Things Matt Wrote


Internet-enabled crime is largely underreported. Those affected by cybercrime may not know how or where to report their victimization. Some are too embarrassed to report it while many others don't even know they've been victimized. Regardless of the reason, the majority of persons victimized by cybercriminals fail to report it to law enforcement. A 2020 crime survey of England and Wales suggested that only 16.6% of frauds are being reported and only 1.7% of those victimized by “computer misuse offenses” are self-reporting their victimization.

Businesses aren't much better at reporting their victimization. This 2019 report by global IT and cybersecurity association ISACA found that enterprise and other business entities are vastly under-reporting cybercrime victimization, even when legally mandated to notify law enforcement and regulatory agencies.

The underreporting of cybercrimes makes the 2021 Internet Crime Report from the Internet Crime Complaint Center even more remarkable.

The Internet Crime Complaint Center (IC3) is the cybercrime reporting and analysis mechanism for the Federal Burea of Investigation. The center facilitates an easy and efficient way for citizens and businesses to self-report their victimization and losses. The collected information is then analyzed to look for trends and investigative leads. The results are distributed to FBI field offices for follow-up investigation and for information releases to educate the public. Each year the organization creates a summary of the previous year's numbers and publishes it as the Internet Crime Report.

The 2021 Internet Crime Report follows the trend of its predecessors in revealing that cybercrime has increased from the previous year. In 2021, the IC3 accepted 847,376 reports which is a 7% increase over the number received in 2020. The reported dollar loss is greater than 6.9 Billion dollars.

Remember that cybercrime victimization is grossly underreported? Yeah, so what are the true numbers for 2021? It's mind-boggling.


Why are business email compromise attacks so effective?

Because people are Helpful.

Because people are Trusting

Because people are Obedient.

Phishing and Business Email Compromise attacks are acts of social engineering. They are attacks on humans and they prey upon human emotions. The most effective phishing emails exploit the target's emotions of Obedience, Fear, Kindness, or Curiosity. The most effective BEC emails target the employee's sense of obedience.

Employees want to be good workers. They want to excel at their jobs and win the praise of their supervisors. Imagine you are an accounts payable clerk or junior accountant and the CEO walks into your office and says Jump. Are you going to question how high or why?

One of the biggest fears most employees have is failing at their jobs, or at least look like their failing. No one wants to question the boss and risk appearing incompetent or untrusting. Even when employees think the email directing the high dollar wire transfer is suspicious many times the urge to carry out the task with diligence and obedience overcomes the suspicion.

This week, the Milford Daily News detailed a Business Email Compromise attack executed on the city of Franklin, Tennessee. The cities treasurer transacted a wire transfer that resulted in a $522,000 loss to the municipality, The city manager described it as a “sophisticated cyber fraud”. It was not. It was just a standard spear-phishing attack taking advantage of an organization with untrained employees and insufficient security controls.