The FBI recently released its 2020 Internet Crime Report (Report), which details and analyzes complaints received through the FBI’s Internet Crime Complaint Center (IC3). In 2020, IC3 received a record number of complaints – nearly 800,000, with reported losses in excess of $4.1 billion. Companies must acknowledge that cybercrime is a real, dangerous threat to their business, and understand how, and why, these threats continue to escalate. At a minimum, businesses should take several proactive steps to protect themselves.
What is IC3?
IC3 is an online platform hosted by the FBI, which exists to provide the public with a trusted place to report cybercrime to the FBI. Since its inception in 2000, the IC3 has received 5.6 million complaints, and has averaged approximately 440,000 complaints over each of the last five years. The complaint figure for 2020 is nearly double that average.
IC3 has five main components to its operation:
- Host a portal where victims can report internet crime to the FBI;
- Provide a hub to alert the public;
- Perform analysis, referrals and asset recovery;
- Host a database for law enforcement via the FBI’s LEEP website; and
- Partner with private sector, and numerous local, state, federal and international agencies.
Each of these pieces plays an important role in fulfilling the FBI’s ultimate goal for the IC3 – the creation of a cohesive environment to build safety, security and confidence into our digitally connected world.
What did the Report conclude?
In addition to reporting the massive number of complaints and extraordinary level of financial loss, the Report also provided details about the types and locations of the complaints, as well as information about the victims. A review of this information provides a glimpse into the various methods utilized by cyber criminals, and also demonstrates how widespread the attacks have become over the last several years.
The Report highlights Business E-mail Compromise (BEC) schemes, Phishing scams and Ransomware as the most troubling and pervasive attacks in 2020. BEC claims continue to be the costliest form of attack, with a loss amount of approximately $1.8 billion. In terms of sheer number of incidents, phishing led the list with nearly 250,000 complaints in 2020, although the losses associated with phishing incidents pales in comparison to the losses associated with BEC schemes. Finally, ransomware attacks continue to increase – although the report notes that these types of attacks are often not reported to the IC3 website.
Individual victims continue to come from all age ranges, although 41% of the attacks were directed at individuals who were 50 years old, or older. In terms of geographical location, California and Florida had the most number of victims, while the greatest losses occurred in California, New York and Texas. However, claims and losses were reported in every state in the union. The information provided in the Report demonstrates that no one is immune to attack, regardless of age or location.
How can I protect my company?
Although the Report identifies a significant increase in cyber crime during 2020, companies can take a number of proactive measures to ensure they can either avoid falling prey to a cyberattack – or recover quickly should defenses fail.
We strongly encourage companies to work with counsel and an outside cybersecurity consultant to take the following steps:
- Identify your company’s “mission critical” assets;
- Analyze your data – map what you have, where it’s stored, who it is shared with, and how it’s protected;
- Develop a comprehensive cybersecurity plan to protect these assets and data;
- Procure cyber liability insurance as a safety net should an unanticipated attack succeed;
- Understand the various regulatory requirements to which your company must adhere;
- Prepare an Incident Response Plan, and conduct table-top exercises to practice; and
- Train your employees to create a culture of proactive cyber awareness to block incidents before they occur.
While this list is not exhaustive, it will certainly provide a solid foundation from which to protect your business against cybercrime. Highly-trained technical experts and attorneys play an integral role in the development of any cyber risk management program, and should be utilized throughout the process.