Online extortion, tech support scams and phishing attacks that spoof the boss were among the most costly cyber scams reported by consumers and businesses last year, according to new figures from the FBI’s Internet Crime Complaint Center (IC3).
The IC3 report released Thursday correctly identifies some of the most prevalent and insidious forms of cybercrimes today, but the total financial losses tied to each crime type also underscore how infrequently victims actually report such crimes to law enforcement.
For example, the IC3 said it received 17,146 extortion-related complaints, with an adjusted financial loss totaling just over $15 million. In that category, the report counted 2,673 complaints identified as ransomware — malicious software that scrambles a victim’s most important files and holds them hostage unless and until the victim pays a ransom (usually in a virtual currency like Bitcoin).
According to the IC3, the losses associated with those ransomware complaints totaled slightly more than $2.4 million. Writing for BleepingComputer.com — a tech support forum I’ve long recommended that helps countless ransomware victims — Catalin Cimpanu observes that the FBI’s ransomware numbers “are ridiculously small compared to what happens in the real world, where ransomware is one of today’s most prevalent cyber-threats.”
“The only explanation is that people are paying ransoms, restoring from backups, or reinstalling PCs without filing a complaint with authorities,” Cimpanu writes.
It’s difficult to know what percentage of ransomware victims paid the ransom or were able to restore from backups, but one thing is for sure: Relatively few victims are reporting cyber fraud to federal investigators.
The report notes that only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement. For 2016, 298,728 complaints were received, with a total victim loss of $1.33 billion.
If that 15 percent estimate is close to accurate, that means the real cost of cyber fraud for Americans last year was probably closer to $9 billion, and the losses from ransomware attacks upwards of $16 million.
The IC3 reports that last year it received slightly more than 12,000 complaints about CEO fraud attacks — e-mail scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. The fraud-fighting agency said losses from CEO fraud (also known as the “business email compromise” or BEC scam) totaled more than $360 million.
Applying that same 15 percent rule, that brings the likely actual losses from CEO fraud schemes to around $2.4 billion last year.
Some 10,850 businesses and consumers reported being targeted by tech support scams last year, with the total reported loss at around $7.8 million. Perhaps unsurprisingly, the IC3 report observed that victims in older age groups reported the highest losses.
Many other, more established types of Internet crimes — such as romance scams and advanced fee fraud — earned top rankings in the report. Check out the full report here (PDF). The FBI urges all victims of computer crimes to report the incidents at IC3.gov. The IC3 unit is part of the FBI’s Cyber Operations Section, and it uses the reports to compile and refer cases for investigation and prosecution.
It’s great that you published these statistics; they are real eye-opening and really show why this is a “market”. ($) It’s unfortunate, though, that the punishment in a lot of these cases doesn’t fit the crime. Until they (lawmakers) start making examples of these hacker communities and make them serve hard time, they will walk with probation and continue to do these same scams and easy money behind a keyboard.
I’d like to see a graph of the hackers that were caught and what sentencing was handed down.
If Timmy (hacker/scammer/phisher) only gets their hand slapped, with no other follow-through (monetary or real-time) that really makes them think about returning back to the same avenue, this will continue to get worse.
It kills me how much collateral damage is done by ransomware, for such a comparatively minimal profit.
Thanks as always, Brian!
I would say in USA and Canada carders still have stable income, even USA swipe dumps work great. Many ways to have income for many carders. I’m not sure about ransom but I think it’s mainly in UK best business, I’m not sure if there are any good cvv providers as so many rippers.
Part of the problem is the way USA laws allow marketing/fake/spam calls left-right-center.
Ever since I moved to California from Fiji / New Zealand noticed crazy number of calls from marketing, fake companies from Timbuktu etc
New Zealand is beating down hard on fake calls.
Seems like any tom dick & harry from anywhere in the world can buy a USA phone number and become an expert by quick Googling/Wikipedia.
FBI/ Agencies are collecting all the data but seems like the spinning disks are good for cobwebs – hopefully one day someone with common sense in these so called agencies will decide, Hey! why not data mine and stop all this nonsense and help Americans.
I do not see any value in mass collection of data and just adding to the carbon footprint unless intrinsic value gleaned.
This guy is doing something about it: https://motherboard.vice.com/en_us/article/bj8wg4/we-talked-to-the-hacker-who-flooded-alleged-irs-scammers-with-robocalls
When a company files a federal complaint, are they also required to disclose it publicly? If so, then that might explain why there is a discrepancy. If a company can either pay the ransom, or restore from backup and not suffer the negative publicity, then why should they report it?
That is what I was thinking – also they probably don’t want their insurance company to find out, or they’d be dropped soon after paying the damages. You can quickly become uninsurable in business.
Wow! Looks like the election cycle really ran up the numbers for DC. 🙂
Not sure how to share this with Krebs. I know there is an ongoing fascination with credit/debit card skimmers. It turns out that BoredPanda has built a really cool photo essay of these devices and includes how to spot them in the wild.
