The FBI Internet Crime Complaint Center (IC3) released their annual report. Overall, the statistics and trends are pretty much what we would have expected to see from reading the news every day. Complaints about crime increased year over year for the past 5 years, with the most significant increase in number of reports occurring in 2020. And unsurprisingly, the cost of crime each year also increased year over year.
There are so many statistics in the report (pdf) that bear further scrutiny and discussion, but for now, consider one more overview table from the report: crime types by victim count. This year, extortion was the third most common crime type reported at 76,741 reports. That number is nearly double the number of extortion incidents that had been reported in 2019, but significantly, the reported cost of extortion crimes (not depicted in the table below, but provided in another table in the report) shows that the cost of extortion cases has decreased significantly year over year for the past three years. Are more victims refusing to pay extortion, resulting in lower demands or lower totals?
What may appear surprisingly low in the results below is the 2,474 ransomware incidents reported. While the costs associated with extortion decreased year over year, the costs associated with ransomware tripled from 2019 to 2020 to almost $30 million for the year. Those costs do not include all costs of an incident, but still, anyone who is aware of some ransoms in the tens of millions will be wondering how the cost for the year can be [only] $30 million.
Keep in mind that the IC3 report statistics do not include complaints to field offices — it only includes reports to the IC3. And of course, we know that many victim entities do not report their breaches at all. The report notes:
* Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.
So take their numbers on ransomware as a significant underestimate of the true number of incidents and cost.
Business email compromise continued to account for the largest number of complaints to the IC3.
You can access the full report here.