
FBI’s IC3 Report: Losses from Cybercrime Surpass $12.5 Billion—a New Record 


The 2023 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) is out. And for defenders, it’s a troubling read. The FBI saw only a minor uptick in reported cybercrime complaints last year from the American public. On the surface, this seems like positive news. There were only 79,474 more complaints filed than in 2022. However, that total is much more significant when you consider the potential losses from cybercrime. Losses surpassed $12.5 billion last year, a 22% increase from 2022 and a new record high. 

That staggering figure is part of a far more complex story about cybercrime in 2023. The report notes that: 

  • Investment fraud losses surged, jumping from $3.31 billion in 2022 to $4.57 billion in 2023—a 38% increase 
  • Business email compromise (BEC) cases were a top concern, with 21,489 complaints and adjusted losses exceeding $2.9 billion—up 7.4% from 2022 
  • The allure of cryptocurrency played a pivotal role in both investment fraud and BEC incidents 
  • Tech support scams were the third-costliest cybercrime category among the crime types that the IC3 tracks 

In this post, we will examine these trends in more detail. And we will explain how Proofpoint can help businesses improve their defenses and meet these threats head-on. 

Figure 1

Complaints and losses from cybercrime reported over the last five years. (Source: FBI’s IC3 2023 Internet Crime Report.) 

The rise of investment fraud 

Investment scams have become the most reported and costliest type of crime that the IC3 tracks. In these scams, bad actors lure victims with promises of big returns on investments. Attackers have been targeting cryptocurrency investors, in particular.  

The rise of this fraud highlights why due diligence and user self-awareness are so important. Users need to think twice and use caution when they are approached with investment opportunities, especially those that relate to cryptocurrencies.

Figure 2

Investment fraud losses reported over the last five years. (Source: FBI’s IC3 2023 Internet Crime Report.) 

An escalation in BEC threats 

BEC is the second-most prevalent cyberthreat highlighted in the latest Internet Crime Report. The actors behind these scams aim to deceive users and businesses into making unauthorized fund transfers or divulging corporate information. These attacks involve sophisticated tactics like: 

  • The compromise of legitimate business email accounts 
  • Social engineering attacks 
  • Impersonation scams 

As more people use cryptocurrency exchanges and rely on third-party payment processors, it’s increasingly important to stop BEC threats before they reach users. There is also a pressing need for automated remediation and heightened user vigilance to protect against these threats. 

Vulnerable populations at risk for impersonation scams 

The FBI’s IC3 reports that impersonation scams led to over $1.3 billion in losses last year. To carry out these scams, bad actors use deceptive tactics, like directing victims to send cash through shipping companies or online wire services. 

Adults over the age of 60 accounted for half of tech support scams last year. This amounted to $3.6 billion in losses. Individuals 30-39 years old were most likely to report these incidents to the FBI’s IC3. 

The prevalence of impersonation scams underscores the need to raise awareness among the vulnerable populations that are targeted by attackers. Understanding this risk will help them to be more wary and avoid becoming victims. 

Ransomware attacks 

Ransomware attacks encrypt data and cause service disruptions and financial losses. They are also a persistent threat. The FBI’s IC3 received over 2,800 complaints about this attack type last year. Reported losses from these incidents exceeded $59.6 million—an 18% increase from 2022.  

To understand just how costly these attacks can be, consider the plight of MGM Resorts. In September 2023, a targeted ransomware attack cost the entertainment giant over $100 million. MGM Resorts’ filing with the Securities and Exchange Commission notes that its losses included $10 million in one-time consulting cleanup fees. Ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat, claimed responsibility for this attack.  

Also concerning is attackers’ focus on critical infrastructure sectors. Ransomware attacks affect 14 of 16 sectors tracked by the IC3, including healthcare and energy. The rise of ransomware variants that target critical infrastructure highlights the urgent need for more robust cybersecurity measures and incident response protocols. Recent ransomware attacks on critical infrastructure include the ESXiArgs attacks on VMware ESXi servers and the NCR Aloha POS terminals that were disabled by a BlackCat attack.

Adversaries are always adapting their strategies. Not surprisingly, the FBI’s IC3 reports new and creative techniques in the ransomware space. This includes: 

  • Using multiple ransomware variants that target the same victim 
  • Threatening data destruction to intensify pressure on victims during negotiations  

Threat actors add an extra sense of urgency to ransomware attacks when they require payment by a specific date and time. For example, Jigsaw is a ransomware program that gained notoriety for its approach to extorting payment from victims. The program includes a timer that counts down and deletes files if the ransom is not paid on time.

Phishing still reigns supreme 

Phishing was once again the top cybercrime type. The report noted that there were 298,878 phishing complaints in 2023. That’s 5.35x more than the next largest attack type.  

Last year, attackers deceived their victims with a variety of tactics, like vishing, smishing and pharming. Telephone-oriented attack delivery (TOAD)—a form of phishing—was also popular. Proofpoint research conducted for our 2024 State of the Phish report found that malicious actors made 10 million TOAD attempts last year. These attackers compromise security as well as steal funds. 

Figure 3

A comparison of the top five crime types over the last five years. (Source: FBI’s IC3 2023 Internet Crime Report.) 

People protection with Proofpoint 

The findings in the FBI IC3’s 2023 Internet Crime Report make clear that businesses need to prioritize fortifying their cybersecurity defenses. Doing so will help them to face known and emerging threats more effectively—and with greater confidence. 

One critical step that they can take is to adopt comprehensive email security. Proofpoint offers advanced technologies to help businesses: 

  • Counter BEC attempts through artificial intelligence-driven predelivery detection and blocking 
  • Identify users designated as Very Attacked People™ and stop impersonation scams  
  • Detect and block known and emerging ransomware attacks  

By implementing these measures and training users to stay vigilant, businesses can better safeguard their assets, data and reputation in an increasingly hostile digital landscape. 

To learn more about Proofpoint Threat Protection, download this solution brief. And to find out how Proofpoint can help mitigate impersonation risk, check out this brief.