FBI: investment fraud tops list of costliest cybercrimes


Cybercrime in the US cost an estimated $12.5 billion last year – and that’s just the incidents that were reported to the FBI. But while ransomware gangs like LockBit might enjoy high-profile notoriety, it’s online investment fraud that hurts American wallets the most.

The Bureau’s specialized IC3 cyber reporting department made the disclosure in its annual report published on March 7th.

IC3 had to field an average of 2,412 complaints daily, bringing the total number it received since its creation at the beginning of the century to over eight million.

The most damaging form of cybercrime in terms of financial cost in 2023 was investment fraud – where people or businesses are duped online into sinking money into fake ventures – which cost victims $4.57 billion, a 38% rise on the previous year’s total of $3.31 billion.

“These scams are designed to entice those targeted with the promise of lucrative returns on their investments,” said the FBI, adding that investment fraud involving cryptocurrency rose from $2.57 billion in 2022 to $3.94 billion, an increase of 53%.

Next after investment fraud, in terms of lost dollars, were business email compromises (BECs), social engineering scams that hoodwink company employees into signing off on bogus invoices, often by pretending to be a decision-maker telling them to do so.

These netted cybercriminals an estimated $2.9 billion at the expense of Americans, with 21,489 complaints being filed with the FBI.

“These BEC schemes historically involved compromised vendor emails, requests for W-2 [tax return] information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards,” said the FBI, which added that the IC3 data “suggests fraudsters are increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors.”

Online impostors

And old-school confidence tricksters and con artists, it seems, are going nowhere in the digital era. Scammers impersonating tech and customer service support or even government agents resulted in $1.31 billion being stolen from victims last year.

“Impersonation scams defraud thousands of individuals each year,” said the FBI, while also noting that it had enjoyed some success in bringing such perpetrators to justice.

Among them were Ankur Khemani and the Sterks gang in Iowa, who stole $4 million from 14,000 victims through a fake tech support center based in India that targeted US citizens, before being caught and jailed for 75 months in September by a federal court in Knoxville.

Khemani’s accomplices, Marilin, Jennifer, and Teresa Sterk, were convicted of laundering his ill-gotten gains, opening more than 30 bank accounts – the former was jailed for 30 months, though her daughters were spared a prison sentence.

Ransom gangs still at it

Ransomware gangs also had a busy year, with LockBit, ALPHV/BlackCat, and Akira topping the list of most prominent offenders – total losses arising from this type of cyberattack reported to IC3 came to $59.6 million, a hefty 74% rise on 2022’s total of $34.3 million.

“Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends,” said IC3, “such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate.”

Ransomware gangs usually infiltrate a target organization’s computer systems, encrypting data so it is beyond the owner’s use until extortion demands are met or even, as noted above, destroying it altogether.

Of the total 2,825 ransomware attacks reported to the FBI in 2023, 175 were attributed to LockBit, another 100 to BlackCat, and 95 to Akira. Royal (63) and Black Basta (41) were also prominent offenders.

“Ransomware infections impact individual users and businesses regardless of size or industry by causing service disruptions, financial loss, and in some cases, permanent loss of valuable data,” said IC3, while also noting that establishing the actual number of such cases is difficult.

“While ransomware infection statistics are often highlighted in the media and by computer security companies, it has been challenging for the FBI to ascertain the true number of ransomware victims as many infections go unreported to law enforcement,” it said.

The FBI needs YOU

Pledging to continue fighting the “evolving cyber threat,” the FBI said: “Today’s cyber landscape is threatened by a multitude of malicious actors who have the tools to conduct large-scale fraud schemes, hold our money and data for ransom, and endanger our national security.”

It added: “Profit-driven cybercriminals and nation-state adversaries alike have the capability to paralyze entire school systems, police departments, healthcare facilities, and individual private sector entities.”

The Bureau is urging the public to continue to come forward with any tip-offs or complaints it might have about cybercrime in all its nefarious forms.

“As the cyber threat continues to evolve, the FBI remains appreciative of those who report cyber incidents to IC3,” it said. “Your reporting is critical for our efforts to pursue adversaries, share intelligence with our partners, and protect your fellow citizens. Cybersecurity is the ultimate team sport, and we are in this fight together.”