The Federal Bureau of Investigation said it received more than 241,000 complaints about phishing attempts during 2020, a marked increase from the previous year, as hackers zeroed in on concerns about the coronavirus pandemic and attempted to exploit widespread remote working.
Although losses from phishing were down in 2020, at $54.2 million compared with $57.8 million in 2019, the number of reports surged by more than 126,000, the FBI said in an annual report from its Internet Crime Complaint Center, or IC3, published Wednesday. Total complaints across all categories rose by 69%, the FBI said, reaching a record 791,790.
“These criminals used phishing, spoofing, extortion, and various types of Internet-enabled fraud to target the most vulnerable in our society—medical workers searching for personal protective equipment, families looking for information about stimulus checks to help pay bills, and many others,” the FBI said in the report.
Hackers have used a range of strategies to exploit Covid-19 concerns. Early last year, individuals and companies received emails pretending to be from the World Health Organization that led to websites laced with malware. Other scams since have focused on unemployment benefits and business loans made available as part of government pandemic response efforts, the FBI said.
Around 28,500 complaints that the IC3 received were directly related to these issues, it said.
Email phishing attacks, and similar methods that use text messaging and other communication technologies, usually attempt to trick users into divulging sensitive personal, professional or financial information, or to click on links that contain malware.
Part of the reason for their effectiveness, said Justin Albrecht, security intelligence engineer at San Francisco-based security company Lookout Inc., is due to an increased reliance on mobile devices during pandemic restrictions for shopping, banking and other tasks.
“It’s harder to spot a phishing attack on mobile than it is on a desktop. Since mobile devices have smaller screens and a simplified user experience, people are less inclined to verify the sender’s real email address or identity,” he said.
Successful phishing attacks don’t just stop with the victim, he said, but are then often used to launch more complex cyberattacks, such as business email compromise, or BEC.
These attacks generated the largest losses in 2020, which the FBI said rose to $1.86 billion, from $1.77 billion in 2019. BEC attacks involve a hacker gaining control of legitimate email accounts to steal company funds or launch other cyberattacks.
“BEC is not getting the attention it deserves. With an adjusted loss of approximately $1.8 billion from only reported BECs, this type of crime presents one of the most significant risks to businesses today,” said Rick Holland, the chief information security officer at San Francisco-based cybersecurity firm Digital Shadows Ltd.
As long as internet connections and devices proliferate, without consumer street smarts to match, I fear these reports won’t improve.
Security companies whose technology intercepts such attacks say that the FBI figures make for sober reading, but also expressed frustration that simple attacks such as phishing still appear to be succeeding widely.
“What does surprise me is that we have not adequately addressed this epidemic,” said Setu Kulkarni, a vice president at application security company WhiteHat Security Inc., based in San Jose, Calif. “This is no longer limited to a section of technology users—with the pandemic, everyone virtually is a technology user.”
More work needs to be done by governments and technology companies to raise awareness about cybersecurity best practices, and to educate the general public about the threats they face from hackers, said
president and chief executive at San Jose-based cybersecurity firm Vectra AI Inc.
“As long as internet connections and devices proliferate, without consumer street smarts to match, I fear these reports won’t improve,” he said.
Write to James Rundle at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8