The FBI's Internet Crime Complaint Center (IC3) published its 2018 Internet Crime Report, which shows that cybercrime was behind $2.7 billion in total losses during 2018, based on the 351,936 complaints received during the year.

Since its inception in May 2000, IC3 says that it has received 4,415,870 complaints, with an average of around 300,000 complaints each year and roughly 900 per day. These resulted in a total loss of $7.45 billion over the last five years, between 2014 and 2018.

As further reported by the IC3, the internet crimes with the highest reported losses by their victims were BEC, confidence/romance fraud, and non-payment/non-delivery, while the most prevalent were non-payment/non-delivery, extortion, and personal data breach.

The FBI reports that the IC3 received 351,936 complaints in 2018, an average of more than 900 every day. The most frequently reported complaints were for non-payment/non-delivery scams, extortion, and personal data breaches. The most financially costly complaints involved business email compromise, romance or confidence fraud, and investment scams, which can include Ponzi and pyramid schemes.

The IC3 also states that its Recovery Asset Team (RAT), established in February 2018, was able to help cybercrime victims recover a large part of the funds lost to various types of Internet crime.

Through Domestic Financial Fraud Kill Chain (DFFKC) fraudulent fund recovery actions, the IC3 RAT "notified 56 field offices and 12 Legal Attachés of 1,061 DFFKC’s totaling $257,096,992, a recovery rate of 75%."

"The 2018 report shows how prevalent these crimes are," said IC3 chief Donna Gregory. "It also shows that the financial toll is substantial and a victim can be anyone who uses a connected device. Awareness is one powerful tool in efforts to combat and prevent these crimes. Reporting is another. The more information that comes into the IC3, the better law enforcement is able to respond."

BEC scams are the most profitable for crooks

Last year's cybercrime with the highest reported total losses, BEC (Business Email Compromise), also known as EAC (Email Account Compromise), reached a staggering $1.2 billion in losses by targeting the wire transfer payments of both businesses and individuals.

"The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds," says the report.

BEC/EAC scams are the most popular method used by crooks to quickly make bank. Most of the time they do not require much skill, because they rely on tricking people into wiring money to entities they already trust, whose bank accounts were switched with ones controlled by the criminals prior to the attacks.

IC3's findings are also confirmed by Proofpoint researchers, with Rob Holmes, VP of email security at Proofpoint, saying that "the frequency with which companies were targeted with email impersonation attacks tripled in 2018 relative to 2017 and increased greatly in sophistication. Adding to this global financial impact, it is worth noting that each year many incidents of this nature typically go underreported or unreported for various reasons."

As explained by the IC3, "Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector."

The FBI's IC3 also reported increased tech support fraud activity during 2018, with 14,408 recorded complaints and losses of roughly $39 million, representing an increase of 161% when compared to the losses reported during 2017.

The common factor for the vast majority of tech support fraud reports is the fact that the victims are over 60 years of age, a devious yet logical approach showing that the crooks behind them really know their target "audience."

The IC3 also states that it "received 51,146 extortion-related complaints with adjusted losses of over $83 million which represents a 242% increase in extortion related complaints from 2017."

As defined by the FBI, extortion will be used by cybercriminals as the last stage in "Denial of Service attacks, hitman schemes, sextortion, government impersonation schemes, loan schemes, and high-profile data breaches."

"It is critical that organizations prioritize a people-centric approach to security that protects all parties (their employees, customers, and business partners) against phishing, email fraud, credential theft, and brute force attacks," also said Holmes. "We also recommend layered defenses at the network edge, email gateway, in the cloud, and endpoint, along with strong user education to provide the best defense against these types of attacks."

Update April 25 16:09 EDT: Added Proofpoint VP Rob Holmes' insights on business email compromise attacks.