FBI’s IC3 Report Reconfirms Impact of Phishing on Consumers

It may be one of the oldest types of digital attacks, but according to the FBI’s IC3 report, phishing remains a top vector.

According to the report, the most prevalent crime types reported by victims were non-payment or non-delivery, personal data breach, and phishing. The top three crime types with the highest reported loss were BEC, confidence or romance fraud, and non-payment or non-delivery. Many, but not all, digital crimes are also the result of phishing, which can include the likes of BEC attacks.

As with our annual Phishing Trends and Intelligence report, numerous sources of information help the security community gain a better understanding of how threat actors are evolving and changing their tactics. In 2016 the primary headline grabber was ransomware, but in 2017 that wasn’t the case. Now, threat actors are targeting the enterprise more than anything; however, the FBI’s latest report does provide some other interesting data points regarding the most prevalent attack vectors.

Phishing By the Numbers

According to the FBI’s IC3 report, there were $1.42 billion in victim losses in 2017, an average of 800 complaints a day or 284,000 a year, and the numbers continue to rise. The report also shows that people over the age of 60 may be targeted* the most of any age group, with 49,523 victims and a total loss of more than $342 million.

This is just slightly higher than the next most targeted age group, 30-39 year olds, with 45,458 victims and a loss of more than $156 million. Less surprisingly, though there may be more victims and targeting in younger age groups, those who grew up with and are more attuned to these threats lose fewer dollars. This of course is just a generalization.

The IC3 report also identifies the top 10 states that reported various digital attacks.

  1. California: 41,974
  2. Florida: 21,887
  3. Texas: 21,852
  4. New York: 17,622
  5. Pennsylvania: 11,348
  6. Virginia: 9,436
  7. Illinois: 9,381
  8. Ohio: 8,157
  9. Colorado: 7,909
  10. New Jersey: 7,657

*Note on those targeted: Victims reported are based on those who called and complained, but exclude the countless people who did not report said attack or those with unlisted ages.

Prevalence of Digital Attacks

Below are the top five digital attack types based upon fully reported victim numbers:

Personal Data Breach

Phishing, Vishing, or Smishing

Identity Theft
Interestingly, there were also just shy of 20,000 victims of digital attacks where social media was used as the medium, and more than 4,000 attacks that involved digital currency.

Before digging into a few of the callouts from the report, here are some key figures that indicate how prevalent these attacks are. It’s also worth noting that tech support fraud in particular uses a combination of phishing, vishing, and in some cases malware-induced popups.

Financial Impact

BEC Attacks

$675 million

$2.3 million

Business Email Compromise (BEC) Attacks

Business Email Compromise, or BEC, attacks are particularly effective because they often employ spear phishing. This means that a phishing lure has been custom developed for the intended target, in some cases using a compromised email account, which socially engineers an ideal outcome for the threat actor.

“BEC and EAC are constantly evolving as scammers become more sophisticated. In 2013, victims indicated the email accounts of Chief Executive Officers or Chief Financial Officers were hacked or spoofed, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations.”


Although 2016 was a banner year for ransomware, 2017 saw far fewer headlines. According to our annual Phishing Trends and Intelligence report, there were very few new threat families added or making their way around, but that is not necessarily a positive metric in itself. The market for ransomware has instead matured, which means that the more successful attacks are still pervasive, and that leaves less room for threat actors to add their own into the mix.

According to the report, “recent iterations target specific organizations and their employees, making awareness and training a critical preventative measure.” They also do not suggest paying the requested ransom, because not only is there no guarantee of information retrieval, but having a backup of your information would already solve the issue.

Phishing Will Remain a Threat

Regardless of the delivery medium, the size of your screen, or the messaging involved, phishing is not going away. The IC3 report is just one of many sources of data that highlight why one of the oldest digital attack vectors, phishing, continues to be wide reaching and costly for both consumers and the enterprise. The security industry has benefited from technology that reduces the impact of phishing; however, training is still the most effective method for reducing the damage done.

*** This is a Security Bloggers Network syndicated blog from The PhishLabs Blog authored by Elliot Volkman. Read the original post at:
