The U.S. Federal Bureau of Investigation has delivered its annual internet crime report based on information from 791,790 complaints in 2020, far surpassing 300,000 complaints in 2019.

The report found that the top three crimes reported by victims in 2020 were phishing scams, nonpayment or nondelivery scams and extortion. Victims lost the most money to business email compromise scams, romance and confidence schemes and investment fraud. The total lost in 2020 to cybercrime is estimated to be $4.2 billion, up from $3.5 billion in 2019 and $1.5 billion five years ago.

Appearing for the first time in the report was the emergence of scams exploiting the COVID-19 pandemic. The FBI’s Internet Crime Complaint Center received 28,500 complaints related to COVID-19.

“These criminals used phishing, spoofing, extortion, and various types of internet-enabled fraud to target the most vulnerable in our society — medical workers searching for personal protective equipment, families looking for information about stimulus checks to help pay bills and many others,” the report said.

Justin Albrecht, security intelligence engineer at mobile security solutions provider Lookout Inc., told SiliconANGLE that 2020 brought with it numerous events generating curiosity, alarm and urgency within society, factors that threat actors feed on when leveraging social engineering to target their victims.

“Between vaccinations, elections, government aid and the general thirst for information regarding COVID-19, cybercriminals were afforded a broad range of topics with which to tempt their victims into falling for phishing schemes,” Albrecht said. “In addition, COVID-19 restrictions led to more people not only working from home, but also increased online activities such as shopping, banking, and doctor’s visits. These environmental factors, coupled with improved attacker techniques, helped to cement phishing attacks as the most prolific threat of 2020.”

Hitesh Sheth, president and chief executive officer at artificial intelligence cybersecurity company Vectra AI Inc., said it makes sense there was a spike in scams given that so many people had to live so much of their lives online during the pandemic.

“What’s shocking is how vulnerable many still are – especially cohorts like the elderly,” Sheth added. “A key IC3 function is promoting public awareness of online crime, but the 2020 numbers tell me we’re falling short in that department. And as long as internet connections and devices proliferate without consumer street smarts to match, I fear these reports won’t improve.”

One standout in the report was data showing business email compromise or BEC attacks are costing organizations nearly $100,000 on average. Rami Habal, chief product officer at business email compromise firm Abnormal Security Corp., noted that the financial damage is actually much greater when the attack comes from a trusted vendor that has been compromised.

“It’s not at all surprising to see that business email compromise is the most costly type of attack for victims,” Habal said. “Attackers across the world have become increasingly adept at these types of attacks, which are aimed at employees and impersonate a colleague or a trusted partner or vendor to compromise accounts.”

Digging further into BEC attacks, he noted that the FBI data shows the average BEC attack costs organizations about $92,000. But he said that figure rises sharply when it’s a trusted vendor that’s compromised.

“Vendor email compromise attacks have surged in the wake of the Solar Winds hack and our data shows that the average cost for those attacks are $183,000 – nearly twice as much as a typical BEC attack as reported by the FBI,” he said. “It is unrealistic to expect employees to be able to ascertain when a vendor email has been compromised, which is why it’s so important for security teams to be vigilant of any abnormalities that would indicate a problem.”

Image: FBI