years, which included other law enforcement agencies’ reports and filings by financial institutions. In an alert released in early May, the FBI cited over 240,00 attempted BEC attacks, totaling $43 billion in actual and prevented losses from June 2016 to December 2021.^[3] 

Cryptocurrency, due to its characteristic anonymity, is increasingly among the financial assets targeted by email scam artists, accounting for $40 million in actual and prevented losses last year. That’s about four times more than the previous year, a trend that is only likely to get worse. The FBI’s Internet Crime Complaint Center (IC3) expects BEC-related crypto losses “to continue growing in the coming years”. 

Virtual Meeting Platforms Draw Attacks

It’s no coincidence that BEC rose in lockstep with the widening use of collaboration platforms such as Slack and Microsoft Teams during the pandemic. In fact, a few weeks prior to publishing the Internet Crime Report this year, the FBI issued an alert on the rise of BEC associated with these virtual meeting platforms.^[4] 

In addition to spoofing executive leaders, as mentioned above, the shady techniques employed by cybercriminals include surreptitiously logging into workplace meetings to steal business information. 

Here too, the Mimecast report reinforces the FBI’s warnings. Mimecast’s State of Email Security survey found that 76% of organizations are susceptible to cyberthreats related to the use of collaboration tools such as Slack, Zoom, or Microsoft Teams. The findings drive home the need for organizations to bolster cybersecurity across the board, including better systems and training to prevent employees from making mistakes.

Ransomware Targets Critical Infrastructure

Ransomware attacks continued to be a serious matter in 2021, with over 3,700 complaints to the FBI and adjusted losses of $49.2 million. And that may be just the tip of the iceberg. “In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate,” the FBI notes. 

The top three ransomware infection methods were phishing emails, Remote Desktop Protocol (RDP) exploits, and software vulnerabilities. The FBI attributed the increase in ransomware, in part, to the way a company’s attack surface expands when employees work from home, making it difficult for network security personnel to keep up with patching and other protective measures. 

Notably, in June 2021, the FBI began tracking ransomware incidents specific to 16 areas of critical infrastructure. Those hit hardest were healthcare and public health (148 reported incidents), financial services (89), IT (74), critical manufacturing (65), and government facilities (60). 

The top three ransomware variants used to target critical infrastructure were Conti, Lockbit, and REvil/Sodinokibi. The outlook for getting the problem under control is not favorable: “IC3 anticipates an increase in critical infrastructure victimization in 2022.” 

Related to this, Mimecast’s State of Email Security survey found a correlation between organizations that have been exposed to ransomware while also witnessing an increase in email threats. 

Fortunately, businesses may be able to lessen the risk: “It is fair to assume that if organizations are able to strengthen their email security, then they should be reducing their likelihood of falling victim to a successful ransomware attack,” the State of Email Security report concluded. 

Implementing a ‘Kill Chain’

The FBI showed progress disrupting the flow of money when transactions are initiated under fraudulent pretenses. Since it was launched in 2018, IC3’s Recovery Asset Team has claimed a 74% success rate when intervening to freeze funds. In response to 1,726 incidents, the team has engaged financial institutions to interrupt $328 million in illicit transfers during that period.

The Recovery Asset Team works with financial institutions to recall or reverse suspicious transactions in a process known as a kill chain. In one example of how that played out, a road commission contacted IC3 about a $1.5 million wire transfer to a fraudulent U.S. bank account. The funds had been moved to so-called “second hop” accounts to obfuscate the recipient. In this case, the funds were recovered. 

What Can Organizations Do? 

The FBI offers guidance on preventing and remediating scams and fraudulent transactions, including these BEC tips: 

• Never make payment changes without verifying email addresses.
• Contact the originating financial institution immediately as soon as payment fraud is recognized.
• File a complaint with the FBI that includes bank information.

Mimecast’s State of Email Security report also recommends fixing other potential vulnerabilities that may expose organizations to the kinds of threats described by the FBI. For example, 83% of survey respondents indicated some level of risk associated with poor password hygiene, and 81% cited the risky use of personal email in the workplace. 

The Bottom Line

In summary, the FBI report is a mixed bag. There were fewer complaints in a number of key areas, including corporate data breaches and denial of service attacks. But growing incidents in BEC, phishing, identity theft, and ransomware provide stark evidence that much work remains to be done to reinforce organizations’ cyber defenses. Dive deeper into the State of Email Security 2022 report for more findings on what companies are facing and how they are responding.

^[1] Internet Crime Report 2021, FBI

^[2] Cyber Security Breaches Survey 2022, U.K. Department for Digital, Culture, Media & Sport

^[3] “Business Email Compromise: The $43 Billion Scam,” FBI

^[4] “Business Email Compromise: Virtual Meeting Platforms,” FBI