Pratum Blog


An Overview of the FBI Internet Crime Report

The FBI has released the 2019 Internet Crime Report. This annual analysis highlights the internet-enabled crimes and scams reported to the FBI’s Internet Crime Complaint Center (IC3). In the nearly 20 years the IC3 has been in existence, 2019 had the highest number of complaints and the most money reported lost. We’re going to look at where these attacks are happening most frequently, and what you should be on the lookout for in 2020.

Where Complaints are Highest

The Internet Crime Report not only shows which crimes are happening most frequently, it details where in the world they are being reported. Perhaps unsurprisingly, the highest number of complaints in the U.S. came from states with the highest populations. California, Texas, Florida, and New York had more than 20,000 complaints each in 2019. South Dakota had the lowest number of victims with 473. You can see where each state ranked on the chart below.

[Figure: FBI IC3 map of 2019 complaints by U.S. state]

While those states had the most complaints, that doesn’t necessarily mean they had the most money lost. For example, Ohio had fewer than 10,000 complaints. However, it ranked higher in losses than most states, with more than $200 Million lost. California residents and businesses lost the most overall, with more than $500 Million in losses.

On an international scale, the United States far outpaces the rest of the world in internet crime reports. The United Kingdom had just over 93,700 victims. Canada was next on the list with more than 3,700. The state of Illinois alone had more victims than Canada, with over 10,000 reported in 2019.

How Much Was Lost

The number of people impacted by cybercrime was higher than ever in 2019, but so was the amount of money lost. Worldwide, an estimated $3.5 Billion was lost by individuals or businesses within the year. The routes used to take that money varied. Using social media, scammers were able to access more than $78,775,000. Virtual currency losses made up over $159,329,000.

While some states had a lower number of complaints, they still lost a substantial amount of money. As we mentioned above, South Dakota had the lowest number of victims in the United States. Despite that low ranking, South Dakota still lost more than $3,086,000 to cybercrimes in 2019.

Who’s Being Targeted

Looking at the Internet Crime Report, it’s not hard to see who’s getting hit the hardest with online scams. People over the age of 60 make up the majority, with more than 68,000 victims. The total losses for that age group were over $835,164,000.

As the age range decreases, so does the number of victims. However, even the youngest group, under 20 years old, still had 10,724 victims, with $421,169,232 lost. This bolsters the point IC3 tries to drive home: anyone at any stage in life could fall victim to a cyber-attack as criminals become savvier.

[Figure: IC3 chart of 2019 victims and losses by age group]

Which Scams to Look Out For

Which cybercrimes are causing the most trouble? According to IC3 Chief Donna Gregory, the center didn’t see new types of fraud emerge. Rather, criminals used new tactics and changed their techniques to carry out the existing scams.

“Criminals are getting so sophisticated,” Gregory said. “It is getting harder and harder for victims to spot the red flags and tell real from fake.”

Emails are a prime example of this. Phishing scams are not new, but the way criminals execute them is changing. In the past, the scam would arrive from a legitimate-looking email address, often appearing to come from a business executive, asking for a payment of some type to complete a business transaction. While that approach is still used today, new forms of Business Email Compromise (BEC) have emerged.

In 2019, IC3 saw an increase in complaints related to the diversion of payroll funds. In this scenario, a Human Resources employee or the Payroll Department receives an email that looks like it came from an employee, asking to update their direct deposit information. Instead of going to the employee who appears to have sent the email, the pay is transferred into a cybercriminal’s account.

This sort of crime was very prevalent in 2019. The IC3 recorded more than 23,000 BEC complaints and more than $1.7 Billion lost.

In addition to email, scammers are also using texting and pharming scams. A common text scam is a message claiming to be from your bank, asking you to verify your account. Once you hand over that private information, the scammer has free rein over your finances. With pharming, you could be looking for a legitimate site and end up redirected to a fraudulent webpage. That fake site gathers your bank or credit card information while you assume it’s safe.

Overall, the most financially harmful complaints were BEC, romance or confidence fraud, and spoofing.

How to Report Cyber Crimes

With more than 1,200 complaints per day, on average, the FBI sees a wide range of attack methods. With this knowledge, they are becoming better equipped to help victims of cybercrimes. The FBI’s Recovery Asset Team was able to recover more than $300 Million for victims in 2019.

