Lessons and Takeaways from the FBI’s 2022 Internet Crime Report

Spanning 32 pages and featuring statistics galore, there’s a lot to unpack in the FBI’s 2022 Internet Crime Report. The Bureau’s Internet Crime Complaint Center (IC3) compiled the 2022 report based on 800,944 complaints of cyberattacks and incidents received from members of the public.

To save you from information overload, this article presents the most pertinent findings from the report along with some lessons and takeaways to help improve your cyber defenses in response to them.

Business Email Compromise (BEC) Scams Continue

Business email compromise (BEC) scams are sophisticated social engineering attacks that target both individuals and companies. Data from the FBI’s 2022 Internet Crime Report revealed total losses from BEC stood at $2.7 billion. This figure represents around a fifth of all losses, which shows just how effective BEC scams are.

The classic BEC scam sees an employee, usually in the accounting or finance department, receiving an email from a compromised or spoofed account purporting to be a colleague or someone from an important company vendor. The email typically uses social engineering techniques to convey a sense of urgency around unpaid invoices in order to instigate unauthorized transfers of funds.

While the classic scams still occur, the report notes an uptick in measures to increase the credibility of any communication with the victim. One tactic was the spoofing of vendor phone numbers to confirm fraudulent bank details. Threat actors likely deploy this tactic to circumvent increased awareness about classic BEC scams among employees.

In response, it might be worth adopting the following two practices:

  • Update your cybersecurity training and awareness materials to inform employees about BEC scams now using spoofed phone numbers.
  • Have a system in place for verifying payment details that does not require relying on emails alone or on any of the contact information contained in an email.

Ransomware Attacks Decline, But Health Sector Heavily Targeted

Total ransomware complaints decreased to 2,385 in 2022 from 3,729 complaints in 2021. This reported fall in perhaps the most high-profile type of cyberattack mirrors findings from other reports. But it’s risky to interpret this data as an impetus to disregard the threat of ransomware.

There are several possible causes of this drop-off in ransomware. One factor is the disbandment of several prolific, high-profile ransomware gangs like Conti. Hackers may also have become more selective about the companies they target with ransomware. Improved security defenses taken by businesses in response to ransomware threats might also have helped.

Despite the notable fall in ransomware, the introduction of the FBI’s 2022 Internet Crime Report indicates it’s dangerous to let your guard down – “We assess ransomware remains a serious threat to the public and to our economy.” The top variants noted belonged to HIVE, BlackCat and Lockbit. Each of these three gangs contains Russian-speaking members, and all three gangs likely run their operations in Russia.

An interesting trend found in the data was that of 870 reports of critical infrastructure sector organizations hit by ransomware, 210 of them were in healthcare. The sensitivity of the data stored in healthcare IT systems, combined with the criticality of its operational technology systems, makes the sector a prime target for malicious actors.

There is clearly a perception among ransomware groups that cybersecurity defenses haven’t kept pace with rapid digital transformation in the healthcare sector. With lives at stake, healthcare organizations must consider other ways to bolster their cyber defenses, such as implementing micro-segmentation to prevent lateral movement and using managed detection and response services for 24×7 endpoint visibility.

Large Jump in Financial Losses from Cybercrime

In a document full of interesting numbers and stats, one that stands out is the large jump in financial losses from cybercrime. Despite the FBI receiving almost 47,000 fewer complaints in 2022 versus 2021, losses spiked from $6.9 billion in 2021 to $10.3 billion in 2022. These U.S. figures appear in line with global predictions of financial losses from cybercrime reaching $10.5 trillion by 2025.

The increase in financial losses from cybercrime despite fewer reported complaints could point to attacks becoming more damaging. The growing use of online financial services, such as cryptocurrency exchanges and platforms, also provides malicious actors with more financial targets to hit. The report seems to reflect this idea by calling out investment scams as the costliest scheme reported to the IC3, with total financial losses of $2.57 billion.

Many investment scams target individual consumers directly via social media and celebrity impersonation. However, some scams see threat actors masquerading as other businesses.

In one type of scam, a hacker or group of hackers impersonates a crypto startup looking for small loans of crypto assets, only to clear out the accounts of any donors (liquidity mining). Crypto platforms can help to prevent these scams by looking out for attempts to impersonate their brand through a spoofed domain or fake social media account (automated tools can do this).
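The spoofed-domain check mentioned above, and the spoofed or lookalike sender domains described in the BEC section, can be automated with a small classifier over the From: header. This is an added example, not Nuspire's tooling or anything from the IC3 report; the allowlisted domains, the confusable-character table and the sample headers are constructed for illustration.

```python
"""Lookalike sender/brand-domain detection (added illustration, not Nuspire's or the FBI's tooling)."""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of the domains a company and its vendors legitimately send from.
TRUSTED_DOMAINS = {"examplevendor.com", "cryptostart.example"}

# Character substitutions commonly used in lookalike registrations (assumed set, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))


def normalize(label: str) -> str:
    """Fold accents and digit/letter look-alikes into a canonical lowercase ASCII form."""
    folded = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        folded = folded.replace(src, dst)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats (a dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an RFC 5322 From: header value."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sender_brand = normalize(domain.split(".")[0])  # leftmost label of the sender's domain
    name_norm = normalize(display_name)
    for trusted in TRUSTED_DOMAINS:
        brand = normalize(trusted.split(".")[0])
        # Brand label reused under another TLD, as a subdomain of a different domain, or with a
        # homoglyph / one-character edit: examp1evendor.com, examplevendor.co, examplevendor.com.evil.example
        if levenshtein(sender_brand, brand) <= 1:
            return "lookalike"
        # Display name claims the brand while the address is outside the allowlist.
        if brand in name_norm:
            return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a reason to hold the message for review and verify any payment or account details out of band, using contact information held on file rather than anything in the email.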

Data Powers Improved Cyber Defenses

The cyberthreat landscape continues to grow and evolve, and the FBI’s annual Internet Crime Report is one of the best sources of data to stay current on what’s happening. If your business gets targeted by any cyberattack, it’s worth reporting as much detail about the attack as possible to the IC3. All of this combined data is valuable for both individuals and companies alike.

Lastly, it’s worth remembering each business and sector faces a unique set of security challenges and competing priorities. At Nuspire, our cybersecurity consulting services provide a tailored approach to incident readiness, incident response, threat modeling and more. We view protection as a continuous improvement cycle that accounts for constant change in the threat landscape.

Contact us here to learn more.
