The Federal Bureau of Investigation (FBI) recently released the annual report from their Internet Crime Complaint Center (IC3). The 2019 Internet Crime Report contains some rather remarkable and sobering statistics recorded on the IC3 website during 2019.
One of the techniques I’ve learned about making a presentation to an audience is to engage with them physically. For example: “Please raise your hand if you’ve been a victim of some form of internet-based scam or fraud in the past 12 months.” Invariably some people in the audience will raise their hand. I’d continue by asking, “Now keep it raised if you went to the IC3 website to report it.” I would be very hard-pressed to convince you that any hands remained in the air. And with that little bit of background, let’s take a look at the numbers. I hope that after you read this newsletter you would contact the IC3 if you inadvertently fall victim to one of these scams.
In 2019, the IC3 received over 467,000 complaints with reported losses that exceeded $3.5 billion. That is approximately 1,300 reports per day and represents a 33% increase in the number of complaints from 2018 with a corresponding increase of 30% in losses. Those numbers reflect both the sheer volume of threats that are taking place and an enhanced effort by the FBI to let people know they should report scams to the IC3.
What accounted for the most substantial loss last year? 23,775 victims reported Business Email Compromise (BEC) attacks, which cost them over $1.7 billion in damages. BEC occurs when a bad actor compromises a legitimate business email account and requests a form of funds transfer. The FBI reports that a new variant of this scam appeared in 2019: diverting payroll funds. In this scheme, a human resources or payroll department would receive an email looking like it came from an employee with a request to update their direct deposit account information. The new account would generally route to a pre-paid card account. The likelihood of recovering those lost assets is extremely low.
Another high yielding scam from 2019 was Tech Support Fraud. The IC3 received over 13,000 complaints that amounted to more than $54 million in lost funds — a 40% increase from 2018. What is missing from this report is the number of victims who fell for the scam but who did not know to contact the IC3 to report their loss. Also missing is the total number of victims who didn’t succumb to the fraud in the first place. (I’d like to give a “shout out” to Rhea Hess for having received and faithfully ignored more of these fake tech support phone calls than anyone I know.)
Also on the list was the Ransomware category, comprised of 2,047 victims who lost $8.9 million. Now I have to admit, that is quite surprising given the high profile ransomware cases involving several cities, government agencies, and the health care industry last year. Again, that goes towards the question of who reports their victimhood to the IC3.
The final category is one that is significant yet frequently overlooked: Elder Fraud. Overall, the majority of losses and incidents occurred to victims who indicated their age was 60 years or over. That amounted to more than 68,000 individuals for a total of over $835 million in losses. Targeting this group is widespread because cybercriminals will invariably go to where they think the money exists.
The most treacherous scams for the over 60 age group involved Romance Fraud, Grandparent scams, and Family/Caregiver scams. The bad actor deceives the victim into believing there is a trusting relationship. The victim is persuaded to send money, or provide personal and financial information, to the bad actor. This situation frequently leads to Identify Theft or Account Takeover, where the criminal has sufficient personal identifying information that they can commit fraud against the victim’s financial accounts.
Steps You Can Take to Avoid Falling Prey — And What to Do If You Are a Victim
One of the best ways to avoid a lot of grief and heartache from these scams is to exercise a moment’s caution every time you encounter someone who is calling you for any personal information.
Similarly, if you need to contact any company for support, DO NOT search for their phone number! Scammers have already rigged the search results list on Google so that their fake phone numbers appear before the real ones. Those links go to fraudulent websites that will try to obtain personal or credit card information. If you need to contact any company, go directly to their website and look up the phone number.
If you think you’ve fallen victim to a scam, the first thing you should do is call me so that I can assess what has occurred. As appropriate, I will help you file a report with the local police, and work with you to contact your financial institutions.
I am going to insist that you log the case with the IC3 (https://www.ic3.gov). Your complaint must contain all of the required data, including banking information.
In terms of BEC fraud, there are more specific actions to take. These include:
- Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless letter or Letter of Indemnity.
- Never make any payment changes without first checking in with the intended recipient. Verify that email addresses are accurate when checking email on a cell phone or other mobile device.
- And for heaven’s sake, call someone if there’s a significant amount of money involved, or if the request differs from your usual business process or procedures.
Thanks and safe computing!