FBI says business email compromise leads 2019 cybercrime stats, $3.5 billion loss

According to a recent article in Health IT Security by Jessica Davis, the FBI’s 2019 Internet Crime Report estimates that cybercrime cost individuals and US businesses $3.5 billion in losses last year. Published by the FBI Internet Crime Complaint Center (IC3), it notes that the most expensive complaints were the result of business email compromise.

IC3 received 467,361 complaints in 2019, up from its average of 340,000 that it receives each year. On average, nearly 1,300 complaints rolled in every day. The most frequently reported complaints were phishing and similar ploys, non-payment/non-delivery scams. The most costly exposures involved business email compromise, spoofing, or mimicking the account of a person or vendor known to the victim to gather personal or financial information.

New tactics rather than new scams

Donna Gregory, the chief of the FBI’s IC3 says that 2019 did not indicate an uptick in new types of fraud, but rather, saw criminals deploying new tactics and techniques to carry out existing scams.

“Criminals are getting so sophisticated,” she says. “It is getting harder and harder for victims to spot the red flags and tell the real from fake.”

For years, business email compromise (BEC), or email account compromise, has been a major concern for the FBI, as well as the healthcare and financial services industries. In 2019, IC3 recorded 23,775 complaints about BEC, which resulted in more than $1.7 billion in losses.

These scams typically involve a criminal spoofing or mimicking a legitimate email address. An individual receives a message that appears to be from an executive within their company or a business with which an individual has a relationship. In this “executive impersonation,” the email will request a payment, wire transfer, or gift card purchase that seems legitimate but actually funnels money directly to a criminal.

In the last year, IC3 reported seeing an increase in the number of BEC complaints related to the diversion of payroll funds. “In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period,” the report said. The change instead routes an employee’s paycheck to a criminal.

The Importance of Reporting

“Information reported to the IC3 plays a vital role in the FBI’s ability to understand our cyber adversaries and their motives,” says Matt Gorham, assistant director of the FBI’s Cyber Division. This, “in turn, helps us to impose risks and consequences on those who break our laws and threaten our national security. It is through these efforts we hope to build a safer and more secure cyber landscape.”

Gorham encourages everyone to use IC3 and reach out to their local field office to report malicious activity. 

Rapid reporting can help law enforcement stop fraudulent transactions before a victim loses the money for good. The FBI’s Recovery Asset Team was created to streamline communication with financial institutions and FBI field offices and is continuing to build on its success. The team successfully recovered more than $300 million for victims in 2019.

Besides stressing vigilance on the part of every connected citizen, the IC3’s Gregory also emphasizes the importance of victims providing as much information as possible when they come to IC3. Victims should include every piece of information they have—any email addresses, account information they were given, phone numbers scammers called from, and other details. The more information IC3 can gather, the more it helps combat the criminals.

In 2019, the Recovery Asset Team paired with the Money Mule Team (which tracks those helping cybercriminals launder cash) under the IC3’s Recovery and Investigative Development Team. This effort brings together law enforcement and financial institutions to use the data provided in IC3 complaints to gain a better view of the networks and methods of cyber fraudsters and identify the perpetrators.

The new effort allowed IC3 to aggregate more than three years of reports to help build a case against an active group of criminals who were responsible for damaging crimes that ranged from cryptocurrency theft to online extortion. The ensuing investigation by the FBI’s San Francisco Field Office resulted in the arrest of three people.

Since its foundation in May 2000, the IC3 has received more than 1,200 complaints each day for the last five years, or a total of 4.88 million in the last decade. The total number of recorded losses for the previous five years was $10.2 billion.

The FBI noted that despite increased awareness around the country, cybercrime continues to boom, given that hackers are improving upon previously successful campaigns with new techniques and tactics.

Email continues to be a common entry point, but these fraud attempts are also being launched through text messages or even fake websites.

What are healthcare compliance professionals to do?

Pay attention, of course. A vigilant, well-run compliance system can spot irregularities and give an attentive compliance team a chance to nip exposures before they get out of hand. Patrina can help, especially when it comes to email compliance. We’ve built our business based on helping organizations keep track of “bad apples,” and stay on the “straight and narrow” efficiently and cost-effectively. So, let’s talk. Call 212-233-1155 to ask about Patrina’s cost-effective systems specifically designed for the healthcare, insurance, and financial services community. Be smart. Be covered. Let’s talk.