The cost of reported cybercrime in the U.S. jumped 22% last year to more than $12.5 billion, according to the FBI’s Internet Crime Complaint Center (IC3) 2023 annual report (PDF).
The IC3 received a record 880,418 complaints over the year, up almost 10% on 2022.
While investment fraud and business email compromise (BEC) scams continued to dominate the statistics in terms of the cost to victims, losses from reported ransomware attacks spiked by 74%.
Certain crimes hit specific age groups harder
More than 29,000 complaints about investment fraud were lodged, with losses up 38% to $4.57 billion. Of the money lost in those scams, $3.94 billion related to cryptocurrency fraud, a jump of 53% from the previous year.
The second most expensive type of cybercrime was business email compromise (BEC) attacks, with more than 21,000 complainants reporting losing a total of $2.9 billion to scammers.
Tech/customer support and government impersonation scams were the third-costliest type of crime tracked by IC3, with just under 52,000 victims losing a total of more than $1.3 billion.
Writing in the annual report, FBI executive assistant director Timothy Langan said people in different age groups tended to be impacted by different crimes.
“Victims 30 to 49 years old were the most likely group to report losses from investment fraud, while the elderly accounted for well over half of losses to tech support scams,” he said.
Cost of ransomware attacks jumps 74%
The number of ransomware incidents reported to IC3 last year was up 18% to 2,825. More significantly, the cost of those attacks leapt 74% to $59.6 million.
Just under 1,200 ransomware attacks were reported by organizations in the 16 designated critical infrastructure sectors. The most targeted sector was healthcare and public health (249 reports), followed by critical manufacturing (218), and government facilities (156).
Of the 16 critical infrastructure sectors, 14 reported at least one ransomware attack during 2023.
“Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate,” Langan said.
The ransomware groups believed responsible for carrying out the most reported attacks were LockBit (credited with 175 attacks), ALPHV/BlackCat (100), Akira (95), Royal (63) and Black Basta (41).
Those figures are likely to differ significantly next year given LockBit’s operation was taken down by a major international law enforcement taskforce last month, while ALPHV/BlackCat appeared to put itself out of business this week in what is likely an exit scam.
Losses likely much higher than reported
The total value of losses suffered by U.S. cybercrime victims last year is likely to be considerably more than the $12.5 billion indicated by the reports filed with IC3.
The $59.6 million cost of reported American ransomware attacks appears to underrepresent the true extent of the crime, given that Chainalysis tracked $1.1 billion in ransomware payments globally during 2023.
The Justice Department estimates that only about 15% of fraud victims report their crime and Langan indicated that the FBI’s experience with ransomware reporting put it in a similar ballpark.
“Consider that when the FBI recently infiltrated the Hive ransomware group’s infrastructure (in January 2023), we found that only about 20% of Hive’s victims reported to law enforcement,” he said. “More reporting from victims would mean superior insight for the FBI.”
