The True Cost of Online Crime
Has the FBI underestimated the financial impact of the fastest-growing crime wave of the digital age?
Originally published in May 2016 on Huffington Post.
You can’t believe everything you read on the Internet. That’s a lesson I learned long before testifying in 2000 at the trial of a man who’d sold 10,000 fake luxury goods through a website, including counterfeit Rolex, Cartier, and Movado watches. I am a private investigator in New York. He later became the first criminal ever convicted on federal charges of selling counterfeit merchandise online. He certainly wasn’t the last. This week the FBI’s Internet Crime Complaint Center (IC3) released its annual report, tallying record-setting losses of $1 billion reported by 288,000 consumers in 2015. The IC3 notes that less than 15 percent of fraud victims report their crimes to law enforcement. Unfortunately, these numbers are not even close to describing the true extent of the problem.
The Internet Crime Complaint Center (IC3) is a multi-agency task force formed partnership by the FBI and the National White Collar Crime Center (NW3C). It serves as a central repository for receiving and reviewing cyber-crime complaints, referring them for further investigation and prosecution. That’s how it’s supposed to work.
Many people approach my investigative firm after already reporting the crime to IC3 and receiving no response. I receive dozens of inquiries each year from people reporting romance scams, cyber-bullying, phishing attacks, online auction fraud, child pornography and other Internet-based crimes. In one case, a woman in the Midwest reported losses of $230,000. She believed she’d made a series of legitimate loans to the offshore oil business of a Florida businessman she’d met at a dating site - when in truth she had been victimized by an organized crime gang in Africa. Her six-figure losses were nearly 30 times higher than the average loss ($8,421) reported last year to IC3, but she never received a follow-up call or any notification from law enforcement indicating that they were investigating - or were even interested in - her claim.
The FBI describes IC3 as the “front door” for reporting Internet crime. My client knocked, and waited, but it seemed nobody was home. Fewer people will bother reporting crimes to IC3 in the future unless they have reason to believe law enforcement will take action on their behalf. The FBI appears to finally be taking steps to address this deficiency when it launched ‘Operation Wellspring’ with a single Cyber Task Force (CTF) in Salt Lake City 2013 to integrate state and local officers into Internet-facilitated criminal cases that do not meet thresholds for federal prosecution. The operation has expanded to eight FBI field offices, but that still leaves 48 field offices without equivalent capabilities.
In terms of broader analyses, there are serious shortcomings in relying on self-reported complaints to describe the full extent of online crime, because many victims don’t realize they have been attacked. Even if they do recognize something is wrong - an unauthorized charge on their credit card, for example - they often can’t connect the dots to determine if the original exploit occurred on the Internet. They don’t know how their bank records were compromised, their identities stolen, their healthcare records leaked.
Consumer-focused crimes like advance-fee frauds, fake lotteries, and social media scams are rampant. Yet the most serious Internet crime does not focus on specific individuals: it focuses on high-value corporate and government targets containing aggregated data on millions of people. At insurance giant Anthem, for example, hackers used a stolen password to steal 78 million records in 2015. In prior years, well-publicized breaches at Target and Home Depot compromised more than 90 million credit and debit card accounts; an attack at JPMorgan Chase & Co. affected financial accounts of 76 million households; and personal data on up to 145 million people was stolen from eBay. Nearly half (47%) of all U.S. residents had their personal information compromised in 2014 as a result of these kinds of mega-breaches, according to one study.
By now, you’ve probably received an apologetic form letter from some data-looted corporation. Today’s post-intrusion protocol usually involves mailing out a few million mea culpas with an offer of free credit-monitoring services. Yet people who’ve been duly advised they are potential victims of a malicious corporate intrusion don’t step forward to re-report these crimes to IC3, which means they are not counted in the organization’s annual report.
There are other conspicuous omissions from the IC3 report, which does not mention exploits of government systems. In 2015, the Internal Revenue Service (IRS) paid $3.1 billion in fraudulent tax returns due to identity theft, after cyber-criminals accessed 390,000 taxpayer accounts through an unsecure IRS web portal. In a separate incident, confidential information on 21.5 million federal employees was stolen - including fingerprints of 5.6 million people, many with secret clearances - after a malware attack allowed hackers to open a backdoor into the network of the Office of Personnel Management (OPM). The labor union American Federation of Government Employees filed a class action suit against the OPM for $1 billion, but so far, there has been no final accounting of the financial losses related to the OPM attack. For a problem of this magnitude, it is almost impossible to predict what price the nation will ultimately pay. Yet clearly there’s been no attempt to factor these attacks on the government into the IC3 accounting - we don’t even get a guesstimate.
There were at least 780 publicly reported data breaches in the U.S. in 2015, exposing 169 million records. The biggest breaches were directly attributed to hackers. By that basis, IC3 data - with 288,000 total complainants - represent less than 0.2 percent of all incidents and victims. That’s probably still far too generous, since most breaches are never reported. The IC3 group is not a representative sample, which makes it effectively useless for identifying the most significant threats and trends.
The FBI is certainly aware of these breaches and their broader implications. Successful and sophisticated investigations by the FBI Cyber Division have led to numerous convictions of hackers and the Bureau actively pursues perpetrators of other Internet-facilitated crimes such as economic espionage, state-sponsored attacks, and online recruiting by terrorist organizations. They recognize that much of online crime is organized crime, and requires the kind of sophistication, resources and dedication that were once used to disrupt and dismantle the Mafia.
Cybercrime costs the United States more than $110 billion each year according to analysis by the Center for Strategic and International Studies. This emerging criminal industry - which didn’t even exist 25 years ago - has already grown larger than the illegal market for cocaine, heroin, marijuana, and methamphetamine. Drug enforcement has its own federal agency, countless task forces and undercover operations at the state and local level, and a combined policing budget in the billions. When are we going to get equally serious about online crime?
By focusing solely on self-reported complaints from consumers, IC3 delivers a skewed assessment of threat levels, and fails to provide a meaningful, integrated perspective on these troubling trends. It’s time to stop counting all the hoodwinked consumers - and start giving a real assessment and true accounting of the fastest-growing crime wave of the digital age.
About the Author: John Powers is president of Hudson Intelligence, a private investigation agency specializing in financial crimes.