The digital age has brought unprecedented convenience and efficiency to the insurance and financial sectors. However, with these advancements comes the growing risk of cybercrime. The Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center (IC3) recently released its 2022 Annual Report, which provides a comprehensive overview of the current cybercrime landscape. This article delves into the key findings of the report and offers actionable insights for insurance and financial professionals to safeguard their organizations and clients.
1. What is the IC3?
The FBI Internet Crime Complaint Center (IC3) is a division of the Federal Bureau of Investigation (FBI) in the United States. The IC3 was established in 2000 to receive, review, and refer complaints related to internet crimes, such as online scams, fraud, identity theft, hacking, and other cybercrimes. The IC3 serves as a central hub for collecting and analyzing data on internet crime, and works with other law enforcement agencies to investigate and prosecute cybercriminals. The IC3 also provides resources and information to the public and private sectors to help them prevent and respond to cybercrime incidents.
2. Overview of the 2022 IC3 Report:
The IC3 Annual Report collates data on reported cybercrime incidents, highlighting emerging trends and providing a valuable resource for businesses, law enforcement, and policymakers.
You can read the full report here: https://motiva.net/ic3report/
In 2022, the IC3 received a record number of complaints, reflecting the increasing prevalence of cybercrime.
- Total complaints: The IC3 received 800,944 complaints in 2022.
- Total losses: Reported losses exceeded $10.2 billion, an increase from $6.9 billion in 2021.
3. Business Email Compromise (BEC) Attacks:
One of the most pervasive and damaging cyber threats faced by the insurance and financial sectors is BEC attacks. These sophisticated scams often involve cybercriminals impersonating company executives or trusted vendors to deceive employees into transferring funds or disclosing sensitive information.
- BEC statistics: In 2022, the IC3 recorded 21,832 BEC complaints, with total losses amounting to $2.7 billion.
- Year over year, BEC attacks and victim losses are on the rise.
- From other sources: the insurance and financial sectors account for the highest number of recorded phishing attacks.
To protect yourself, your agency, and clients from BEC scams, it’s crucial to implement a variety of preventative measures, including:
- Implement MFA to reduce BEC risk. Require multiple identification forms like passwords and security tokens to prevent unauthorized access.
- Educate employees on BEC scams. Train them to recognize suspicious emails, verify sender identity, and handle requests for sensitive information or wire transfers.
- Use email filters and spam blockers. Detect and block fraudulent emails before they reach employees. Configure tools to flag messages with common BEC scam keywords.
- Verify wire transfers. Implement verification processes for employees to confirm request legitimacy with the sender through phone or in-person to prevent unauthorized wire transfers.
- Monitor email accounts for suspicious activity. Regularly check for unfamiliar login attempts or unauthorized message forwarding to detect and respond to BEC scams.
- Implement strong password policies. Use complex and unique passwords that users regularly update to prevent brute-force attacks or password guessing.
- Conduct regular security audits. Identify vulnerabilities by reviewing security policies, training programs, firewalls, and intrusion detection systems.
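The monitoring step above (unfamiliar sign-ins and unauthorized message forwarding) is one of the few BEC indicators that can be checked mechanically. The script below is an added example, not code from the article or from Motiva Networks: it scans constructed mailbox audit events for inbox rules that auto-forward to an external domain and for sign-ins from a country the user is not known to use. The event layout, domain list, and known-country table are assumptions; the operation names are modelled loosely on cloud mailbox audit logs but the field names are not any vendor's real schema.

```python
"""Flag two BEC indicators in mailbox audit events: auto-forwarding to an
external domain, and sign-ins from an unfamiliar country. The event format
is a simplified, constructed stand-in for a cloud mailbox audit export."""
from typing import Iterable

# Hypothetical organisation domains and, per user, the countries that user
# normally signs in from (in practice built from a baseline period).
INTERNAL_DOMAINS = {"example-agency.com"}
KNOWN_COUNTRIES = {"alice@example-agency.com": {"US"}}

# Constructed sample events; "ZZ" is a placeholder country code.
SAMPLE_EVENTS = [
    {"op": "UserLoggedIn", "user": "alice@example-agency.com", "country": "US"},
    {"op": "UserLoggedIn", "user": "alice@example-agency.com", "country": "ZZ"},
    {"op": "New-InboxRule", "user": "alice@example-agency.com",
     "forward_to": "billing.backup@freemail.example"},
    {"op": "New-InboxRule", "user": "alice@example-agency.com",
     "forward_to": "bob@example-agency.com"},  # internal: should not alert
]

FORWARDING_OPS = ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")


def is_external(address: str) -> bool:
    """True when the mailbox domain is not one of our own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def find_bec_indicators(events: Iterable[dict]) -> list[str]:
    """Return one finding per suspicious event, in input order."""
    findings = []
    for ev in events:
        user = ev.get("user", "")
        if ev.get("op") == "UserLoggedIn":
            country = ev.get("country")
            if country not in KNOWN_COUNTRIES.get(user, set()):
                findings.append(f"unfamiliar sign-in: {user} from {country}")
        elif ev.get("op") in FORWARDING_OPS:
            target = ev.get("forward_to")
            if target and is_external(target):
                findings.append(f"external auto-forward: {user} -> {target}")
    return findings


if __name__ == "__main__":
    for finding in find_bec_indicators(SAMPLE_EVENTS):
        print(finding)
```

Each finding should be reviewed with the user, since both travel and legitimate forwarding to a partner occur; the point is that forwarding rules and new sign-in locations are checked routinely rather than discovered after a payment goes astray.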
4. Ransomware Attacks:
Ransomware continues to pose a significant threat to insurance and financial institutions. These attacks involve encrypting an organization’s data, rendering it inaccessible until a ransom is paid. The IC3 report highlights the growing sophistication of these attacks and the increasing amounts demanded by criminals.
- Ransomware statistics: The IC3 received 2,385 ransomware complaints in 2022, with reported losses totaling over $34.3 million.
- Top Sectors Victimized by Ransomware include Financial Services, Information Technology, Government Facilities, and Healthcare.
To help mitigate ransomware attacks and limit the damage to yourself, your agency, and clients, you need a comprehensive approach that includes, but is not limited to:
- Regularly test cybersecurity defenses, such as through penetration testing, to identify vulnerabilities and weaknesses in systems and processes. In many states, cybersecurity laws require annual risk assessment tests to be performed by financial sector companies.
- Routinely back up important data to mitigate the impact of ransomware attacks. Store backups securely and test them regularly.
- Train employees to recognize and respond to suspicious emails, attachments, or links. Educate them on data security best practices, such as using strong passwords and avoiding public Wi-Fi networks.
- Regularly patch software vulnerabilities to prevent successful ransomware attacks. Have a patch management process in place to apply critical security updates promptly.
- Use anti-malware and firewall protection to prevent malicious software from infecting systems. These tools can also detect and block ransomware attacks.
- Limit access to sensitive data through access controls to prevent ransomware attacks. Only authorized personnel should access important data, and users should have access to only the information and systems they need to do their job.
- Prepare an incident response plan that includes identifying and containing the attack, restoring data from backups, and communicating with stakeholders in case of a ransomware attack.
5. Investment Scams:
The 2022 IC3 report also highlighted the increasing prevalence of investment scams targeting individuals and organizations within the insurance and financial sectors. These schemes often involve fraudulent investment opportunities, such as cryptocurrency and foreign exchange (forex) trading, with the promise of high returns.
- Investment scam statistics: The IC3 reports losses totaling more than $3.31 billion in 2022.
- Cryptocurrency-related scams: Of the total investment scam losses, $2.57 billion were related to cryptocurrency investment scams.
Here are some actionable items to protect yourself, your agency, and clients from investment scams:
- Conduct thorough due diligence before investing. Research the investment and the platform offering it, including the company or individual behind it, their track record, and any past legal or regulatory issues. Verify the platform’s registration and regulation by relevant authorities.
- Be skeptical of unrealistic promises. Every investment carries some degree of risk, and there are no guarantees in the market.
- Verify the legitimacy of investment platforms. Check if they’re registered with relevant authorities like the SEC. Ensure their website is secure and has a physical address and phone number you can contact.
- Stay educated on investment scams and how to recognize them. Attend seminars or workshops and keep up-to-date with news and regulatory changes.
- Consult with a licensed and reputable financial advisor before investing. They can help evaluate investment opportunities and identify potential red flags.
- Avoid high-pressure sales tactics used to create a sense of urgency and manipulate you into hasty decisions.
- Report suspicious activity to the appropriate authorities, such as the SEC, FINRA, or your state securities regulator, if you suspect you are the victim of an investment scam or witness suspicious activity.
6. Call Center Fraud:
Cybercriminals often target individuals who may be less technologically savvy or older.
- In 2022, over $3.1 billion was lost by victims over 60 years old.
- Total losses across all age ranges amounted to over $10.3 billion in 2022.
- Over 2,000 complaints were received daily.
Common tactics: Scammers use various methods to defraud individuals, including romance scams, tech support fraud, and government impersonation schemes.
Protecting yourself, clients, and loved ones from call center fraud requires a combination of awareness, education, and skepticism. Here are a few actionable items to help:
- Raise awareness to combat call center fraud. Spread the word to help people recognize and avoid fraudulent calls.
- Educate seniors on potential scams. Teach them to be wary of unsolicited calls, emails, or text messages. Encourage them to verify the caller’s identity before giving out any information.
- Report suspected call center fraud to the authorities immediately. Prompt reporting can help prevent others from becoming victims.
- Verify callers before providing personal information or money. Ask for the caller’s name, company, and phone number. Verify their identity by calling back on a trusted number or contacting the company directly.
- Be skeptical of calls or messages that seem too good to be true or threaten negative consequences. Reputable organizations won’t ask for personal information or money over the phone.
- Keep personal information private. Avoid sharing sensitive information over the phone, email, or text.
7. Countries – The Top 20 International Victim Countries
8. States – The Top 10 States By Number of Victims
9. States Cont. – The Top 10 States by Victim Loss
10. Crime Types
According to the FBI IC3 2022 Report, the top crime types by victim count include:
- Phishing: A form of social engineering that involves the use of fraudulent emails, text messages, or phone calls to trick individuals into providing sensitive information or downloading malware.
- Data Breaches: A security incident in which sensitive, protected, or confidential data is accessed, stolen, or used by an unauthorized individual or group.
- Non-Payment/Non-Delivery: A type of online scam in which a seller receives payment for goods or services but fails to deliver them to the buyer.
- Extortion: A criminal activity in which an individual or group threatens to harm a person or organization unless a ransom or other demand is met.
- Tech Support: A scam in which fraudsters pose as tech support representatives and trick individuals into paying for unnecessary computer or software repairs or providing remote access to their computer.
- Identity Theft: A type of fraud in which someone uses another person’s personal information, such as Social Security number or credit card details, without permission to steal money or gain other benefits.
- BEC (Business Email Compromise): A type of scam in which criminals target businesses by posing as an employee, vendor, or other trusted party and request wire transfers or sensitive information.
11. State Statistics
The IC3 annual report details the number of victims per state, across all 50 states and outlying islands.
12. State Statistics Cont.
13. Cybersecurity Compliance and Laws Commentary
The FBI’s IC3 2022 Annual Report highlights that California, Florida, New York, and Texas are among the top states for cybercrime and victim loss for several reasons. These states have large populations, including large older populations, making them attractive targets for cybercriminals. They also have highly developed technology industries and are major economic centers with many businesses and financial institutions, providing more opportunities for cybercriminals to steal sensitive data or funds.
New York, for example, is a global financial hub, with many of the world’s largest banks and financial institutions based in the state. New York has responded to the increased threat of cyber-attacks by enacting several cybersecurity and data privacy laws, including the New York State Department of Financial Services (NY DFS) Cybersecurity Regulation, which requires financial institutions to implement robust cybersecurity programs and protections and to report cyber incidents to the NY DFS. Because of its comprehensive scope, the NY DFS regulation is quickly being adopted as the standard across other states.
In addition to cybersecurity and data privacy laws and regulations, there are also penalties for data breaches and cybersecurity compliance failings for financial and insurance institutions. These penalties can include fines, legal action, and reputational damage.
For example, the NY DFS Cybersecurity Regulation includes penalties for non-compliance, including the suspension or revocation of a financial institution’s license or charter, fines, and other legal action.
At the federal level, the Federal Trade Commission (FTC) Safeguards Rule requires financial and insurance institutions to implement comprehensive information security programs to protect clients’ personal information. This rule applies to all financial institutions under the FTC’s jurisdiction, including banks, credit unions, and non-bank financial institutions.
Under the Safeguards Rule, financial institutions must develop, implement, and maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the sensitivity of the client information it collects. The program must be regularly monitored and tested to ensure its effectiveness, and employees must be trained to understand and comply with the program’s requirements.
Failure to comply with the Safeguards Rule can result in legal action by the FTC, including fines and injunctive relief. In addition, financial institutions that experience data breaches or cybersecurity incidents may face additional penalties and reputational damage.
The 2022 FBI IC3 report highlights the increasing threat of cybercrime in the insurance and financial sectors, which underscores the importance of adopting comprehensive cybersecurity measures. Professionals in these industries must remain vigilant and educate themselves and their employees about the different types of cyber threats.
The first step is to educate yourself and your employees about the different types of cyber threats and how to spot them. Implementing cybersecurity awareness training can go a long way in preventing successful attacks. Additionally, regularly updating software and operating systems can help prevent vulnerabilities that hackers can exploit.
Another crucial step is to implement strong passwords and two-factor authentication. Strong passwords should be complex, unique, and changed regularly, while two-factor authentication provides an extra layer of security. It is also essential to have a backup system in place to ensure that valuable data is not lost in the event of an attack or system failure.
Moreover, regularly monitoring financial accounts, credit reports, and online activities can help detect suspicious behavior and mitigate potential damage. It is also recommended to have a cyber insurance policy that covers losses resulting from cybercrime.
By implementing comprehensive cybersecurity measures, staying informed of emerging trends, and complying with relevant laws and regulations, institutions can better safeguard themselves and their clients from the growing menace of cybercrime.
With over 25 years of experience, we at Motiva Networks can help you plan and see if your agency’s data has been compromised with a Free Confidential Cybersecurity Risk Assessment. Or you can schedule a quick 10-minute call to discuss the best options for your Agency or small business, or go over any questions you might have HERE.