FBI: A record $12.5b was lost to cybercrime in 2023

The FBI’s Internet Crime Complaint Center (IC3) has just revealed that cybercriminals hit Americans harder than ever last year, causing record losses of $12.5 billion. That’s a whopping 22% increase from 2022’s already dizzying total.

According to its latest Internet Crime Report, IC3 says it received over 880,000 cybercrime complaints in 2023, up 10% from the prior year. Both financial losses and cybercrime complaints have risen year-over-year since 2019, painting a grim picture of a threat that’s rapidly escalating.

Let’s look at the four biggest culprits according to the IC3. 

Business email compromise (BEC) scams cost $2.9b

This type of scam tactic, one that’s frequently used against finance and accounts payable (AP) teams, was the second costliest type of cybercrime. BEC scams target both businesses and individuals by compromising legitimate email accounts through hacking or social engineering tactics.

Once they gain access, fraudsters impersonate trusted vendors, executives or colleagues to trick employees into making unauthorized transfers of funds. Common BEC tactics include requests for:

• Payments to compromised vendor accounts
• Employee W-2 tax data
• Real estate transaction funds
• Large gift card purchases

Among Eftsure’s database, we’ve seen increasingly sophisticated BEC tactics, including malicious actors infiltrating both the target organization and its vendor. From there, they’ll construct lengthy, organic-looking email chains and communications. AI is turbo-charging these tactics, with invoice swapper tools helping scammers scale their efforts and complex deepfakes deceiving staff into making fraudulent payments.

In 2023, the FBI logged 21,489 BEC complaints totaling over $2.9 billion in losses. But what’s especially concerning is how tactics are evolving. Last year, scammers began dispersing stolen money through cryptocurrency exchanges and third-party payment processors more frequently. By having targeted individuals send funds directly to these platforms, the money can be quickly cashed out before theft is detected.

With BEC actors adopting these harder-to-trace methods, the FBI stresses that using multi-factor authentication to secure accounts is now vital. Organizations should also implement procedures to independently verify any payment or purchase requests outside of email. The more layers of verification you require, the lower your risks – and the right processes and tech solutions can help standardise these additional layers without compromising team efficiency or productivity. 

For instance, additional verification might include calling known or independently sourced numbers (that is, numbers that are not listed in the potentially compromised email) to authenticate requests. Other best practices include carefully examining email addresses, URLs and spelling for any red flags before clicking links or responding.

Investment fraud losses hit $4.57b

While BECs might be a more urgent risk for organizations and their finance teams, investment scams still topped the overall list as the costliest cybercrime in 2023. With crypto scams up 53% and accounting for $3.94 billion in losses, investment fraud took a massive $4.57 billion toll. Tactics like fake websites and “pump and dump” stock manipulation fueled this crime category’s 38% overall increase.

Ransomware caused more than $59.6m in losses

Ransomware remained a potent threat in 2023, with incidents rising 18% over 2022 levels according to 2,825 complaints received by the FBI. While slightly fewer cases than the peak levels seen in 2021, reported losses jumped a staggering 74% to over $59.6 million.

Ransomware is a particularly insidious form of malware that encrypts an organization’s data, rendering it completely unusable. Criminals then demand payment to provide a decryption key and restore access. Increasingly, ransomware gangs also steal sensitive data and threaten to publicly leak it if their ransom isn’t paid.

The rise in losses reflects how ruthlessly these cybercriminal groups have escalated tactics. The FBI has observed deploying multiple strains of ransomware against single victims, as well as using destructive data-wiping malware to increase pressure on organizations to pay up.

No sector was safe from ransomware’s crosshairs in 2023. Out of 16 nationally critical infrastructure categories, 14 had members hit by ransomware incidents last year according to the FBI. Some of the most prevalent strains included LockBit, ALPHV/BlackCat, Akira, Royal and Black Basta.

While $59.6 million in reported losses is staggering, it likely only scratches the surface. Many organizations choose not to disclose ransomware incidents, so the true total is almost certainly far higher.

Tech support scams stole over $1.3b from the elderly

Posing as legitimate companies, fraudsters scared victims into paying for bogus computer repair services. This widespread scheme disproportionately targeted older adults, leading to over $1.3 billion in losses.

Unreported losses and attempts: the tip of the iceberg? 

These grim totals represent only known cybercrime losses reported to the FBI – the actual scope is undoubtedly much larger. Many incidents go undetected or unreported each year.

While the losses seem bleak, there were victories too. The FBI’s Recovery Asset Team (RAT) works with financial institutions to trace and freeze funds stolen through cybercrime.

In 2023 alone, RAT recovered a whopping $50 million lost in a major BEC scam by a New York organization. They also clawed back a $426,000 BEC theft targeting a Connecticut company and froze nearly $45 million tied to various internet crimes.

Still, many losses go unrecovered, and the risks for organizations aren’t just financial. Falling victim to scams or cybercrime also carries serious operational and reputational risks, not to mention damaged relationships with customers or vendors. 

What can leaders do to lower their cyber risks?

Fortunately, there are steps leaders can take to lower those risks. There’s no single panacea, of course – in fact, leaders will need to look for multi-faceted solutions that encompass everything from the right culture to the right processes. In general, there are three main areas to consider. 

1. People. Are your staff trained on the latest threats and scam tactics? Do they practice good security hygiene, such as using multi-factor authentication? Are you fostering a culture in which people feel free to ask questions when an email sounds dodgy, or even slow down a process when something feels amiss? Almost every single cybercrime tactic relies on human fallibility – so executives should be looking to arm their people with the best knowledge and support, as well as building up stronger protections around the staff who have greater access to sensitive data or processes. 
2. Processes. Even if your control procedures are robust, cyber threats are constantly evolving and malicious actors are always looking for ways to undermine existing processes. Pressure-testing can help you understand where your biggest vulnerabilities might be and prioritise updates. 
3. Technology. Cybercriminals are notorious for finding new and creative ways to apply the latest technology in nefarious ways. Don’t let them keep the upper hand – routinely reassess your tech stack and remember that cyber threats are multi-faceted. That requires multi-faceted, layered tech solutions that don’t depend on a single platform or system to be the final guardrail against fraud or cyber attacks. 

Want to protect your business from cybercrime?

Check out our free resource for finance leaders, The Cybersecurity Guide for CFOs, which will help you understand emerging threats and defend your money against cybercriminals. 

Download Now