New FBI Report: $10.3 Billion Lost to Online Fraud in 2022 as Crypto Investment Scams Surge

The Federal Bureau of Investigation (FBI) has released its Internet Crime Report for 2022, revealing the top cybercrime types faced by US networks and the bureau’s efforts to combat rising threats. 

Based on information submitted to the Internet Crime Complaint Center (IC3) – a national security organization with law enforcement responsibilities – the report notes that potential losses due to cyberattacks totaled $10.3 billion in 2022, marking a 49 percent increase from 2021. This is despite the IC3 seeing a five percent decrease in scam complaints compared to 2021.  

Cybercrime 2022 Overview

The report analyzes the last five years’ worth of data (2018-2022) and lists the top five cybercrime types that resulted in the highest amount of reported losses. In ascending order, the top crime types include: 

• Tech support: These scams involve fraudsters tricking victims into believing their accounts have been compromised. Victims are then convinced into moving their funds so the fraudsters can gain control over their finances and computers. The FBI issued a warning in October 2022 about this type of fraud.  
• Extortion: The National Incident-Based Reporting System (NIBRS) defines extortion/blackmail as obtaining funds or other assets through coercive means. Various extortion tactics are used to facilitate ransomware attacks – some of which are discussed on page 13 of the report. 
• Personal data breach: Financial losses related to personal data breaches have increased each year since 2019. These scams involve the use of a computer intrusion to acquire confidential or secured information.
• Non-payment/non-delivery: Prevalent during holiday seasons, these scam types involve a buyer either paying for goods without receiving them or receiving goods without having paid. The FBI issued a warning related to these cyber scams in December 2022. 
• Phishing: Designed to trick victims into providing information to criminals that they shouldn’t have access to, phishing scams were recorded as the cybercrime type responsible for the most financial losses each year since 2020.

Within these crime types, the FBI highlighted four major threats: business email compromise (BEC) scams, ransomware, call center fraud, and investment scams. The total losses relating to each of these threats were:

• Investment scams – $3.31 billion
• BEC scams – $2.7 billion
• Call center fraud – $1 billion
• Ransomware – $34.3 million

Crypto Investment Fraud Rises

Of the total amount lost to investment scams, $2.57 billion was generated through cryptocurrency investment fraud. According to the FBI, this represents a 183 percent increase from 2021. Our 2023 global compliance survey echoes this growing trend, with “investment scams” topping the list of fraud types firms are most concerned about, alongside tax fraud. 

The report also highlights five common crypto investment scam variations that were heavily reported in 2022, including:

• Liquidity mining: Where victims are persuaded to link their crypto wallet to a fraudulent liquidity mining application. Scammers then extract all the funds without the victim’s knowledge or permission.
• Hacked social media: In this method, scammers hack a victim’s profile before targeting the victim’s friends and exploiting levels of trust to perpetrate a fraudulent investment opportunity.
• Real estate professionals: When fraudsters contact a real estate agent, usually offering to purchase an expensive property using cryptocurrency. Once engaged, the fraudster reveals their control of fictitious accounts that have a purported value of millions of dollars to entice the agent to engage in their investment scheme.
• Celebrity impersonation: Scammers pretend to be a celebrity and feign friendship with a victim to perpetrate a fraudulent investment opportunity.
• Fake employment: Victims apply for fake job openings at an investment firm. Instead of a job, the victims are offered investment advice. However, the investment is fraudulent and designed to steal as much money from the victim as possible.

The IC3 Recovery Asset Team (RAT) 

The report also comments on the IC3 Recovery Asset Team (RAT), noting its 73 percent success rate in freezing funds that have been stolen as the result of an online scam. In one of the two case studies presented, the report contextualizes the Financial Fraud Kill Chain (FFKC) process that IC3 RAT uses to freeze accounts. 

In September 2022, a victim from Seattle, Washington notified IC3 they had unwittingly sent $650,000 to a hacker that had posed as an investor. Following the immediate initiation of FFKC and further collaboration with the victim’s financial institution, a return of approximately $645,000 was issued.

2024 Federal Budget Proposal

The FBI’s report was published at the same time the US government released its FY 2024 Budget. Among the budget’s goals and priorities listed on pages 63 and 64, the proposed budget seeks to “advance US cybersecurity,” specifically committing to “making cyberspace more resilient and defensible.” 

The US government intends to do this by providing $98 million to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) – which was signed into law in March 2022 – and $425 million to improve the Cybersecurity and Infrastructure Security Agency’s (CISA’s) internal cybersecurity and analytical capabilities. Overall, the proposed funding for CISA has increased by $149 million from last year, bringing the agency’s total funding to $3.1 billion. 

Key Takeaways

Compliance staff should ensure they are familiar with the Financial Crimes Enforcement Network’s (FinCEN’s) guidance on how to fulfill Bank Secrecy Act (BSA) reporting requirements related to cyber events. When filing a suspicious activity report (SAR), FinCEN also reminds firms to select SAR field 42 (Cyber event) as the associated suspicious activity type. 

Additionally, compliance teams should note the joint cybersecurity advisories and alerts issued by the FBI, the Central Intelligence Agency (CIA), and the Department of the Treasury. As well as highlighting observed tactics, techniques, and procedures (TTPs), the advisories recommend implementing the following cybersecurity measures:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud)
• Prioritize remediating known exploited vulnerabilities 
• Regularly provide employees with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)  
• Regularly back up data and password-protect backup copies offline
• Enable and enforce multifactor authentication (MFA)