Video: FBI IC3 Internet Crime Report 2020

Big tech is letting us down. Sponsored by KnowBe4

David Braue

Melbourne, Australia – Mar. 31, 2021

The FBI’s recently released 2020 Internet Crime Report is a rogues’ gallery of cybercriminal attacks, with its 69.4 percent increase in reported breaches documenting an explosion of cybercrime in 2020.

Yet for all the headline numbers, cybersecurity expert Roger Grimes is most surprised not by cybercriminals’ resilience and creativity in extracting money from their victims — but by the massive and ongoing betrayal of consumer expectations by social-media giants, banks, law-enforcement bodies, and the other bodies we want to believe are looking after us online.

“I love reading the FBI report every year, but have you ever reported any phishing attacks against you to the FBI?” he asked during a recent interview with Cybercrime Magazine.

“I don’t know anyone who ever does it — so the hundreds of thousands of people reporting to the FBI are only the people that cared enough to report it.”

Stranger still, he noted, is the relative pointlessness of taking the time to report those crimes: “It’s kind of strange,” he explained. “You’re putting information through [to the FBI reporting service] and there’s no benefit other than data collection. It’s not like they’re going to get your report and say ‘I’m going after that hacker.’”

With 791,790 reports to the FBI’s Internet Crime Complaint Center (IC3) during 2020 alone — up from 467,361 in 2019 — cybercriminals are successfully landing more than 2,200 scams every day that someone considered significant enough to report.

And while IC3 does say that it “analyzes and shares information from submitted complaints for investigative and intelligence purposes,” even contemplating complaint-driven enforcement, based on that many annual reports, is enough to make an investigator swoon.

Given the assumed massive volume of unreported crimes, Grimes — a longtime security expert and journalist who now works as data-driven defense evangelist with security firm KnowBe4 — believes those figures are “truly the tip of the iceberg.”

And that, he added, makes it even more unbelievable that purveyors of online commerce have sold unassuming internet consumers on the myth that they are there to protect their interests.

Unwrapping the big lie

Indeed, despite their role in helping scam posts proliferate, he warned, the interests of big social-media companies often diverge from those of the people they count among their customer bases.

Grimes, for one, was recently following a scammer who was pushing a Bitcoin investment scam on his Facebook page using fake names, assumed identities, and stolen pictures.

Having dutifully documented the scam on his LinkedIn account, Grimes ultimately fed what he figured would be a slam-dunk takedown through to Facebook’s community-standards review process.

“Five minutes later I got a message back from Facebook saying that the message does not violate community standards, but thank you so much for reporting it,” Grimes recounted.

“I’m not against Facebook — I love Facebook — but if someone using an assumed name and identity and stealing money doesn’t violate community standards? You have a lot of people that trust Facebook to be the law enforcement of the internet — and it’s clearly not happening.”

A similar smokescreen is being sold to users by a credit-card industry that, Grimes said, has bolstered third-party identity monitoring services to sell the image that they’re proactively protecting people’s identities online.

Given the widespread availability of millions of people’s personal data on dark web profiling sites — and the ability to easily purchase highly detailed reports on cybercriminal targets that include all kinds of cross-linked personal information — Grimes said those services are barely scratching the surface of the global trade in stolen identities.

“What’s amazing,” he said, “is that the credit card industry, and some of the other people that hold our data, feel like they’re doing a fairly good job of protecting our data — and they’re not.”

Indeed, he said, most financial institutions are less concerned with preventing fraud than with spending more money on systems that help them spot fraud without inconveniencing customers with too many false positives.

“The vast majority of the AI, and things like that, is not being done to try to stop your information from being stolen or misused,” Grimes said. “It’s actually being done to make sure you can use your information legitimately — they’re worried about losing you as a customer because they accidentally stopped you from doing something legitimate.”

“Identity theft is so bad, but they are not working as hard to prevent it as you think.”

That leaves companies, and their executives, to make the hard decisions around how to protect their employees and their businesses from the depredations spelled out in the FBI’s latest report.

Ransomware, in particular, had become such a big business risk that many companies had simply resigned themselves to having to pay off ransomware extortionists as a cost of doing business — “like mob payment protection rackets,” he said.

With the sophistication of cybercriminals’ operations already “pretty amazing stuff” and getting more effective every day, Grimes said, policies for dealing with ransomware hits need to be treated as a business decision.

“Attackers seem to be attacking at will, ransomware at will, doing data exfiltration at will,” he said, so the decision “has got to be made by senior management and legal, and made ahead of time. You don’t want to be making the decision about ‘are we going to pay?’ on the fly when it’s happening.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.
