The $4.2 billion cybercrime tsunami requires a new security strategy

Cybercrime complaints exploded last year during the pandemic. New technology can help.

By Chris Crellin, senior director of product management, Barracuda MSP

The FBI Internet Crime Report for 2020 was released earlier this year, and the news was grim. As expected, the ongoing pandemic, political instability, and sudden shift to remote and home-based work caused a significant spike in cyberattacks.

According to the report, cybercrime complaints are rising steeply: the FBI recorded a whopping 69 percent increase in total complaints compared to 2019. Financial losses due to these attacks exceeded $4.2 billion.

Business email compromise (BEC) attacks continue to surge and remain the costliest of attacks. Average losses were $90,000 per complaint, but individual instances resulted in millions in losses. Phishing scams were also prominent: 241,342 complaints, with adjusted losses of over $54 million. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, per the report.

With the rise in BEC attacks and sophisticated phishing scams related to the pandemic, MSPs and VARs in the tech sector will need to offer customers new and more advanced tools to help protect their data and applications, along with training and resources to recognize these new types of attacks.

BEC and EAC Attacks: More Common Occurrences, More Costly Consequences

According to the report, there were a record number of BEC and email account compromise (EAC) complaints related to the use of identity theft and funds being converted to cryptocurrency. “In these variations, we saw an initial victim being scammed in non-BEC/EAC situations to include extortion, tech support, romance scams, etc., that involved a victim providing a form of ID to a bad actor. That identifying information was then used to establish a bank account to receive stolen BEC/EAC funds and then transferred to a cryptocurrency account,” the report said.

Unsurprisingly, COVID-related scams were also rampant in 2020. The FBI received more than 28,500 COVID-19-related complaints last year. Barracuda previously reported a 667 percent increase in COVID-related phishing schemes between January 2020 and the end of February 2020.

Fraudulent unemployment applications received a lot of publicity, along with loan fraud schemes targeting funds from the CARES Act. There were also COVID vaccine schemes that used spear-phishing approaches to trick victims into sharing personal or financial information. 

“As the response to COVID-19 turned to vaccinations, scams emerged asking people to pay out of pocket to receive the vaccine, put their names on a vaccine waiting list, or obtain early access. Fraudulent advertisements for vaccines popped up on social media platforms or came via email, telephone calls, online, or from unsolicited/unknown sources,” the report said.

New Approaches to Protection

The increase in attacks, particularly BEC attacks, has gone from a wave to a tsunami over the past 12 months. For VARs and MSPs, traditional security methods are no longer sufficient to protect their clients (and themselves). The frequency of these email-based scams is simply too high, and they are increasingly designed to get around email security approaches that focus on malicious links and attachments. A multi-pronged approach will be necessary.

First, offer clients regular security training to improve awareness of these threats among the IT team and other employees. The training should include updates on emerging threats so that users know how to spot a phishing email or BEC attack, and more importantly, what to do when they see one. Attack simulations can reinforce this training and identify the employees who are most in need of additional training. This can be a critical value-added service.

Provide email security solutions that go beyond traditional firewall and blacklisting approaches. Invest in email security that leverages machine learning to evaluate communication patterns and spot malicious emails, including ones designed to avoid detection and fool recipients. These systems get smarter the longer they’re in place and provide a high level of automation.

Finally, help clients set up internal policies that can help prevent fraud. If there are policies in place that govern how employees share data, financial information, and other assets, the risk of a breach is significantly reduced—even if a malicious email does get through or an email account is compromised. Require multiple authentication levels and authorization to release documents or financial transfers (electronic, in person, and over the phone). This can help employees reduce their chances of inadvertently falling for one of these well-designed scams.

With the pandemic still causing shutdowns around the world, we are likely to remain vulnerable to the types of attacks that have emerged. VARs and MSPs can help clients ensure that their networks are protected in this uncertain environment with strong cybersecurity policies, training, and technology.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.