Edit: an early version of this post was published where the share of phishing reports was grossly under-reported due to me messing-up the decimal separators when handling the source data. Basically I arrived at the conclusion that phishing made 10% of reported crimes however… it’s around 45%. Oooops! The post and charts have been corrected.

While drafting a document for work regarding email scams, more specifically phishing, I came across the FBI’s Internet Crime Complaint Center (IC3) 2021 Annual Report. After looking at the numbers in there, one wonders if the old saying “crime never pays” applies to the electronic frontier.

So, let’s take a break from work and look into it. Keep in mind that since I’m looking into the IC3 report for 2021, that:

• Numbers mentioned here reflect the FBI’s jurisdiction: the United States.
• As it’s often the case with criminal activity, actual numbers could be higher (or at least different) since I’m expecting a lot of this to be under-reported to some extent, especially on cases where the victims are individuals.

You probably are familiar with the term phishing but in case you aren’t, I’ll borrow this definition from the Wikipedia page on Phishing:

Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware.

Phishing, Wikipedia.org, Retrieved: 2022-05-21, Online: https://en.wikipedia.org/wiki/Phishing

Before we begin, I’d like to state what should be obvious: that this is in no means a study nor an analysis on the results provided on the report mentioned above. I’m just looking at the numbers and taking you along for the ride.

Phishing is going strong

Internet crime has been on the rise over the last years and phishing is no exception. On 2021, the IC3 saw a 34% increase on phishing complaints alone from 2020 to 2021. Some claim that this rise in cyber-crime is related to the SARS-CoV-2 pandemic. True, a sudden shift to work-from-home operations with most organizations not being ready for it might be a contributing factor. However, criminal activity online has been on the rise since the early days of the internet.

Not only that but phishing makes a considerable chunk of internet crimes, about 45% of complaints were phishing attacks last year. This makes phishing the #1 category reported by number of complaints.

Despite being almost half of all complaints, phishing is associated to less than 1% of all reported losses. Clearly it ain’t the most lucrative of the bunch but still the losses reported for 2021 amount to $44.213.707.

I don’t know about you, but that’s some life-changing amount of money. There were however, 323.972 complaints filed under phishing. The report does not provide much more data than that, so let’s go with an average of $136 per phishing attack. That don’t impress me much, however keep in mind that some attacks might lead to stealing thousands while others nothing at all, since wire fraud might not be necessarily be the immediate goal of a phishing attack.

I went into this looking for some statistics on the damage done by phishing attacks. However, those 44 million USD are less than 1% of all the losses reported to the IC3. I wonder, what are the numbers for the top grossing crime types?

Top 10 internet crimes by losses

During 2021 the IC3 received 720.880 complaints for a total in losses of $7.789.976.708.

Here’s the top 10 internet crime type ranked by losses reported to the IC3:

# 1 – Business Email Compromise or Email Account Compromise $2.395.953.296 (30,76%)

Consists on obtaining unauthorized access to mailboxes of either organizations (BEC) or individuals (EAC). With access to these email accounts, criminals can then proceed to commit wire fraud and/or gain further access.

There were 19.954 complaints filled under BEC/EAC on 2021, for an average loss of $120.074/complaint.

# 2 – Investment $1.455.943.193 (18,69%)

Criminals trick their victims into believing they’re making an investment where in reality no investment is being made and the criminal is cashing-out. Ponzi and Pyramid schemes, which fall under this category, are illegal in many jurisdictions, including the United States. However, for some reason multi-level-marketing (MLM) schemes are still legal in most countries.

There were 20.561 complaints filed under Investment on 2021, for an average loss of $70.881/complaint.

#3 – Confidence / Romance Fraud $956.039.739 (12,27%)

A criminal tricks their victim into believing they’re relatives or into starting a long distance relationship in order to gain their trust and get them to provide with account credentials, Personal Identifiable Information (PII) or even valuable goods.

There were 24.299 complaints filed under Confidence / Romance Fraud on 2021, for an average loss of $39.345/complaint.

#4 – Personal Data Breach $517.021.289 (6,64%)

PII is stolen or leaked from a restricted location or information processing system (for example, customer credit card numbers being stolen from your ISP).

There were 51.829 complaints filed under Personal Data Breach on 2021, for an average loss of $9.976/complaint.

#5 – Real Estate / Rental $350.328.166 (4,50%)

Similar to the Investment fraud but on the real estate market.

There were 11.578 complaints filed under Real Estate / Rental on 2021, for an average loss of $30.258/complaint.

#6 – Tech Support $347.657.432 (4,46%)

Criminals pretend to work for the customer service or technical support departments of a well-known tech/software company. They usually claim there’s some issue that needs fixing and or a refund to be processed and that they need access to one or more of your devices. From there, they may trick users into providing their account credentials, performing wire-transfers and/or locking the victim devices in exchange of a ransom.

There were 23.903 complaints filed under Tech Support on 2021, for an average loss of $14.545/complaint.

#7 – Non-payment / Non-delivery $33.7493.071 (4,33%)

A criminal pretends to buy a product but does not pay the seller despite receiving the shipment (non-payment). Or, a criminal pretends to sell a product but never ships the product despite receiving the payment or ships something of less value, a counterfeit product, etc…

There were 82.478 complaints filed under Non-payment / Non-delivery on 2021, for an average loss of $4.092/complaint.

#8 – Identity Theft $278.267.918 (3,57%)

A criminal steals PII to gain control over the victim’s accounts and commit fraud either against the victim of identity theft by impersonating the victim to commit fraud to third parties.

