Five Key Takeaways from the FBI’s 2022 IC3 Report
As companies invest more and more in their digital transformation, the challenge of securing digital systems will only grow. Adapting to these push-pull requirements of growing digital infrastructure while also working to secure it is among the top challenges businesses face today. Cybercriminals have been well-positioned to take advantage of this struggle as the pandemic and global recession have further accelerated this shift to digital automation and remote work. Unsurprisingly, the FBI’s Internet Crime Complaint Center (“IC3”) 2022 annual Internet Crime Report shows the most significant jump in total losses from cybercrime over the past five years, reaching $10.3 billion.
The IC3 is a public resource to submit reports of cyberattacks and incidents. It collects data, identifies trends, and publishes an annual comprehensive report on its findings. The latest report summarizes and collates data from the 800,944 complaints IC3 received in 2022, providing insight into threat-actor methods and trends in the threat landscape. Resilience has pulled together the top Key Takeaways from the report.
Key Takeaway 1: The Cost of Cybercrime Is Increasing
The 800,944 complaints the IC3 received in 2022 represent a slight decrease from 2021, falling closer to the 2020 total. However, the losses associated with the complaints grew from $4.2 billion in 2020 to $6.9 billion in 2021 and $10.2 billion in 2022.
This continues a five-year trend of increasing total reported loss. The sharp increase in total loss combined with a slight decrease in reported incidents represents a significant increase in the average severity of incidents in 2022 compared to 2020 and 2021. The increasing stakes of cyberattacks emphasize the importance of building proper cybersecurity controls, infrastructure preparation, and staff training. The mounting cost of cyber attacks demonstrates that traditional risk transfer and mitigation must evolve holistically for organizations to achieve cyber resilience.
Key Takeaway 2: Social Engineering Tactics Are Growing More Complex
The IC3 report emphasizes the growing sophistication of business email compromise (“BEC”) attacks. These attacks are evolving from simply hacking or spoofing business and personal email accounts. The report notes an “increasingly prevalent” tactic of BEC scammers spoofing telephone numbers and call-center support lines, a strategy in which threat actors impersonate tech support or employees of the sender they are posing as. This tactic is particularly pernicious, as it preys upon those following the standard advice for attempting to identify a spoofed email—picking up the phone to try to confirm whether the suspicious email is in fact legitimate.
This evolution in sophistication demonstrates the importance of building cyber resilience on multiple levels. Enterprises should continue to train their employees to be wary of unusual requests, emphasize the importance of confirming contact information from sources other than the suspicious emails themselves, and err on the side of caution. This evolution in BEC tactics also serves as a reminder of the importance of combining technical solutions like multi-factor authentication with employee training.
Key Takeaway 3: Bad Actors Target Vulnerabilities in Systems, Security, and Individuals
Investment scams targeting individuals accounted for $3.3 billion of the $10.2 billion in total reported losses in 2022. The IC3 report also notes that BEC scammers have begun to set their sights on investment accounts rather than simply traditional bank accounts. One likely reason is that individuals are less likely to notice losses from investment portfolios than from their regular day-to-day accounts. Moreover, investment accounts are also likely to have higher balances.
Remaining aware of common strategies used in these attacks is the best way to avoid falling victim. The IC3 report determined that even though individuals aged 30-39 submitted the most complaints, they experienced less in losses than individuals 40+, likely due to a better understanding of these types of attacks and how they are employed. Individuals aged 60+ experienced the highest losses and second-highest attack frequency.
While these developments concerning attacks on individuals do not necessarily have a direct impact on business enterprises, they demonstrate that threat actors are constantly evolving their attack methods and have a deep understanding of how to prey on the vulnerable.
Key Takeaway 4: Ransomware Attacks on Critical Infrastructures
In 2022, the IC3 received 2,385 complaints of ransomware attacks with adjusted losses of over $34.3 million. If this number seems small, it’s because many ransomware incidents are never reported to law enforcement. Resilience and the FBI recommend reporting ransomware incidents immediately. Ransomware attacks can be particularly damaging to business operations, especially when left unreported.
The IC3 recommends the following to avoid ransomware attacks:
Of the 2,385 ransomware attacks reported to the IC3, 870 were from organizations belonging to a critical infrastructure sector. Of 16 classified critical infrastructure sectors, 14 experienced at least one ransomware attack. The IC3 prepared the following chart, demonstrating which critical industries were hit most frequently.
Key Takeaway 5: Cyber Resilience Strategies Are Proving Successful
The IC3 report highlights the significant success of its Recovery Asset Team (“RAT”), which implements the Financial Fraud Kill Chain (“FFKC”) process. When the FFKC is activated promptly, financial institutions can recall or even reverse transfers to the threat actors’ accounts. The IC3 reports that the RAT’s efforts in responding to over 2,800 incidents resulted in the recovery of $433 million of the potential $590 million that otherwise would have ended up in threat actors’ pockets – a 73% success rate for the FFKC.
The success of the FFKC in preventing any fraudulent transaction depends on the speed with which it is activated. Resilience encourages our clients to report suspected BEC claims as soon as possible, and we stand ready to assist in activating the FFKC. As the IC3 report clarifies, the sooner an incident is reported, the better the chances that the FFKC can prevent or mitigate out-of-pocket loss. Resilience security experts have a longstanding relationship with law enforcement, fostered by years of collaboration on cybersecurity and anti-cybercrime initiatives like the Ransomware Task Force. Our security team proactively aligns our products and objectives with the FBI’s best recommendations and most recent data. We can share insights and cyber threat intelligence gained through our partnerships with our clients.
The trends identified in the 2022 IC3 report demonstrate the importance of building a cyber-resilient organization—one that is vigilant, prepared, and able to react quickly to an incident. Resilience is committed to serving as a bridge to law enforcement for our clients. We believe this partnership not only helps with better response to incidents when they occur but makes our clients more secure in the first place. Together we can fight back against those who would endanger our digital way of life.
Thank you for reading. If you liked this post, please share it with your network, and follow Resilience for more thought leadership to help you build #CyberResilience.
About the Author
Daniel Raccuia is U.S. Digital Assets Claims Counsel at Resilience, where his responsibilities include providing legal counsel on coverage, claims, and incident-response matters. Prior to joining Resilience in 2022, he practiced law at Day Pitney LLP, focusing on litigation and arbitration matters concerning insurance coverage and reinsurance disputes.