The FBI’s Internet Crime Complaint Center has released its annual report. The 2020 Internet Crime Report includes information from 791,790 complaints of suspected internet crime—an increase of more than 300,000 complaints from 2019—and reported losses exceeding $4.2 billion. State-specific statistics have also been released and can be found within the 2020 Internet Crime Report and in the accompanying 2020 State Reports.

The top three crimes reported by victims in 2020 were phishing scams, non-payment/non-delivery scams, and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes, and investment fraud. Notably, 2020 saw the emergence of scams exploiting the COVID-19 pandemic. The IC3 received over 28,500 complaints related to COVID-19, with fraudsters targeting both businesses and individuals.

Infographic depicting the number of complaints to the Internet Crime Complaint Center in 2020 (791,790) compared to 2019 (467,361).

In addition to statistics, the IC3’s 2020 Internet Crime Report contains information about the most prevalent internet scams affecting the public and offers guidance for prevention and protection. It also highlights the FBI’s work combating internet crime, including recent case examples. Finally, the 2020 Internet Crime Report explains the IC3, its mission, and functions.

The IC3 gives the public a reliable and convenient mechanism to report suspected internet crime to the FBI. The FBI analyzes and shares information from submitted complaints for investigative and intelligence purposes, for law enforcement, and for public awareness.

With the release of the 2020 Internet Crime Report, the FBI wants to remind the public to immediately report suspected criminal internet activity to the IC3 at ic3.gov. By reporting internet crime, victims are not only alerting law enforcement to the activity, but aiding in the overall fight against cybercrime.

According to Vanessa Pegueros, Chief Trust and Security Officer, OneLogin, “Cybercriminals are masterful when it comes to playing on human emotions. They take advantage of human loneliness, fears around health, and the desperate hopes of quick economic gain. Computers don’t have emotions and are the vehicles by which cybercriminals monetize these human emotions. We need to continue to implement security controls on computers because we will not change our humanness.”

Jerome Becquart, Chief Operating Officer, Axiad, explains, “Email phishing remains a growing issue because an organization’s greatest vulnerability is its users. Despite all the efforts businesses make to educate users to identify phishing emails, and the implementation of increasingly smarter email filtering solutions,  hackers still find new ways to trick users and get through the system. Most email scams are masquerading as a known email source or colleague within the same organization, which makes the recipient more likely to share sensitive information. Digital Signature of emails should be more widely used to prevent this, as they enable the email recipient to confirm that the sender is authentic and legitimate. In our experience at Axiad, implementation of Digital Signature for e-mails significantly decreased the risk of email phishing, as we know that if an email for a co-worker doesn’t have their digital signature, it is a phishing scam."

Becquart adds, “The problem with user credentials being compromised is not a new issue - passwords are not secure and are an easy target for scammers and hackers, which is one of the reasons credential issues make up over 80% of data breaches. The good news is that we see a lot of organizations moving to a passwordless approach using technologies such as FIDO2 and PKI. These technologies are widely available and supported by all the major players, from Microsoft to Google and AWS. These approaches result not only in better security but also better user experience, as passwords are painful to remember, need to be changed frequently, etc. However, it’s important for businesses to deploy passwordless solutions for their various business use cases, as FIDO2 or PKI don’t protect all of your users and devices on their own. By implementing multiple credential solutions, you can protect every identity on your network. “

Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, says, “Unsurprisingly, ransomware continues to grab headlines. However, what’s most concerning is how attack vectors are evolving. Remote Desktop Protocol (RDP) is an increasingly common attack vector. RDP access enables an attacker to take over a victim’s computer – this kind of access is being bought and sold on cybercriminal marketplaces and the dark web. It commands the highest average price of $9,800 among all types of access sold, according to Digital Shadows’ research. RDP is a particular concern in the battle against ransomware, with the FBI estimating that RDP is 70-80% of the initial foothold that ransomware actors use. To minimize exposure from services like RDP, make sure you have multifactor authentication enabled.”

Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, explains that these latest numbers certainly represent the current state of affairs. "While I am not surprised by the findings in the report, and the rising prominence of BEC/phishing spams, what does surprise me is that we have not adequately addressed this epidemic. This is no longer limited to a section of technology users – with the pandemic, everyone virtually is a technology user. While point in time training and educational campaigns targeted to the most vulnerable are necessary, they are not sufficient. We need to teach the vulnerable how to safely use the internet highway, as we have been taught to use the physical highways. The internet highway needs constant patrolling and safety sighs and prompts to prevent mishaps and keep us safe.”