Reporting cybercrimes quickly not only gives law enforcement a chance to trace fraudulent transactions before the money is gone for good; it also helps the FBI spot trends, learn which crimes are most common, and decide how to approach them.

When reporting a crime to IC3, make sure you have as much information as possible. Include the email addresses used, any account information you gave out, the phone numbers the scammers called from, and anything else that may help officials track down who’s behind the cyberattack.

To report a cyber threat or tip, you can file a complaint with IC3 online at https://www.ic3.gov/complaint/default.aspx. The page will prompt you to read the information they require, and it makes clear that submitting a complaint to the IC3 is not the same as notifying your credit card company. You will need to notify your financial institution and any businesses or organizations involved separately from this complaint form. Also note that you may not receive any additional information or communication from the IC3 regarding your submission, but know that you have put the effort forth to help alert others to potential scams or other types of fraud.

The next time you face a suspicious email or unexpected text, check the source and make sure it’s coming from a reliable outlet. Don’t become another statistic for the IC3 to report in 2020.

(Source: https://pdf.ic3.gov/2019_IC3Report.pdf)

Validating Vendors' Cybersecurity Practices

How much is too much? The biggest mistake many organizations make when reviewing their cybersecurity is spending too much money on things they don’t need. While technology tools can be valuable, cybersecurity should be focused on the business.

In cybersecurity, there are a lot of security options available to help protect your business. Trying to keep up with all the latest and greatest trends can be expensive, and often unnecessary. Instead, try to focus on what makes your business secure!

A good first step is to understand what cybersecurity is made up of.

Three Pillars of Cybersecurity:

  • Confidentiality – Keeping things safe and secure. Determine what’s on a need-to-know basis.
  • Integrity – Is the data you saved the same data you come back to? Have unauthorized changes been made that aren’t known or detected?
  • Availability – Is data available to those who need it, when they need it?

The three pillars help you determine which cybersecurity controls to put in place. What happens to your business if the system is offline, data is corrupted, or secrets are exposed? How you answer these questions will determine the next steps in your cybersecurity plan, and whether you need to spend money on more security.

Find the biggest risk to your business.

First, look at your business and consider what would happen if each of the three pillars were impacted. Find the area where you have the greatest likelihood of being attacked, and where the biggest impact would be. That’s where you need to begin to address what is necessary to keep your business secure.

Defense in depth is a cybersecurity best practice. You should create a plan to deter, prevent, detect and respond to security incidents. Think of it this way: “Can I deter an attack? If not, can I prevent it? If I stop the problem at one level, a threat might still get through. If that happens, how do I detect the attack and then recover? Where could it go next, and how do I address it from there?”

You should think of your cybersecurity in layers. Each layer has different controls in place to address the threat potential at that point in the process. That means your process should be adapting over time to match any changes to your company. When your business grows or evolves, so should your cybersecurity plan.

What’s worth the investment?

Investing in cybersecurity is all about weighing your risk against the cost. When you analyze security expenses for technology, process, or personnel, you need to be able to show a return on that investment. If something is reducing your risk of being hacked, or gives you an edge over the competition, it’s probably worth the investment. If it’s not helping you earn or keep money, don’t waste resources on it. It’s all about perspective.

While you want to be critical of where your money is spent, you should be investing in your cybersecurity. One efficient use of money is investing in the people who work for you.

Teaching your employees how to handle situations like a phishing email or a suspicious person in the building will protect your security interests. Once people learn how to respond to threats and why cybersecurity is important, proper security processes and awareness will continue to protect your business.

Focus less on technology and more on business.

The goal of most businesses is to generate profits. If a process or technology does not provide or protect profit, it should not drive your business decisions. What you should strive for is decision-making based on business objectives; the technology will follow.

As your business evolves, so should your cybersecurity. Constantly evaluate what is happening in your business to decide what investments should be made. Don’t just throw money at one thing, expecting it to fix all your problems. Understanding what the problem is, how it should be handled, and who should be involved will help you decide if technology investments are needed.

Physical Security

Would a criminal be able to walk into your building and steal private information? You hope the answer is “no”, but there are only a few ways to find out for certain. Pratum has a solution for that; it’s called Social Engineering.

Essentially, a business hires Pratum to test its physical security. In some cases, that means going to the business location and trying to enter the building or attempting to find sensitive information around the facility.

