2021 Internet Crime Report. Only the Reported is Reported.
Internet-enabled crime is largely underreported. Those affected by cybercrime may not know how or where to report their victimization. Some are too embarrassed to report it while many others don't even know they've been victimized. Regardless of the reason, the majority of persons victimized by cybercriminals fail to report it to law enforcement. A 2020 crime survey of England and Wales suggested that only 16.6% of frauds are being reported and only 1.7% of those victimized by “computer misuse offenses” are self-reporting their victimization.
Businesses aren't much better at reporting their victimization. This 2019 report by global IT and cybersecurity association ISACA found that enterprise and other business entities are vastly under-reporting cybercrime victimization, even when legally mandated to notify law enforcement and regulatory agencies.
The underreporting of cybercrimes makes the 2021 Internet Crime Report from the Internet Crime Complaint Center even more remarkable.
The Internet Crime Complaint Center (IC3) is the cybercrime reporting and analysis mechanism for the Federal Burea of Investigation. The center facilitates an easy and efficient way for citizens and businesses to self-report their victimization and losses. The collected information is then analyzed to look for trends and investigative leads. The results are distributed to FBI field offices for follow-up investigation and for information releases to educate the public. Each year the organization creates a summary of the previous year's numbers and publishes it as the Internet Crime Report.
The 2021 Internet Crime Report follows the trend of its predecessors in revealing that cybercrime has increased from the previous year. In 2021, the IC3 accepted 847,376 reports which is a 7% increase over the number received in 2020. The reported dollar loss is greater than 6.9 Billion dollars.
Remember that cybercrime victimization is grossly underreported? Yeah, so what are the true numbers for 2021? It's mind-boggling.
The top five reported crimes were:
- Extortion. The report defines extortions as “Unlawful extraction of money or property through intimidation or undue exercise of authority.” Surprisingly, they don't consider ransomware as extortion.
- Identity Theft. How broad of a term is that? The definition they provide doesn't narrow it down.
- Personal Data Breach. Specifically a person, not a business.
- Non-payment / Non-delivery. Have you ever sold something online and never gotten paid after shipping it? Ever paid for something and not have it shipped to you? This.
- Phishing/Vishing/Smishing. How about we just call this social engineering.
The dollar loss from Business Email Compromise fraud is staggering. It's important to note that it only ranks ninth in the number of reports received but first in the reported dollar loss. And it's not even close, as losses from BEC victimization are reported at $2,395,953,296 while the next closest loss is investment fraud at just over 1.4 billion dollars. The move to a remote workforce surely bears some responsibility for this as the dehumanizing technology that allows for a virtual office plays right into the hands of BEC actors. Two years into this pandemic forced work-from-home experiment some employees have never met each other in person. Of course, you're going to immediately answer the email or slack message from your boss, it's the only you communicate. Confirm a transaction by telephone? Of Course. Would you even recognize the voice of the CFO?
The prevalence of tech support fraud demonstrates that we need to increase our senior citizen outreach. The IC3 received a 137% increase in tech support fraud reports over the 2020 numbers and 60% of the reporting victims were over 60 years old. Law enforcement should be more proactive in targeting seniors with education and technology companies should be bolder in their security messaging. How about targeted ads, “Hi we're Microsoft, your safety is important to us. We will never cold call you about the status of your computer. EVER!”.
Considering the true numbers are not known because of underreporting, the amount of Romance Scam victimization is frightening. The agency heard from 24,999 victims who experienced more than 956 million dollars in losses. Victims of romance scams are extremely reluctant to come forward and report their abuse due to the shame and embarrassment they feel. It's a deeply personal offense that completely devastates most victims. Many of them just want to privately grieve their losses, and broken heart, without telling their friends and families how they were duped. The true number of victims must be tenfold.
The most disheartening aspect of the yearly IC3 report, at least for those of us in law enforcement and financial industry security, is the unwritten acknowledgment that the overwhelming majority of people responsible for this victimization will not be criminally charged. Ever.
Think about that for a minute.