Cyber-Crime is on the Rise!
As part of its annual routine, the FBI’s Internet Crime Complaint Center (IC3) released on June 21st 2017 its 2016 Internet Crime Report, describing the numbers and types of cyber-crimes reported to IC3. The report shows that during 2016, the IC3 received a total of 298,728 complaints with reported losses in excess of $1.3 billion. The report also shows that Business Email Compromise (BEC), ransomware attacks, tech support fraud, and extortion were the most common attack methods used in the U.S. and around the world. The FBI believes that these numbers are much higher due to the fact that citizens prefer to not report attacks, because the information reported becomes public after filing the complaint with the FBI.
The IC3 was established in May 2000 as a center to receive complaints of internet crime, since then it has received about 4 million complaints on a variety of Internet scams and crimes.
As we have seen in the past couple of years, Cyber-criminals have focused on advancing and sophisticating their attack methods and dynamically adapting to the shifts in security awareness and the improvement of security solutions. Even though the cyber criminals still have the same objectives; to extract valuable information, reach personal data and steal money. IC3’s report provided us with a perspective regarding the trending methods utilized in 2016:
- Business Email Compromise (BEC): A targeted and semi-sophisticated attack method using either Spear Phishing or Whaling attacks to reach high-ranking employees or personnel with privileged capabilities including the end goal of fooling them into transferring money. This sort of attack requires the criminal to perform reconnaissance regarding its target. In 2016, the IC3 received 12,005 complaints regarding phishing attacks, including losses of over $360 million.
- Ransomware: A form of targeted attack or sporadic campaign that consists of malware which intends to deny the availability of data or resources through encryption. The main method used to deliver this attack is through the use of Email. In 2016, the IC3 received 2,673 complaints identified as ransomware with losses of over $2.4 million, but another report by the FBI on April 2016 stated that during the first three months of 2016, cybercriminals had already extorted $209 million from businesses, hence the possibility of an actual $1 billion loss over the whole year.
- Tech Support Fraud: This masquerading fraud is typically used to lure victims into contacting the attacker that falsely associates himself with a computer software company or a security firm, offering technical support with the purpose obtaining remote access to the target’s network. The leading methods used by the attackers implementing this type of fraud are by developing malicious websites and paying for them to appear on the top search results when victims search online or by relying on URL Hijacking / Typosquatting, which redirects victims to the attacker’s website. In 2016, the IC3 received 10,850 tech support fraud complaints with losses in excess of $7.8 million. While the majority of tech support fraud victims are from the U.S., the fraud was reported by victims in 78 different countries.
- Extortion: An incident when a cyber-criminal demands something of value from a victim by threatening them with physical or financial harm or the release of sensitive data. Extortion is often used in various schemes reported to the IC3; including Denial of Service attacks, hitman schemes, sextortion, Government impersonation schemes, loan schemes, and high-profile data breaches. During 2016, the IC3 received 17,146 extortion-related complaints with adjusted losses of over $15 million.
As elaborated by the FBI, the findings in this report are based on the numbers provided through complaints to the IC3, it is believed that the numbers are much higher than the ones provided in the report. Organizations must validate their cyber security posture frequently, and adjust to new attack trends with greater responsiveness.
- Perform periodic reviews of your organization’s architecture.
- Upgrade outdated or vulnerable hardware and firmware.
- Utilize security solutions relevant to the organization’s size and operations.
- Educate your employees and raise their awareness to current attack methods.
- Test your organization’s security posture resilience to advanced attacks through different vectors.
- Perform drills with employees through phishing campaigns and train Security and IT personnel on the steps to take while under attack.