For each assignment there are two Pratum employees directly involved in the process. One does the physical entry work, while the other sets up the parameters with the client to establish boundaries and expectations. In this blog we are interviewing one person who helps set up these tests, Tony Schwarz, Information Security Consultant. We’ll also hear from someone with a lot of experience testing physical security, Tanner Klinge, Information Security Analyst.

What are some methods of physical social engineering?

Tanner: I typically do dumpster diving and facility access. I use tailgating, where I follow someone without their knowledge into the building without a keycard or code to get in myself. Other times I will use piggybacking, which is where someone lets me into the building by holding the door open for me because my “hands are full” or they are being polite. Sometimes I imitate a vendor or friend of an employee to get into the building. I do media drops, like flash drives left around the office or outside the building. I also check exterior doors to see if they’re locked.

When would a company need to use these services?

Tony: It’s all about their risk. If they have assets they need to protect, which most businesses do, they need to have those services done. They may see indicators that tell them that people are dumpster diving or trying to get in after hours, or see unexpected people going through the office. Having a third party come in and test the controls can show you what needs improvement. If you protect the money or personal information of customers, or if you have access to another location with sensitive data, you may need this.

Sometimes it’s due diligence. Sometimes it’s regulatory or compliance. Some auditors will request a social engineering report.

What sort of things have been uncovered in these tests?

Tanner: During dumpster diving outside offices I have found a lot: driver’s license numbers, social security numbers, addresses, full names, birthdays, and personal banking information such as bank account numbers, PIN numbers, and account totals.

I have found confidential or sensitive information from a business standpoint, like proprietary designs from a company. I’ve seen sales and finance information and HR documents.

There’s also been more personal stuff like child support documentation. Really all kinds of things!

How do you avoid being detected?

Tanner: There are times I will wear small disguises such as safety glasses or a fake badge that is visible. It depends on what I know about the company that I can use to blend in with the other employees. I’ve noticed people have a hard time engaging with others. People still don’t “see something, say something”. As long as I’m walking in with confidence people don’t question it. Most people do not like confrontation.

Are there safeguards in case you do get caught, to prove you’re there with permission?

Tanner: We’ve started talking to local law enforcement in the jurisdiction of the clients we serve. Then we notify police when and where we’ll be working. We will also carry ID and a statement of work (or contract with the company). Plus, we have a point of contact with the client, in case we need to reach someone to prove we are who we say we are.

What changes have employers made after our testing?

Tony: Some organizations will add or improve security controls related to the method Pratum is able to get into the environment. After events like this clients may either upgrade controls, or they accept the risk. An example control could be another layer of security between a reception area and the main part of their business.

How often should this be done?

Tony: At least annually, or more frequently if you have lots of things that were discovered, and you want to validate that your new protocols are working. It comes back to the risk. If you have a big room of gold or nothing, where on that scale are you? The more you have to lose, the more you have to do to put controls in place.

What does the client receive after a test? What is on a social engineering report?

Tanner: The clients are given photos and a synopsis. The photos are taken when I’m at the facility. They are proof of how far I was able to get and what I had access to. The report, or synopsis, details where I went and who I talked to. I try to be very detailed and give a chronological report. I want the reader to feel like they were there with me, to fully understand the situation.

What is the best result from these tests?

Tanner: I would need to be stopped at the door and approached by an employee. Someone should stop me in the first few minutes. Validation is key.

For example, I was at a bank and claimed to be a maintenance worker doing some work for the facility manager. I told the clerk a different name than my own. I looked around and said I needed to get behind a counter. I had a fake work order in hand to look legitimate. They did ask for my ID, so I handed over my real driver’s license, with a different name than what I told them. They made a copy, gave it back to me, and I signed the sign-in sheet. No one checked to see that the driver’s license didn’t match what I told them. I was able to get behind the counter where the money safe was and had access to the network closet.

Tony: I would hope that management has more information on what choices they should make on how to run their business. At the end of the day it’s up to management to either accept the risk or spend money and time to make changes to reduce the risk. It really just depends on what they’re dealing with and the culture of that organization.

Final Notes from Tanner and Tony for Businesses:

1. Be familiar with your building.

2. Shred your trash.

3. If you see something, say something!

4. Respond quickly if you notice something unusual. Don’t wait for something to happen.

5. Test security controls on a regular schedule.

6. Make sure security measures, like cameras, are working.

7. Management should be training their employees on security protocol.

For more information on how you can test your organization’s physical security, reach out to a Pratum representative today to set up Social Engineering services.