Hey Brian, is there any chance that you would be willing to write about tech support scammers?
If the US ever really does a major infrastructure improvement program, I hope they include ways to make the phone system handle/filter/eliminate spoofing of phone numbers. Some kind of control over IP to telephone network gateways to stop phone scams would pay dividends.
anyone have any idea what price for crypto locker? And whats the best way to spread it over internet ?
Identity theft? Report it to the various officials, and nobody takes action, and nobody cares.
Many many people work with cvv-s, ransoms, dumps, bank transfers. Many people earn regular income from identity theft.
I want to know how to learn these jobs
No wonder you’re anonymous….
A local nonprofit I’m involved with was recently phished for $10,000. We tried to report it to the FBI and they had zero interest in anything so small. (It wasn’t small to us.) I don’t think they even took a report. We also reported it to local law enforcement, but they weren’t interested because the bank the money was wired to was in another state; the police in the bank’s town weren’t interested since we weren’t there.
If our experience is typical, I’m surprised the number is even as high as 15%. There were clues in the email headers as well as the bank numbers if anyone with law enforcement connections had been interested in helping chase them down.
But your bank or financial institution will refund your loss 100%
My Mom got scammed by people who called her, claimed that they are a Microsoft-approved service and that her computer had alerted them to problems, for which they charged her credit card $299 and gained access to her computer. When I contacted Citibank that a long-time customer had been scammed, they couldn’t have cared less and refused to take up the credit card payment complaint. Even pointing out that Googling the company turned up hundreds if not thousands of complaints about them would not move Citibank. Apparently Citibank supports ripping off their loyal elderly customers – or else they are the bankers for these scammers. So who’s worse: the scammers who did it or Citibank, for allowing it and refusing the credit card protest?
I think it’s not true. Citibank is very helpful
Banks and government are here to help you out.
Who are you to say that my detailed story is not true?
Get their form for credit card fraud and mail it in to them. They are required under federal law to investigate it. Don’t pay attention to random phone rep who is a moron.
Thank you for the suggestion. I did that. I officially disputed the charge. I have a case number and a pile of correspondence, including the phone number, links to sites where people complain about the number, etc. Citibank investigated and sided with the crooks.
I think you’ll find this entertaining. It’s a guy firing back at the Microsoft support scammers: https://motherboard.vice.com/en_us/article/bj8wg4/we-talked-to-the-hacker-who-flooded-alleged-irs-scammers-with-robocalls
If everybody around you is scamming and stealing then you do the same. Make it even…that’s why in eastern Europe you can’t steal, ’cause only scammers and criminals have money over here
If you’re looking for a more direct connection to “Little Brook Media”, try their director of business development, Dan Steele : https://www.linkedin.com/in/dan-steele-7658374
Disproportionate numbers of actual attacks compared to reports being filed may also be resulting from inundated authorities acknowledging the reported incidents and responding commensurate to the reporter’s expectations. If that is the case, then giving up on reporting would definitely yield the disparity in numbers.
Very interesting statistics, thanks for sharing!
A common scam here in Australia is where the scammers get hold of a SIP phone number (unsure if they’ve hijacked it or leased it) and use that to robocall other local numbers with a message to the effect that, “You have a tax debt, a warrant has been issued and officers are on their way now to execute that warrant, please call us back on nnnn nnnn immediately to clear this up”.
When they provide a number like this, it makes it easy – you check the Communications Authority (ACMA)’s registry of assigned number ranges to find out which telco has those numbers.
a) I get in touch with that telco and tell them a number they are responsible for is being used in criminal fraudulent activity and advise them I will be reporting the matter to ACMA.
b) I report it to ACMA
c) I report it to the police cyber people (ACORN)
d) I report it to the Consumer law people (ACCC)’s Scamwatch division
Meanwhile, I ring the number back. I have various approaches to them, one being:
Me: Hold the line please
Me: sorry, please just hold the line for a moment longer
Scammer: what are you saying?
Me: Please hold the line, we are tracing this call in order to identify you
(scammer rapidly hangs up.)
I have had these dodgy Indian call centre scammers beg me to stop calling them. The irony.
These numbers are invariably out of service within 24-48 hours of me getting stuck into them.
I would venture a guess that 99.9% of the US has never heard of the IC3 or know to report anything there or feel inclined to call anything more than the local police if anything in case they are scammed.
Another funny but very adult language video where someone calls back a scammer and talks with them. They know they are scamming people and have zero remorse for it. https://youtu.be/dNt8nPA9khc
I find it interesting that non-payment is #3 … clients bilking freelancers and entrepreneurs on payment for services rendered is a white collar crime that doesn’t get reported enough!
Wow. That is insane. What is BEC? Julia at workoutgearlab.net
It is Business Email Compromise.