There were 51.629 complaints filed under Identity Theft on 2021, for an average loss of $5.390/complaint.

#9 – Credit Card Fraud $172.998.385 (2,22%)

A criminal uses a credit card to transfer fraudulent funds.

There were 1.675 complaints filed under Credit Card Fraud on 2021, for an average loss of $103.283/complaint.

#10 – Corporate Data Breach $151.568.225 (1,95%)

A criminal gets unauthorized access to an organization’s sensitive or confidential information.

There were 1.287 complaints filed under Corporate Data Breach on 2021, for an average loss of $117.769/complaint.

The elderly seem to be more at risk of internet crime in general

The age group of individuals aged 60 and above takes the #1 spot both on complaints filed and reported losses.

It’s often said that the older adults are more vulnerable to scams in general, however I don’t see much difference in complaints reported to the IC3 between the 30-39 (21%), 40-49 (21%) and the 60+ (22%) age groups. The report did not however provide a breakdown of complaint type by age, so we can’t tell on this data alone if some crimes target some age groups more specifically. Despite that, it’s wildly believed that the elderly are more vulnerable to scams in general.

On the other side, when looking at the losses reported by age-group we can clearly see the elderly (60+) take a biggest slice of the pie than every other group. More losses were reported from victims on this group than from everyone under 40 combined (27%).

Edit: that last statement is clearly false, the +60 group is absolutely the most exploited compared to any other group individually. What I meant to say is that the older you get the bigger the (potential) losses. This probably has a very simple explanation. Usually the older age groups are the wealthiest ones: they are more likely to own property, have lifetime savings and hold higher positions at work when near retirement.

What can you do?

If you are (or have been) a victim of a scam

Contact law enforcement in your jurisdiction. File a report. I don’t know where you live so I can’t tell you where to go. That said, here’s some resources:

• Scams – Consumer Advice, Federal Trade Commission (US)
• Protect yourself from online scams and attacks, Microsoft
• Independent Age, a charity in the UK dedicated to the care of old people has a page on “What to do if you’ve been the victim of a scam”. As we’ve seen from the IC3 data, the elderly are the most vulnerable to scams in general.

If your credit card and/or bank account was involved, contact your bank immediately and tell them what happened.

If you granted a scammer access to any of your devices (computer, smartphone, tablet…) that system is most likely compromised. Disconnect any compromised device from the network (unplug the cable if wired, turn off the WiFi if wireless). Don’t reconnect them to the network after ensuring they’re clean (I’d personally wouldn’t trust unless disk formatted and operating system clean installed).

I’m not a victim but scammers won’t stop contacting me

If a scammer is trying to reach you, don’t engage! Ignore and move on. Report email as spam (or phishing if your email provider has a separate option). Even if you can tell its a scam and that you won’t fall for it.

Note: no matter how tempted you might be to mess with or bait them, keep in mind that “scam baiters” either work with teams of highly skilled IT professionals and/or are highly skilled themselves. Additionally, “scam-baiting” requires a lot of preparation beforehand to not get scammed, doxxed or even worse. And yet sometimes even the best get scammed. In other words, don’t try this at home.

I’m not a victim and I’d like it to keep it that way

Good. The first thing to realize is that anyone can be scammed under the right circumstances. It’s not a matter of being smart or stupid. Most scams prey on victims by pretending some urgent action needs to be taken, urging you to act before you think.

The government of Canada has made a nice info-graphic that you can refer to and share with others to raise awareness.

That said, watch for the red-flags:

• If it’s too good to be true, then it is.
• No company or bank or government will ask for credentials over email, text or phone.
• No company accepts payments using 3rd party gift cards. Period.
• Neither do courts. Or law enforcement. Or healthcare institutions. Or tax collection agencies.
• No company needs to connect to your computer to process a payment. Or a refund. Or a lottery ticket. Or the inheritance of a prince from some country far away you never heard of before.
• While we’re at it, no-one will ask a random stranger on the internet to help them transfer a huge amount of money to evade taxes. If someone has millions coming their way they can afford a special kind of magician called “accountant”.
• No corporation sends you emails from a @gmail address. Or a @hotmail address. Or an @outlook address. Or pretty much any domain that’s not the company domain.

I could go on, but scammers change their tactics as time passes, since people start catching-up with what’s going on. The best advice is to stay informed, stay aware and don’t act on impulse upon a suspicious email or phone call.

Also, take a look at some of the “scam baiters” so you can get an idea on how these scams operate and what tactics they use. My personal favorites are Jim Browning, Kitboga and Scammer Payback.

There’s also channels like Coffeezilla but he’s more into a different cup of scams, mostly cryptocurrency schemes, MLMs, NFT “rugpulls” and fake financial/trade “gurus”.

DON’T SHAME ON SCAM VICTIMS

Falling for a scam will make someone fell really powerless. All it took for them is a lapse in judgement and when they look back they can’t help but feel ashamed, especially if a lot of damage was done, monetary or otherwise.

Coming forward and accepting you were tricked into doing something harmful to yourself is really tough.

It will destroy your self-esteem. It will impact your trust in others. It will mess with your mind.

Don’t mock scam victims. Don’t shame them. Don’t say stuff like “you had it coming” because it doesn’t help anybody.

It certainly doesn’t help them, the damage is done already and they need to move forward.

It doesn’t help other victims that might not want to report the crime (and have a chance to recover assets, no matter how slim) to avoid dealing with the social pressure of being shamed.

It doesn’t help the community, as the less we talk about this, the more scammers can get away with it.

And it doesn’t help you. Don’t ever assume you’re too good to fall for it.

That’s when they get you.