It's a bit dated, but a member of our team recently brought up a few statistics from the FBI IC3 2016 Internet Crimes Report (available here: https://pdf.ic3.gov/2016_IC3Report.pdf). He pointed out a few numbers that were a bit surprising to me, and I think most readers of this blog, specifically those at financial institutions, will agree.
The FBI IC3 (Internet Crime Complaint Center) releases the report annually. It is a compilation of reported internet-facilitated criminal activity.
The shocking thing for me was the list of the top 4 and where some other "high-profile" events landed. Keep in mind, in 2016, IC3 received reports of $1.33 Billion in losses.
Of that, $840 Million (63%) came from the top 4 crime types out of a list of over 30:
#1 $360 Million - Business Email Compromise/Email Account Compromise: BEC is a scam targeting businesses (not individuals) working with foreign suppliers and/or businesses regularly performing wire transfer payments. EAC is a similar scam which targets individuals. These sophisticated scams are carried out by fraudsters compromising email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.
#2 $219 Million - Confidence Fraud/Romance: An individual believes they are in a relationship (family, friendly, or romantic) and is tricked into sending money, personal and financial information, or items of value to the perpetrator or to launder money or items to assist the perpetrator. This is basically the Grandparent's Scheme and any scheme in which the perpetrator preys on the complainant's "heartstrings."
#3 $138 Million - Non-Payment/Non-Delivery: Goods and services are shipped, and payment is never rendered (non-payment). Payment is sent, and goods and services are never received (non-delivery).
#4 $123 Million - Investment: A deceptive practice that induces investors to make purchases on the basis of false information. These scams usually offer the victims large returns with minimal risk (Retirement, 401K, Ponzi, Pyramid, etc.).
TOTAL: $840 Million
What about ransomware? What about ID Theft? Here's where some of the other well-known crime types landed:
#5 Corporate Data Breach - $95 Million
#9 ID Theft - $58 Million
#12 Card Fraud - $48 Million
#15 Phishing - $31 Million
#18 Extortion - $18 Million
#21 Denial of Service - $11 Million
#24 Malware - $3 Million
#25 Ransomware - $2 Million
TOTAL: $293 Million
That's not to say any of these numbers shouldn't be taken seriously. But the second list, made up of 8 "hot topics" in cybersecurity, the ones that the media love to sensationalize, adds up to only a third of the total dollar amount of the top 4.
The point I'm trying to make here is this: financial institutions spend a lot of time and resources preventing and preparing responses to things like ransomware, ID theft, DDoS, and data breaches. (Again, I'm not trying to say that these things are unimportant.) But how much effort is put into Business Email Compromise or Confidence fraud or Investment fraud?
If we look at the top 4 crime types, 2 things come to mind:
1. As a financial institution, you will be involved in these schemes as they are directed toward your customers; and whether it's fair or not, you carry reputational and financial risk with all of them.
2. All 4 of the top crime types can be drastically reduced through customer awareness training.
My challenge to all financial institutions is to put in place processes and training to reduce the top 4 forms of cybercrime. Here are some ideas, but I'd love to hear what your bank or credit union is doing to fight fraud (just email us at support@bedelsecurity.com).
- Implement verification procedures and explain to your business customers why they are in place.
- Offer online resources for training, but also include live in-person training events for your less computer-savvy customers (keep in mind that over 30% of the total crime affected people 60 and over in 2016).
- Train your staff to ask the right questions when a customer who never wires money suddenly wants to send out thousands of dollars.
- Encourage your customers to contact bank staff if they are ever unsure if a transaction is legitimate.
As always, thank you for reading.