Cybercrime in the U.S. cost its victims at least $1.4 billion in 2017, with losses in the tri-state region in excess of $79 million, according to a report released Monday by the FBI’s Internet Crime Complaint Center (IC3).
The federal agency last year registered more than 300,000 victim complaints. Internet fraudsters targeted Pennsylvanians at least 11,300 times for $36.3 million, New Jersey residents more than 7,600 times for $40.4 million, and about 760 Delaware folk for $2.4 million, according to the FBI’s report.
But total losses — and the number of victims — likely are much greater, said cybersecurity experts.
“That’s because not everybody reports to the FBI,” said Michael Levy, Asst. U.S. Attorney and head of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania.
“People don’t report it for various reasons,” said Levy, who also teaches cybersecurity at the University of Pennsylvania, “but often they don’t want the embarrassment.”
The top reported internet scam was non-payment or non-delivery, where goods are shipped but never paid for, or ordered but never received. The second most reported offense was personal data breaches, which are used for identity theft or industrial espionage. The third was phishing, where a fraudster lures a victim into disclosing sensitive information such as a password, a credit card number or bank account information.
“It just goes to show that people aren’t learning. That’s the big takeaway,” said Mark McCreary, partner and chief privacy officer at Philadelphia’s Fox Rothschild law firm. “The report comes out every year, but the number of people, the number of dollars lost remains fairly constant. We keep falling for the same scams.”
Ransomware ranked 24th on the FBI’s list of top internet scams. Both Levy and McCreary believe that’s because most victims don’t bother to file complaints about it. “It’s what people get most affected by,” McCreary said. In a ransomware attack, a hacker locks a victim’s data and promises to release it after a ransom is paid, typically in bitcoin. The FBI advises against paying a ransom.
Last year’s most lucrative swindle was the business email compromise (BEC), a sophisticated scam that targets people who regularly transfer large sums of money by wire or who write large checks. The money is unwittingly sent to accounts controlled by criminals. “It’s something we’re seeing a lot more of,” McCreary said.
The BEC scam has become common enough that the FBI created a separate category in 2017 to track it. Victims last year lost more than $676 million to BECs.
With a BEC, fraudsters find a way to infiltrate a company’s email system. Then they sit and wait, learning who controls a company’s purse strings.
The scammers “get into a system and they lurk there for months, reading communications to figure out how a president or CEO would write an email asking for a check to be sent somewhere,” Levy said. Once the information is gleaned, the fraudster sends a faked email requesting a large sum be sent out.
“If the company doesn’t catch it early and report it to the bank or law enforcement, [the money is] out of the country before someone can do something about it,” Levy said. “A lot of times, banks have refused to reimburse their customers for the loss, saying you authorized the check.”