Cybercrime Was a $10.2 Billion ‘Business’ in 2022

Cybercriminals fleeced Americans off a whopping $10.2 billion in 2022, up 47.82% from $6.9 billion in 2021. This is not an easy feat, especially considering complaints fell 5% compared to the previous year.

According to the FBI’s Internet Crime Report 2022, the federal agency’s Internet Crime Complaint Center (IC3) received 800,944 complaints throughout 2022 — the previous five-year average for complaints received stands at 652,000 per year.

“The amount of money lost to online scams has continued to increase for decades and shows no signs of reducing anytime soon,” Roger Grimes, data-driven defense evangelist at KnowBe4, told Spiceworks.

Cybercriminal Complaints and Losses over the Last Five Years (IC3 Data)

Investment fraud

The $3.3 billion bump in losses to cybercrime is mainly attributed to the 127% rise in investment fraud complaints ($1.45 billion in 2021 to $3.31 billion in 2022). The prime mover under investment fraud seems to be cryptocurrency-related investment fraud, which surged at a rate of 183% from $907 million in 2021 to $2.57 billion in 2022.

Liquidity mining, hacked social media accounts, celebrity impersonation, real estate, and employment scams are also contributing factors.

Notably, investment scams took over business email compromise as the most reported cybercrime.

Business email compromise (BEC)

BEC scams contributed $2.7 billion. “We saw a 182% increase in BEC attacks between Q1 2022 and Q1 2023. The attack is extremely difficult for traditional email security platforms to detect, as the email is sent from a legitimate account. This, of course, makes it very lucrative for attackers, as the success rate is very high, and with it, the payoff,” Dror Liwer, co-founder of Coro, told Spiceworks.

“Siloed cybersecurity can’t deal with a multi-vectored attack. When one tool deals with user authentication, and another with email content inspection, we get cybersecurity blind spots that attackers exploit.”

See More: Security in an Increasingly Distributed-Workforce World

Ransomware

Meanwhile, American organizations registered $34.3 million in losses (2,385 complaints) from ransomware attacks, a tad on the lower side considering ransomware gangs wreaked havoc across industries consistently. “While the number of reported ransomware incidents has decreased, we know not everyone who has experienced a ransomware incident has reported to the IC3,” the FBI IC3 report reads.

“It has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement. By reporting the incident, the FBI may be able to provide information on decryption, recover stolen data, possible seizure/recovery of ransom payments, and gain insight on adversary tactics. Ultimately, the information you provide will lead us to bring the perpetrators to justice.”

Of the complaints received by the FBI, 870 were touted to be from organizations in the critical infrastructure sectors. Of the 16 critical infrastructure sectors, IC3’s report data indicate 14 sectors had at least one member victimized by a ransomware attack in 2022.

Infrastructure Sectors Victimized by Ransomware (FBI IC3 Data)

“Healthcare is always the number one target,” Xavier Bellekens, CEO of Lupovis, told Spiceworks. “However, one interesting area that we are also seeing is criminals launching attacks from their networks they compromise as well. This means criminals not only attack a victim, but they also use their network presence to launch attacks on other victims as well. Which essentially means they are rinsing targets dry before moving on to the next.”

“With industrial organizations being such a prime target today, these businesses must do more to protect their assets. We often see OT networks being connected directly up to the web, which is a critical red flag that must stop. When it comes to industrial cybersecurity, organizations must rely on segmentation, threat monitoring, vulnerability management and visibility to improve their defences.”

Lockbit (149), ALPHV/Blackcat (114) and Hive (87) ransomware gangs were responsible for the most number of incidents against critical infrastructure.

See More: Information Stealing and Digital Extortion: Why Criminals Attack for Future Use

Call center fraud

The fourth most prevalent online scam pertains to illegal call centers, accounting for more than $1 billion in losses. Two major frauds, i.e., tech/customer support and government impersonation, make up the most number of call center frauds, with the elderly being the preferred targets.

Individuals over 60 made up nearly half (46%) of fraud reports and 69% of losses from call center fraud ($724 million).

Call Center Fraud Data by Age (FBI IC3 Data)

Those aged over 60 were victims of not only call center frauds but also all types of cybercriminal activity (refer to the table below).

Julia O’Toole, CEO of MyCena Security Solutions, told Spiceworks that 82% of breaches originate internally through logins. As such, they remain undetected by threat intelligence and tools. “This highlights organizations’ access as today’s weakest security link, which is a problem they can solve internally,” O’Toole said.

“This problem started when allowing employees to make their own passwords and keys to access the infrastructure, something that would never happen on a physical site. By transferring the command and control of access to each of the employees, they lose data access control and have no idea when a password is phished, social engineered, shared, sold or reused in personal accounts. Then multiply this problem by the number of employees.”

“The loss of access control cannot be solved with Privileged Access and Single Sign-On as it is still employee-made master passwords or biometrics, which can be used by criminals to log in. These tools simply remove defence access layers, which crucially decreases cyber-resilience. They remove access segmentation within these critical networks, which is akin to building a fence around a nuclear plant in the physical world but leaving everything inside open plan.”

O’Toole reiterated Bellenkens and said segmentation and encryption management should be instituted to prevent unauthorized access.

Moreover, Grimes highlighted the importance of the people that make up organizations and the need to train them. “We know that 70%-90% of all cybercrimes are conducted by social engineers, and simply educating people to recognize the signs of a scam is the single best way to prevent scams out of everything you could possibly do,” Grimes said.

“Everyone should be educated about the most common types of scams, how to spot them, how to defeat them, and how to appropriately report them. And everyone should be taught to be proactively skeptical of any request, no matter how it arrives (be it, email, chat, SMS, social media, a phone call, or in person), if it arrives unexpectedly and is asking the receiver to do something they have never done before for that requestor.”

“Any message with these two traits is a high-risk message and the desired request should be confirmed as legitimate, using some alternate method (such as calling the real requestor or visiting the legitimate website) before performing the requested actions. If everyone could be made a default skeptic of any message with those two traits (i.e., it arrives unexpectedly and it asks the receiver to do something new for that receiver), it would go a long way to mitigating online scams.”

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Image source: Shutterstock

MORE ON CYBERCRIME

• Data Exfiltration: What Is It, and Three Ways to Prevent It
• Malware Distribution via YouTube Videos Up 300%
• Cyber War: A Stealthy Contest
• Can Tech Layoffs Increase Insider Threats?