Cyber-scams cost victims around the globe at least $6.9 billion last year, according to the FBI’s latest Internet Crime Report.

Since 2017, the bureau’s Internet Crime Complaint Center (IC3) received an average of 552,000 complaints per year. This includes reports of extortion, identity theft, phishing, fraud, and a slew of other nefarious schemes that cost victims no less than $18.7 billion in losses over the five-year period. 

Unsurprisingly, the volume of these crimes — and the related costs — has grown every year; 2021 set records [PDF] for the total number of complaints (847,376) as well as for losses, which exceeded $6.9 billion, a jump from the $4.2 billion reported a year earlier.

As in earlier years, phishing attacks were by far the most commonly reported crimes, with 323,972 last year. A subset of this category, business email compromise (BEC), is proving very lucrative and cost almost $2.4 billion across 19,954 victims, according to the Feds.

BEC involves a cyber-criminal compromising a legitimate email account, and then tricking a business or individual into transferring funds, sending employees’ personal data or tax-related W2 forms, or unlocking cryptocurrency wallets. The fraudster then steals the cash, drains the crypto wallet and/or sells employees’ identities and credentials on the dark web.

FBI reinforces need to check for BEC

In a related public-service announcement, also shared this week, the FBI revealed that BEC fraud cost organizations and individuals at least $43.3 billion between June 2016 and December 2021.

BEC “continues to grow and evolve, targeting small local businesses to larger corporations, and personal transactions,” the FBI warned, adding that between July 2019 and December 2021, the IC3 tracked a 65 percent increase in identified global exposed losses, with victims in 177 countries. 

Part of the reason for this, along with virtually all other evils during this time period, was the COVID-19 pandemic and resulting move to all-virtual everything, according to the FBI.

Crypto, ransomware spike

Losses related to cryptocurrency crime also spiked last year, increasing almost seven-fold from $246.2 million in 2020 to more than $1.6 billion in 2021, the IC3 report said. However, while the cost associated with these crimes grew, the number of complaints decreased slightly from 35,229 victims in 2020 to 34,202 in 2021. 

“It is extremely pervasive in investment scams, where losses can reach into the hundreds of thousands of dollars per victim,” the feds wrote. And in addition to the FBI turning a more watchful eye to crypto crimes, the US Securities and Exchange Commission this week announced that it is nearly doubling the number of positions in a special unit that polices cryptocurrency fraud and other cyber-crimes.

Ransomware continued to evolve in 2021, and the IC3 received 3,729 complaints identified as ransomware last year, although presumably many more went unreported. Adjusted losses for this crime category surpassed $49.2 million, compared to about $30 million in 2020, the report states, but adds those figures only cover ransoms victims admitted paying out, not the costs of fixing borked systems. 

“Although cyber criminals use a variety of techniques to infect victims with ransomware, phishing emails, Remote Desktop Protocol (RDP) exploitation, and exploitation of software vulnerabilities remained the top three initial infection vectors for ransomware incidents reported to the IC3,” the report noted. 

The agency for the first time in June 2021 began tracking reported ransomware incidents in which the victim was a critical infrastructure owner or operator, and received 649 such complaints.

It tracks 16 critical infrastructure sectors and noted that 14 of these had at least one organization fall victim to a ransomware attack last year. Health care, financial services, and IT firms were the most frequent victims, and the IC3 anticipates an increase in these attacks against critical infrastructure in 2022.

Of the known ransomware variants reported to IC3, the three top variants deployed against critical infrastructure companies were Conti (87), LockBit (58) and REvil/Sodinokibi (51).