Schemes, Data Breaches & Phishing Top FBI’s Internet Crime Report
According to the FBI, credit card fraud ranks 12th on the list.
The top three crimes reported last year were non-payment/non-delivery, personal data breaches, and phishing, according to the FBI’s Internet Crime Complaint Center (IC3) 2017 Internet Crime Report, which highlighted scams trending online.
The top five crimes by number of victims: non-payment/non-delivery, 84,079; personal data breach, 30,904; phishing/vishing/smishing/pharming, 25,344; overpayment, 23,135; no lead value, 20,241; and identity theft, 17,636.
In non-payment situations, goods and services are shipped but payment is never received. In non-delivery situations, payment is sent but the goods and services are never received. No lead value refers to incomplete complaints that do not allow determination of a specific crime type. Credit card fraud, with 15,220 victims, ranked 12th on the list.
“The 2017 Internet Crime Report emphasizes the IC3’s efforts in monitoring trending scams such as business email compromise, ransomware, tech support fraud, and extortion,” Scott S. Smith, assistant director, Cyber Division, FBI, said in the introduction. He added that in 2017, IC3 received a total of 301,580 complaints with reported losses exceeding $1.4 billion.
The hot topics for 2017 included business email compromise (BEC), a sophisticated scam targeting businesses that often work with foreign suppliers and/or businesses and regularly perform wire transfer payments. The email account compromise (EAC) variation of BEC targets individuals who regularly perform wire transfer payments.
While most BEC and EAC victims reported using wire transfers as their regular method of transferring business funds, some victims reported using checks. Scams typically involved one or more fraudsters, who compromised legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
BEC and EAC constantly evolve as scammers become more sophisticated. In 2013, victims indicated the hacking or spoofing of email accounts of CEOs and CFOs. In 2014, victims reported compromised personal email accounts. In 2015, victims reported contact by subjects posing as lawyers; in 2016, the scam evolved to include the compromise of legitimate business email accounts and fraudulent requests for personally identifiable information or wage and tax statements. In 2017, scammers targeted the real estate sector.
BEC and EAC victims, who often become linked to other forms of fraud such as romance, lottery, employment, and rental scams, are usually U.S.-based. The IC3 received 15,690 BEC/EAC complaints with adjusted losses of over $675 million.
Another hot topic, tech support fraud, has many variations. It is a widespread scam in which criminals claim to provide customer, security, or technical support to defraud unsuspecting individuals and gain access to the individuals’ devices. For example, in addition to telephone calls, pop-up and locked screens, search engine advertising, and URL hijacking/typosquatting, criminals now use phishing emails with malicious links or fraudulent account charges to lure their victims.
Some recent complaints involved criminals posing as technical support representatives for income tax assistance, GPS, printer, or cable companies, or support for virtual currency exchanges. In some variations, criminals posed as government agents who offered to recover losses related to tech support fraud schemes or requested financial assistance with “apprehending” criminals.
Ransomware is a form of malware that targets both human and technical weaknesses to make critical data and/or systems inaccessible. It is delivered through phishing and various other vectors, including Remote Desktop Protocol. Recent iterations target specific organizations and their employees, making awareness and training a critical preventative measure. The FBI does not support paying a ransom to the adversary. Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations never received the decryption keys after having paid a ransom.
Extortion occurs in various schemes reported to the IC3, including denial of service attacks, hitman schemes, sextortion, government impersonation schemes, loan schemes, and high-profile data breaches. Virtual currency, the commonly demanded payment mechanism, provided the criminal an additional layer of anonymity when perpetrating these schemes.