Cybercrime cost US businesses and individuals alone $3.5 billion (£2.6 billion) in 2019, according to the FBI’s annual Internet Crime Report.
The figures are based in part on the agency’s Internet Crime Complaint Center (IC3) data — which received an average of 1,300 complaints every day.
The FBI found that the attacks that cost businesses the most were business email compromises (BEC) and confidence fraud. BEC attacks last year resulted in 23,775 complaints to the office and cost organisations more than $1.7) billion.
(Its recently launched IC3’s Recovery Asset Team, which assists in recovering funds for victims of BEC schemes, has now helped recover $300 million, boasting a 79 percent return rate of reported losses in its inaugural year, the FBI said).
Yet other analysis suggests cybercrime cost to businesses is stunningly higher than these estimates, which rely on data for incidents reported to law enforcement. Recovery of $300 million, ultimately, is likely to be the tip of a much larger iceberg.
Emsisoft Analyis: Ransomware Alone Netted Cybercriminals over $1 Trillion
A new report by New Zealand-based security firm Emsisoft estimates that ransomware alone cost the UK $1.8 billion in 2019 and the US a stunning $9 billion.
With accurate assessments exceptionally hard to make, owing to how tightly businesses guard ransomware incidents and their responses, the security firm admits that its analysis may “significant over- or underestimate” cybercrime cost.
Here’s how it reached its assessments, as captured in the table above.
1: Every confirmed ransomware submission to ID Ransomware: there were 452,151 submissions during 2019. Half of these are for a ransomware type called “STOP which has a below-average ransom demand and mainly affects home users.
Emsisoft halved this number to play safe.
2: The average ransom demand is $84,000. An estimated 33 percent of companies pay the ransom demand. Ransomware incidents meanwhile also result in an average of 16 days downtime. Gartner puts the average cost of downtime at more than $5,600 per minute, so the security firm used an “extremely conservative” $10,000 per day.”
“As downtime is experienced whether or not a ransom is paid, the minimum cost is based on 50 percent of the submissions to ID Ransomware while the estimated cost is based on that reduced number times four”, Emsisoft said.
The figures are nebulous enough to represent little more than a bold back-of-a-fag-packet guess, which the firm acknowledges, but it is brave attempt and if Emsisoft is even close, the response from law enforcement needs to be sharply ramped up.
As the security firm notes: “Accurately estimat[ing] the costs… is impossible due to a dearth of data, but [we aim to] shine a light on the massive economic impact of these incidents in the hope that doing so will help governments and law enforcement agencies formulate a proportionate response to the ransomware crisis.”
With such huge revenues coming in, criminal gangs are getting bolder, planting “sleepers” in cleaning companies so that they can physically access IT infrastructure, a senior police officer with responsibility for cybercrime warned this month, urging businesses to bolster their physical security processes in the face of the growing threat.
Shelton Newsham, who manages the Yorkshire and Humber Regional Cyber Crime Team, told an audience at the SINET security event that he was seeing a “much larger increase in physical breaches” as cyber crime groups diversify their approaches.
Recent reports suggest that cybercrime will cost firms around the world $6 trillion annually by 2021 – making it more profitable than the global drugs trade.