Phishing attacks doubled, COVID scams raged, and ransomware wreaked havoc in 2020. According to the FBI’s 2020 Internet Crime Report (IC3), phishing claimed the most victims, with non-payment/non-delivery, extortion, personal data breaches, and identity theft rounding out the top five cybercrime types of 2020. Below are the standout cybercrime statistics of the year.
The FBI received 19,369 reports of business email compromise (BEC) in the US in 2020. Although the number of victims decreased from the previous year, the costs increased. BEC, or spear phishing, cost US businesses more than $1.8 billion in 2020, up from $1.7 billion in 2019.
BEC affects businesses of all sizes and in all industries. As the FBI notes, attacks have become more sophisticated in the last few years, with significant advancements in social engineering tactics. Cybercriminals have branched out from standard CEO fraud involving wire transfer requests to scams targeting the real estate industry, vendor and lawyer impersonation, gift card fraud, and personal email compromise.
The FBI highlighted a BEC case from Chicago in which a business specializing in hand sanitizer wired nearly $1 million to hackers. The victim company believed they were investing in ventilators. They were just one of tens of thousands of businesses and citizens who fell victim to COVID-19 scams in 2020.
The oldest trick in the book made a big comeback in 2020: phishing attacks doubled. According to IC3, 241,342 victims reported phishing to the FBI in 2020, compared to 114,702 victims in 2019. Unlike BEC, phishing costs decreased slightly, with $54 million in losses in 2020, down from $57 million in 2019.
Like BEC, phishing attacks have reached new levels of sophistication, with social engineering being at the heart of most phishing attacks. Like the BEC example above, cybercriminals leveraged the COVID-19 pandemic in a large number of attacks. Most COVID-19 phishing scams revolved around a handful of themes related to the pandemic and its economic impact on businesses and citizens:
Additionally, according to the FBI, government agencies were among the most impersonated in COVID-19 phishing scams. Exploiting the fears and insecurities of the public, cybercriminals promised early access to vaccinations while emptying bank accounts and stealing sensitive account credentials.
While extortion and high ransomware demands were previously reserved for big-budget enterprises, ransomware hit the SMB sector hard in 2020. According to Datto, the average ransomware payment demand for SMBs in 2020 was $5,600, while the cost of downtime dwarfed that number, reaching $247,000 and representing a 94 percent increase from 2019.
Seventy-seven percent of North American MSPs and 85 percent of European MSPs reported ransomware attacks against their clients in 2020, and 95 percent of MSPs reported attacks on their own businesses.
Phishing emails were the #1 cause of ransomware attacks, according to MSPs, followed by poor user practices and lack of cybersecurity training. Additionally, 59 percent of MSPs said that ransomware bypassed their antivirus/anti-malware solutions, while 42 percent reported that it bypassed legacy signature-based antivirus solutions.
According to IC3, the overall cost of ransomware in the US tripled in 2020, with $29.1 million in losses compared to just $8.9 million in 2019. IC3 received 2,047 ransomware complaints for the year; however, the FBI notes that both the total cost and victim counts are likely higher than reported. Downtime, wages, files, equipment, and third-party remediation are not factored into adjusted ransomware losses reported by the FBI.
The FBI notes that without factoring in these losses, the result is an “artificially low overall ransomware loss rate.” Additionally, the numbers reflect only those attacks reported to the FBI, and it’s well known that many businesses attempt to manage ransomware attacks on their own to avoid public scrutiny. Finally, the numbers do not reflect ransomware attacks reported to FBI field offices or agents.
The IC3 report also revealed cybercrime statistics related to the most common mediums and tools used in cyberattacks. Factoring in all victim reports from 2020, social media and virtual currency were the commonly used mediums and tools to facilitate cybercrime. Social media was associated with $155,323,073 in damages, while virtual currency accounted for $246,212,432 in damages.
Social media platforms have become highly useful tools for hackers in recent years. With billions of users, each connecting their accounts to multiple third-party apps, social media platforms provide hackers with both the bait and the hook. Vade has noted a significant uptick in social media phishing since 2018, with social media representing 13 percent of all unique phishing URLs in 2020, and Facebook being the most impersonated brand. Cryptocurrency, on the other hand, is the primary payment method for both extortion and ransomware, allowing cybercriminals to both collect payment and remain anonymous.
COVID-19 is, remarkably, not over yet. We expect COVID-related phishing scams to continue as workers around the world remain at home, waiting for their spot in line at a local vaccination site.
Other COVID scams that are still making the rounds are tax related. In just the past month, Vade detected four million phishing emails targeting those with tax debt, along with scams related to COVID-19 stimulus payments.
In light of the recent Microsoft Exchange hack, we expect reports of spear phishing, BEC, and ransomware to increase among businesses affected by the initial breach. Vendors and customers of those affected will likely also become targets.