FBI IC3 2024
Internet crime continues to be a growth industry; the 2024 FBI Internet Crime Complaint Center (IC3) report reported a 33% increase in losses over 2023. The 2024 report recorded 859,532 internet crime complaints, with losses over $16 billion. What has not changed are the types of crime; there is very little change in the ways people are victimized. By number of complaints, the top three cybercrimes were phishing/spoofing, extortion, and personal data breaches. A major component of the losses remains the elderly, with people over the age of 60 submitting the most complaints and suffering the greatest loss at nearly $5 billion, a third of the total loss for 2024.
The IC3 report is based on self-reporting by organizations and individuals who were the victims of internet crime. The FBI has been collecting and reporting on this data since May 2000. Throughout this time the number of cyber incidents has grown annually; at the end of 2022, there were over 7 million cybercrime reports; in 2024 the number is over 8.5 million. Most likely these are an undercount as many victims do not report. The purpose of the report is to identify trends in cybercrime and focus efforts on combating these trends; it is to use that information to educate the public and reduce the cyber threat. As illustrated in the report, most of these cybercrimes begin with email; recognizing the threats that originate from malicious email is one of the best ways to avoid becoming a victim of a cybercrime. In addition, the information gathered by the report allows for allocating resources in defending against these crimes; the data helped establish the IC3 Recovery Asset Team (RAT). The IC3 RAT was established in 2018 to stop fraudulent bank transfers resulting from successful cyberattacks. In 2024, the IC3 RAT stopped or froze the transfer of $561 million of funds, a 66% recovery rate, based on 3020 complaints at $848 million in attempted thefts.
By identifying and highlighting the cybercrime type or class, the report is able to identify defensive measures that can reduce the probability of a successful attack. In doing so, the report listed the 2024 top five cyber-crime types by the number of complaints; they were phishing (193,407), extortion (86,415), personal data breach (64,822), non-payment/delivery (49,572) and investment fraud (47,919). Phishing is the criminal using email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials. A Personal Data Breach is a leak/spill of personal data from a secure location into an untrusted environment, or it can be a security incident in which an individuals sensitive or protected data is stolen or used by an unauthorized individual. Non-payment is when goods or services are delivered, and payment is never received; non-delivery is when payment is sent, and the goods or services are never received, or lesser quality goods are delivered. Extortion is the extraction of money or property through intimidation or undue exercise of authority; it may include threats of physical harm, false threats of criminal prosecution, or public exposure. Tech Support Fraud is when the criminal poses as technical or customer support/service; they are paid for no support, or they access and compromise your computer. When evaluating the most common types of attacks, almost all of them involve email. The lone exception is a Personnel Data Breach when personal data is stolen and compromised. Then again, the entry point for personnel data theft is often email.
Cybercriminals use many avenues to separate people from their money. The most important point made in the FBI reports is that cybercriminals’ preferred means of communication is email. From the criminal’s perspective, email is easy to use and extremely easy to scale. The best defense against fraudulent email is education; gaining the knowledge to recognize fake email is almost a battle won. One of the primary ways to do this is to look at the sender’s address; if the domain does not match the bank, utility company, etc., it is a scam.
No matter the precautions, people make mistakes, and they become compromised. To address email compromise and fraud, the IC3 stood up the Recovery Asset Team (RAT) to assist people who have been swindled. The RAT can stop the money transfer and assist with its recovery. However, time is of the essence; if the victim waits too long to report, the money may be lost. The advice is to act immediately and execute these steps at the same time, take action. First, contact the originating financial institution and request a recall or reversal of the transaction, you want to stop the transaction. Then request a Hold Harmless Letter or Letter of Indemnity. Immediately after a call to the financial institution, file a detailed complaint with www.ic3.gov. It is extremely important to fill out all required data fields, including the banking information. A rule in dealing with financial transactions is to ensure you are addressing a legitimate financial entity, not a fraud. You should never make or send any payments without verifying the email addresses, phone numbers, and people to ensure you are dealing with a legitimate business.
Since beginning reporting in May of 2000, every year has seen an increase in the money lost to cybercrime. Cybercrime is an international business employing 100,000s worldwide, all fighting to take your money. Your best defense is knowledge; understanding how to avoid email compromise will significantly reduce the likelihood of a successful attack. Knowing to report quickly will increase your odds of recovery. As with many things, the victim of cybercrime must take the initiative to report and fight to recover.