FBI Releases 2007 Internet Crime Report

Last week the FBI released its Internet Crime Report for 2007, and there are some interesting trends when comparing this report to the past couple of years. 

Total monetary loss as a result of internet crime continues to increase.  Between 2005 and 2007 total loss from cases of fraud went from just over $185M to over $239M.  That's an increase of 30% over two years! 

So, what constituted these losses? 
According to the report Financial Institutions Fraud has increased over 400% as a percentage of total complaints received) between 2005 and 2007 from 0.5% of complaints received to 2.7%.  Computer fraud also substantially increased as a percentage of overall complaints during that same time frame (1.4% to 5.3%).   Almost a  300% increase!

That's interesting in and of itself, but how does it translate to real dollars? 

As one might expect (lack of education on the threat, perhaps?), the types of fraud that generated the greatest amount of loss per complaint were actually some of the least prevalent types.  In 2005  and 2006, Nigerian Letter Fraud didn't even appear in the top 10 list of types of fraud, however it topped the list of loss per complaint at $5,000 and $5,100 respectively.  Compare that to 2007, where it cracked the list at number 10, but accounted for the third highest loss per complaint at $1,922.  Auction Fraud, which was the most common fraud complaint for all 3 years had consistently one of the lowest loss/complaint numbers ranging from $385 (2005) and $602 (2006).  Thanks to the increase of stock pump and dump scams investment fraud topped the 2007 list at $3,547 per complaint!  Interestingly though, despite the amount of attention and press that these scams have received over the past year and a half investment scams still didn't crack the top 10 complaint percentage list.

How people were contacted in order to be defrauded stayed pretty static between 2006 and 2007 with email leading the charge at just under 74% for both years.  Where the report shows movement, however is in the increase of the web and phone (vishing) being used as a more frequent vector of communication with victims.  In 2005, the internet and telephone accounted for 16.5% and 4.5% of communication vectors, respectively.  In 2006 and 2007 those numbers were in the low to mid 30s for the internet and around 18% for telephone.

So, if you're still with me these obviously are a lot of stats, but what does it all boil down to? 

What this outlines, among other things, is the constantly changing threat landscape and that the least seen threats are the most dangerous.  As such, it is important to not only educate yourself, but educate your organizations as to the types of threats that are out there.  Make sure they also know what is real and what is not.  There are so many virus hoaxes, some several years old, that still make the rounds on a regular basis that it is easy to see how people either get confused as to what is viable and what isn't, and why others think that internet threats are just the industry crying wolf in an attempt to get people to continue to buy product.  It is these types of threats that have also caused a serious drop in consumer confidence in some brands to the point where many users have developed an aversion technique to any email or correspondence from them because they have a hard time determining whether the message is a scam or not.  This loss of confidence has caused a serious problem for when these brands actually do send out legitimate mail because their response rates have suffered.

Is there an answer? 

Many solutions have been on the table for quite some time between email authentication technologies like SPF/Sender ID and DomainKeys Identified Mail (DKIM), botnet detection technologies, and brand protection companies who (among other services) monitor for look alike domains being registered that are intended to look like common brands to be used in phishing campaigns.  Unfortunately, at this point so much social damage has been done to these brands because they are so frequently targetted for phishing and other fraud campaigns that restoring consumer confidence is an extremely difficult mountain to climb.  I'm not saying that it can't be done, but I am saying that the cyber criminals act much quicker than some of these technologies can react and that doesn't appear to be changing anytime soon.