While it should come as no surprise that cybercrime broke pretty much every record in 2021, the actual numbers behind the crimes are quite revealing.
The FBI’s Internet Crime Complaint Center (IC3) has released its annual report, providing the public with specific details on how cybercrime has evolved in the last five years, what threats were the most persistent, and what groups were the most targeted, along with a flurry of other information and statistics.
Let’s take a look at some of the highlights from the report.
The first section of the report provides an overview of what cybercrime has looked like in the last five years. It says that over that time period, the IC3 received an average of 552,000 complaints per year. The chart below shows how this number has increased:
As for the most popular types of crime, phishing related attacks led the way by a significant margin:
Despite ransomware grabbing all the headlines in 2021, the report claims that BEC crimes had the most impact.
According to the IC3, in 2021 it received 19,954 Business Email Compromise (BEC) or Email Account Compromise (EAC) complaints, with adjusted losses at nearly $2.4 billion.
It discusses how BEC attacks have changed over the years:
“As fraudsters have become more sophisticated and preventative measures have been put in place, the BEC/EAC scheme has continually evolved in kind. The scheme has evolved from simple hacking or spoofing of business and personal email accounts and a request to send wire payments to fraudulent bank accounts. These schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
Now, fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.”
The report also points to the pandemic and shift to remote work as being a large contributor to the increase in BEC crimes.
The IC3 reports that ransomware numbers were significantly lower than BEC schemes. It received only 3,729 complaints identified as ransomware, with adjusted losses of more than $49.2 million.
Though these numbers are shockingly low, they are also probably inaccurate, as many ransomware incidents go unreported as executives often try to keep this information as lowkey as possible.
The IC3 discusses ransomware in 2021:
“Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. Although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails,
Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents reported to the IC3. Once a ransomware threat actor has gained code execution on a device or network access, they can deploy ransomware.
Note: these infection vectors likely remain popular because of the increased use of remote work and schooling starting in 2020 and continuing through 2021. This increase expanded the remote attack surface and left network defenders struggling to keep pace with routine software patching.”
In June 2021, the IC3 began tracking ransomware attacks that targeted critical infrastructure organizations. With the SolarWinds and Colonial Pipeline incidents occurring earlier in the year, this was certainly a well-timed decision.
The IC3 received 649 complaints that indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack. Of the 16 critical infrastructure sectors in the United States, 14 had at least one member fall victim to a ransomware attack in 2021. The following chart breaks down the number of ransomware attacks on critical infrastructure sectors:
The report also includes a breakdown of the three most prevalent cyber gangs that targeted critical infrastructure:
The IC3 says it anticipates an increase in critical infrastructure victimization in 2022.
Check out the rest of the FBI’s Internet Crime Report 2021. And don’t forget to register for an upcoming SecureWorld event, as we are back meeting in-person at our regional cybersecurity conferences!