5 Takeaways on Pandemic Fraud From the FBI 2021 Internet Crimes Report

FBI, ransomware, cryptocurrency

SIM swaps, employment schemes, business email compromise, tech support fakes, auction fraud, romance scams — fraud comes in many forms, and 2021 was a banner year for it.

In its “2021 Internet Crimes Report” released Tuesday (March 22) the FBI called the pandemic era wave of cyberattacks and malicious activity “unprecedented,” estimating that losses rose to a record $6.9 billion last year, up 7% from 2020 overall, with alarming spikes in certain areas.

Compiled by the FBI’s Internet Crime Complaint Center (IC3), the latest report showed that cybercrooks are going for the most lucrative targets, led by financial services and healthcare.

Another growing area is complaints of fraudsters impersonating customer support agents ,which IC3 said “has taken on a variety of forms, such as financial and banking institutions, utility companies, or virtual currency exchanges.”

In addition to the fact that spoofing (falsified emails, phone calls, forged websites) and phishing/vishing/smishing/pharming (impersonators seeking sensitive data using email and social media) are the top tactics now in use, here are five things we learned from the 2021 Internet Crimes Report.

See also: Will FBI’s New Crypto Crime Unit Bust Industry’s Mainstream Image?

Ransomware Follows the Money

Saying it expects “an increase in critical infrastructure victimization in 2022,” the new report stated that “[o]f all critical infrastructure sectors reportedly victimized by ransomware in 2021, the healthcare and public health, financial services, and information technology sectors were the most frequent victims.”

That’s cybercrooks phishing where the big bucks are concentrated and, in healthcare’s case, exploiting a dearth of digital anti-fraud measures in a sector still modernizing those areas.

Per the report, “the IC3 received 3,729 complaints identified as ransomware with adjusted losses of more than $49.2 million.” That number may be low as ransomware attacks often go unreported.

As to favored fraud tools, the LockBit Ransomware-as-a-Service (RaaS) “most frequently victimized the government facilities, healthcare and public health, and financial services sectors,” the FBI said.

The REvil/Sodinokibi RaaS attack type “most frequently victimized the financial services, information technology, and healthcare and public health sectors.” In January, Russian authorities raided and arrested 14 people associated with the REvil ransomware group.

Read also: Agency Warns of Increased Cyberattacks on Healthcare Targets

COVID-19 Was Good for Email Compromise, Business Fakes

Logging nearly 20,000 business email compromise (BEC)/email account compromise (EAC) complaints in 2021 and pegging “adjusted losses at nearly $2.4 billion,” the FBI noted that BEC/EAC scams are increasingly relying on social engineering and email intrusion “to conduct unauthorized transfers of funds.”

The new report stated that during the pandemic, fraudsters went heavy “using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers. These fraudulent wire transfers are often immediately transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.”

Faked CEO and chief financial officer (CFO) emails were among prime fraud tactics in BEC attacks.

Crypto Crime Mushrooms

Despite its reputation as an unimpeachable source of truth, blockchain and cryptocurrencies stored on it continue as coin of the crime realm for anonymity and untraceable nature.

IC3 said it received 34,202 complaints “involving the use of some type of cryptocurrency, such as bitcoin, Ethereum, Litecoin or Ripple. While that number showed a decrease from 2020’s victim count (35,229), the loss amount reported in IC3 complaints increased nearly seven-fold” from $246.2 million in 2020 to “total reported losses in 2021 of more than $1.6 billion.”

A major culprit in crypto crime called out by the report were cryptocurrency ATMs.

IC3 said that while crypto ATMs are now not uncommon, “[r]egulations on the machines are lax and purchases are almost instantaneous and irreversible, making this payment method lucrative to criminals. In 2021, the IC3 received more than 1,500 reports of scams using crypto ATMs, with losses of approximately $28 million. The most common scams reported were confidence fraud/romance, investment, employment, and government impersonation.”

Targeting Lonely Hearts

In 2021, IC3 received complaints from nearly 24,300 victims “who experienced more than $956 million in losses to confidence fraud/romance scams. This type of fraud accounts for the third-highest losses reported by victims.”

With those aged 60 and over representing almost one-third (32%) of confidence fraud/romance scam victims, IC3 said, “The criminals who carry out romance scams are experts at what they do and will seem genuine, caring and believable. The scammer’s intention is to quickly establish a relationship, endear himself/herself to the victim, gain trust, and eventually ask for money.”

Incidents of “sextortion” in which hackers threaten to expose delicate personal content if not paid represented 18,000 complaints and losses of more than $13.6 million last year, per IC3.

The RAT Is Catching Cyber Pests

The good news in an otherwise woeful portrait of pandemic cybersecurity challenges are the gains being made by law enforcement against these hard-to-find foes.

IC3 formed its Recovery Asset Team (RAT) in 2018 to foster better communications “with financial institutions and FBI field offices to assist freezing of funds for victims.”

Per the report, “RAT initiated the Financial Fraud Kill Chain (FFKC) on 1,726 BEC complaints involving domestic-to-domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74% success rate.”

See also: FBI Targets Crypto Over Ransomware Crimes