The Federal Bureau of Investigation (FBI) and its Internet Crime Complaint Center (IC3) have just published their 2022 Internet Crime Report. As expected, the annual report, like 2021's, warns about the serious threat of Business Email Compromise (BEC), but it also reveals the growth of investment scams, whose losses exceeded BEC losses in 2022. The key findings in the IC3 2022 Report include the following:
- Phishing is still the number one reported cybercrime.
- Investment scams resulted in $3.3 billion in losses in 2022. These are typically cryptocurrency-themed and delivered mostly via SMS. The FBI calls it “Pig Butchering.”
- Business Email Compromise (BEC) continued to grow, with victims’ losses reaching $2.7 billion, up from 2021’s reported $2.4 billion.
Victim Losses Significantly Rising Relative to Complaints
In the report, the IC3 shows that losses have significantly risen over the last two years from $6.9 billion in 2021 to $10.3 billion in 2022. Overall complaints have been increasing at a slower pace, still averaging 652,000 complaints per year over the last five years.
Directly from FBI IC3 Report: Chart includes yearly and aggregate data for complaints and losses over the years 2018 to 2022. Over this time, the IC3 received 3.26 million complaints, reporting a loss of $27.6 billion. *See the IC3 report for more information regarding IC3 data.
Investment Scams Top Annual Losses at $3.3 Billion
Investment scams, which are a multi-channel problem, topped the annual losses at over $3.3 billion in 2022. At the end of the year, the FBI reported that crypto scams, called “pig butchering,” were sweeping the US, so it’s not a surprise to see investment scams resulting in the costliest scams in 2022. Investment fraud complaints increased 127% and crypto scams rose 183% over 2021.
Crypto scams take place outside of email, starting on dating or social media apps. These scams are well scripted and require multiple touch points to build trust and rapport. The victim is encouraged to invest in high-yielding crypto funds. The name “pig butchering” comes from the practice of fattening up pigs before they go to market. In this case, the pig is the victim, who invests more and more money in the fraudulent fund until the cybercriminal steals the funds and disappears.
Business Email Compromise (BEC) Continues to Grow at a Staggering Rate
Let’s look at the BEC segment through the eyes of the FBI’s IC3 organization. According to the report, in 2022, the IC3 received 21,832 BEC complaints with adjusted losses of over $2.7 billion. Business Email Compromise scams target both businesses and individuals performing transfers of funds. The IC3 notes that these scams are often carried out when a bad actor compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Directly from FBI IC3 Report: *In regard to ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services that were acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. The number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.
BEC Losses Exceeded $2.7 Billion and Continue to Rise
A mounting number of BEC scams occur at companies of all sizes. In the IC3 table shown above, which lists crime types sorted by the amount of money lost in 2022, BEC sits at No. 2 with losses of over $2.7 billion, second only to investment crimes totaling $3.3 billion.
As threat actors become more sophisticated, BEC has continually evolved. According to the report, these “schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.” The report adds that more recently, cyber criminals are more often using custodial accounts held at financial institutions for cryptocurrency exchanges, or having victims send funds directly to cryptocurrency platforms where funds are quickly dispersed.
In 2022, the IC3 also saw an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims.
Here are a couple of examples shown in the report:
“In September 2022, the IC3 received a complaint filed by a victim in the Seattle area of a BEC who intended a wire of $650 thousand be sent to an investor, not realizing their email account was intercepted by a hacker supplying fraudulent bank account instructions.
“In July 2022, the IC3 received notice of a complaint filed by an attorney to help on behalf of his clients who were buying a property. They had received a spoofed email from their “fake” realtor instructing them to wire $400 thousand to a financial institution for an escrow payment. The wire instructions came from a spoofed email.”
Phishing and BEC Make the Top 10 “Most Popular” Crime Type List
If we step back and look at the most popular crime types in 2022, you’ll see that phishing, per se, and BEC are positioned in the top 10 with phishing affecting over 300 thousand victims and BEC affecting almost 22 thousand.
For more information about other types of crimes, including ransomware, and charts covering victims by age group, countries, states, complaints, overall statistics, and more, you can read the full report here.
We’re focusing more on BEC attacks in this blog since they have become one of the most sophisticated attack types and are a top threat evading email security solutions, leading to business disruption, financial loss and loss of customer trust. It’s a fact that 80 percent of phishing attacks lead to breaches with email as a target of choice.
We want to make sure you don’t become an FBI IC3 metric; look at our SlashNext Integrated Cloud Email solution and learn about BEC and other types of common phishing attacks that are seen regularly.
Watch a quick video demonstration, schedule a one-on-one demo with one of our security experts, or see where your current security defenses stand today, what threats are missed, and how you can improve your security readiness by plugging into SlashNext HumanAI™, a combination of computer vision, natural language processing, and behavioral contextualization that detects malicious URLs, BEC, malware and exploits in real-time with our quick 5-min setup Email Observability Mode.