FBI Director Christopher Wray speaks in Washington, D.C. Today’s columnist, Brian Johnson of Armorblox, offers five takeaways from the FBI’s 2020 Internet Crime Report. Credit: FBI

The FBI Internet Crime Complaint Center (IC3) in March released its 2020 Internet Crime Report with updated statistics on Business Email Compromise (BEC), Email Account Compromise (EAC), and COVID-19 scams. Since the IC3 was created in 2000, it has consistently shined a light on forms of cybercrime – some new and evolving, others belligerently persistent – and has made laudable strides in stopping the fraudulent transfer of funds whenever possible.

This year’s report reveals 791,790 complaints of suspected internet crime in 2020 – an increase of more than 300,000 complaints from 2019 – and reported losses exceeding $4.2 billion. Contained within are some stark trends on how scammers continue to leverage universal communication channels such as email, text, and voice to effect compromise. It also highlights how the sobering uniqueness of 2020 was exploited to steal money and data.

BEC and EAC losses continue to rise

BEC and EAC attacks have continued to evolve since the FBI first started tracking them as relatively straightforward email spoofs of CEOs and CFOs requesting fraudulent payments. The 2020 report presents an interesting BEC pattern: fewer complaints but higher dollar losses. The report shows that BEC/EAC complaints fell from 20,373 in 2018 to 19,369 in 2020. However, the reported losses have increased year-over-year, from $1.29 billion in 2018 to $1.86 billion in 2020.

It’s likely that attackers have refined their BEC tactics and are emboldened enough now to go after the bigger fish and ask for higher dollar amounts in their scams. While other forms of cybercrime continue to present a danger to organizations’ security processes and peace of mind, BEC and EAC remain the forerunners in harming their bank balance.

The ever-present phishing challenge

We can forgive the general public for thinking that the phishing problem has largely been addressed, since these scams have littered our news pages and collective consciousness for many years. Security pros know better. Numbers from the 2020 report paint another picture.

The IC3 received 241,342 complaints on phishing and related attacks like smishing, vishing, and pharming in 2020, a 110% increase over complaints received in 2019. Since these numbers constitute only reported complaints, we can assume the real phishing impact numbers are much higher than the ones presented in the report.

Tips for security leaders

Organizations must navigate cybercrime at all times. While realizing that there’s no one-shot solution, here are some tips to better contain socially engineered threats and protect the human layer:

Recognize that all companies are targets. Realize that every organization – regardless of industry vertical or size – can get hacked.

Choose layered defenses over silver bullets. There’s no single security solution that will stop all email attacks. Security leaders should institute multiple layers of defense, with each subsequent layer reducing the likelihood of dangerous emails getting through. Security awareness programs, in-built security from cloud email providers, and augments that stop BEC/EAC attacks are needed. It will take a village to achieve the desired breadth and depth of protection.

Recalibrate the company’s definition of trusted communications. In 2020, the IC3 received more than 28,500 complaints related to COVID-19. Many of these scams exploited victims’ trust in people and entities, replicating existing processes like unemployment insurance, small business loans, vaccination programs, and stimulus check disbursements. These attacks show us that security teams can’t trust an email just because it passes authentication checks, comes from someone we know, or reuses visuals and context from known mail workflows.
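The point above, that SPF, DKIM and DMARC passing tells you only that a message came from the domain it claims, not that the domain is one you trust, can be turned into a triage check. The following is an added example, not code from the column or from Armorblox: it parses a constructed Authentication-Results header, then classifies the From domain against a constructed list of known partner domains, flagging near-miss lookalikes (one character off, or a trusted name buried inside a longer domain). The partner list, the sample messages and the verdict labels are all assumptions made for the illustration.

```python
"""Email triage helper: 'authenticated' is not the same as 'trusted'.

Added example (not from the column or Armorblox). Parses a constructed
Authentication-Results header and compares the From domain against a
constructed list of partner domains, flagging lookalikes.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this organization actually does business with.
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}

# Matches the result tokens that mail servers stamp into Authentication-Results.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def parse_auth_results(header):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'} from the header text."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header or "")}


def levenshtein(a, b):
    """Classic edit distance; one substitution/insertion/deletion apart means distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """True when the domain is not trusted but is one edit away from, or contains, a trusted name."""
    for t in trusted:
        if domain == t:
            return False
        if t in domain:  # e.g. a trusted name used as a subdomain of an attacker-controlled domain
            return True
        if levenshtein(domain, t) <= 1:
            return True
    return False


def classify_sender(raw_message, trusted=TRUSTED_DOMAINS):
    """Combine the authentication result with a domain allow-list and lookalike check."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg.get("Authentication-Results"))
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    authenticated = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    if domain in trusted:
        verdict = "trusted-domain" if authenticated else "trusted-domain-auth-failed"
    elif is_lookalike(domain, trusted):
        # Fully authenticated, yet still a lookalike: the sender owns a domain that merely
        # resembles a partner. Authentication passing says nothing about trust here.
        verdict = "lookalike-domain"
    else:
        verdict = "unknown-domain"
    return {"domain": domain, "authenticated": authenticated, "verdict": verdict}


# Constructed sample messages (headers only matter for this check).
SAMPLE_LOOKALIKE = (
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner-banc.example;\n"
    " dkim=pass header.d=partner-banc.example; dmarc=pass header.from=partner-banc.example\n"
    'From: "Accounts Payable" <ap@partner-banc.example>\n'
    "Subject: Updated wire instructions\n\n"
    "Please use the new account details attached.\n"
)
SAMPLE_TRUSTED = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
    'From: "Accounts Payable" <ap@partner-bank.example>\n'
    "Subject: March invoice\n\n"
    "Invoice attached.\n"
)
SAMPLE_UNKNOWN = (
    "Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail\n"
    "From: billing@vendor-portal.test\n"
    "Subject: Overdue balance\n\n"
    "Log in to settle your balance.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_TRUSTED, SAMPLE_UNKNOWN):
        print(classify_sender(sample))
```

The interesting row is the first one: every check passes, because the attacker registered and correctly configured a domain of their own, yet the verdict is still "lookalike-domain". Feeding that verdict into a banner or a quarantine rule is the kind of layered control the tip calls for, and the allow-list plus distance threshold are the knobs a team would tune against its own partner roster.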

Authenticate all workflows. Apart from implementing multi-factor authentication, security leaders should also educate employees on creating their own lines of authentication when dealing with emails concerning money or data. Verify sudden requests for payments or sensitive data by calling or messaging the purported sender through a channel you already have on file. Dismiss email requests for sensitive information from government entities out of hand: the IRS will never ask for social security number information over email.

Minimize repetitive work for the company’s security teams. Companies must stay sensitive to the workload email crime places upon security teams. Security leaders should strive to have processes and technologies in place that minimize repetitive threat triage and remediation work for their teams. The less time teams spend chasing down false positives, poring over logs of data, and manually deleting bad emails across inboxes, the more time teams will have to hunt for sophisticated threats and perform targeted interventions that move the needle for security operations.

Much of what we suggest are common-sense “blocking and tackling” security concepts that are easy to talk about, but hard to do in a consistent, continuous way that the security team will accept and adapt in their everyday work lives. But it’s a journey we all must take – because the attacks are sure to keep coming. 

Brian Johnson, chief security officer, Armorblox