FBI Logs Rapid Increase in Email Scams, Investment Fraud

The FBI reported complaints concerning online scams and investment fraud have now reached a record-breaking level.

The FBI’s Internet Crime Complaint Center (IC3) received its six millionth complaint on May 15, 2021. It took nearly seven years for the IC3 to log its first million complaints, but only 14 months to add the most recent million.

According to the agency, annual complaint volumes increased by close to 70% between 2019 and 2020. The most common crimes reported were phishing scams, schemes relating to non-payment or non-delivery and extortion attempts.

The report noted that business email compromise (BEC) scams, romance and confidence schemes and investment fraud were all leading financial loss attacks.

“Attackers know that if they’re able to compromise an individual’s account or device through a personal channel, they could gain access to corporate data stored on the device or that the device is connected to through tools like VPN,” said Hank Schless, senior manager of security solutions at Lookout. “Organizations need to ensure that no unauthorized users can gain access to their infrastructure.”

Hybrid is Here to Stay

Schless pointed out that even as parts of the world emerge from the pandemic and some employees start to return to the office, hybrid work is here to stay, at least in some capacity, for a long time.

“This means that employees will continue to use unmanaged or personal devices from outside the traditional corporate perimeter, which makes them very difficult to monitor for risk that might be introduced into the organization,” he said. “Employees expect to be able to access any resource from any location on any device.”

He noted that organizations with a complex hybrid infrastructure must ensure the same level of secure access to every resource, whether it lives in the cloud or on-premises.

Schless explained that while cloud apps and infrastructure are built with integrations into modern identity and access tools, lots of legacy on-premises solutions aren’t.

That means security teams need to be able to extend the security benefits of cloud-based infrastructure to on-premises resources.

John Morgan, CEO at Confluera, a provider of cloud cybersecurity detection and response, agreed organizations must also factor in that many employees are working from home.

“They can no longer simply turn around to ask others whether an email is legitimate or whether others have also received such notifications,” he said. “Most have also been educated by the organization’s IT staff to err on the side of caution. These factors all add up to the increased complaints we are experiencing today.”

Morgan said organizations should educate employees on some of the more recent tactics used in cyberattacks so that they can be extra vigilant, pointing out, for example, that the creation of a fictitious colleague via LinkedIn and other social media platforms is now a common method of attack. Creating a fictitious company to lend credibility to the attacker's claims is also not uncommon.

“In addition to phishing and other traditional attacks, organizations should update their employee education,” he said. “Employees need to adopt a culture of lower trust in digital contact and verify as much as possible before engaging. It’s the ‘how to verify’ that needs the training.”

Joseph Carson, chief security scientist and Advisory CISO at ThycoticCentrify, said employees continue to fall for phishing and other online scams because the emails look so authentic and it is difficult to tell the difference from the real thing.

Stopping Email Scams

However, he said there are many ways to stop these scams from being successful – the quickest being to develop better cybersecurity hygiene by educating employees on ways to detect online scams.

Another way to prevent such scams is to use a good email spam filter, which reduces the chances that a scam email reaches the employee's inbox. If an email does reach the inbox, go to the organization's official website and call the number listed there to check whether the message is authentic; do not call a number provided in the email, as it is most likely fake as well.

“Check the email sender address, rather than the display name. Also, check the email for spelling mistakes and check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links,” Carson said. “These simple tips will help employees avoid a potential cybersecurity nightmare for their organization.”
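The two checks Carson describes, comparing the real sender address with the display name and looking at where a link actually points before touching it, can be done statically over a raw message. The script below is an added example written for this article, not code from the article, the FBI or any of the vendors quoted; the sample message, its domains and the organization's own domain (ORG_DOMAIN) are constructed for illustration. It does not attempt the spelling check, which is best left to the reader.

```python
"""Static phishing checks mirroring the article's advice: compare the sender
address with the display name, and compare each hyperlink's visible text with
its real destination, without clicking anything.

Added example, not code from the article or its sources. The sample message,
every domain in it and ORG_DOMAIN are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the display name impersonates the company's own address,
# while the real sender and the link target sit on an unrelated domain.
SAMPLE_EMAIL = """\
From: "it-support@example-corp.com" <alerts@mail-verify.example>
Subject: Action required: verify your mailbox
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is almost full. Click the link below to keep your account active.</p>
<p><a href="http://example-corp.com.mail-verify.example/login">https://portal.example-corp.com/login</a></p>
<p>Or call 555-0100 (constructed number) with any questions.</p>
</body></html>
"""

ORG_DOMAIN = "example-corp.com"  # assumed: the domain the reader's organization really uses
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.IGNORECASE)


def in_org_domain(host, org_domain=ORG_DOMAIN):
    """True only if host is the org domain or a genuine subdomain of it.
    A host such as 'example-corp.com.mail-verify.example' does not qualify."""
    host = host.lower().rstrip(".")
    return host == org_domain or host.endswith("." + org_domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(from_header):
    """Flag a display name that shows a different domain than the real address,
    and a real address that is outside the organization's domain."""
    findings = []
    display_name, real_addr = parseaddr(from_header)
    real_domain = real_addr.rpartition("@")[2].lower()
    shown = DOMAIN_RE.search(display_name)
    if shown:
        shown_domain = shown.group(0).rpartition("@")[2].lower()
        if shown_domain != real_domain:
            findings.append(f"display name shows {shown_domain} but sender is {real_domain}")
    if not in_org_domain(real_domain):
        findings.append(f"sender domain {real_domain} is outside {ORG_DOMAIN}")
    return findings


def check_links(html_body):
    """The 'hover over the link' check, done statically: flag links whose visible
    text names one host but whose href goes to another, and links leaving the org."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target_host = urlsplit(href).hostname or ""
        shown_host = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and shown_host.lower() != target_host.lower():
            findings.append(f"link text shows {shown_host} but points to {target_host}")
        if not in_org_domain(target_host):
            findings.append(f"link target {target_host} is outside {ORG_DOMAIN}")
    return findings


def analyze(raw_message):
    """Run both checks over a raw RFC 822 message and return all findings."""
    msg = message_from_string(raw_message)
    return check_sender(msg["From"]) + check_links(msg.get_payload())


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the constructed sample, analyze() reports four findings: the display-name domain differs from the sending domain, the sender is outside the organization, the link text names a different host than the href, and the link target is outside the organization. The subdomain test in in_org_domain is what catches the "example-corp.com.mail-verify.example" trick, where the familiar name appears at the front of a host that belongs to someone else.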

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
