The latest reports from FBI and ITRC reveal that cyber incidents in 2023 broke records for financial loss and frequency.
Published on April 4, 2024
Cyber incidents reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023 totaled 880,418. These attacks caused a five-year high of $12.5 billion in losses, with investment scams making up $4.57 billion, the most for any cybercrime tracked. Phishing, with 298,878 incidents tracked (down from its five-year high in 2021 of 323,972), continues to reign as the top reported method of cybercrime.
The 2023 Data Breach Report from Identity Theft Resource Center (ITRC) reveals that last year delivered a bumper crop of cybersecurity failures – 3,205 publicly reported data compromises, impacting an estimated 353,027,892 individuals. Meanwhile, supply-chain attacks increased, and weak notification frameworks further increased cyber risk for all stakeholders.
Email compromise, cryptocurrency fraud, and ransomware increase
In addition to record-high financial losses from cybercrimes overall in 2023, the report revealed trends across crime methodology and targets. Investment fraud was the costliest of all incidents tracked. Within this category, cryptocurrency involvement rose 53 percent, from $2.57 billion in 2022 to $3.94 billion. Victims 30 to 49 years old were the most likely group to report losses.
Ransomware rose 18%, and about 42 percent of 2,825 reported ransomware attacks targeted 14 of 16 critical infrastructure sectors. The top five targeted sectors made up nearly three-quarters of the critical infrastructure complaints: healthcare and public health (249), critical manufacturing (218), government facilities (156), information technology (137), and financial services (122).
Adjusted losses for 21,489 business email compromise (BEC) incidents climbed to over 2.9 billion. The IC3 noted a shift from dominant methods in the past (i.e., fraudulent requests for W-2 information, large gift cards, etc.). Now scammers are “increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”
The report disclosed a $50,000,000 loss from a BEC incident In March of 2023, targeting “a critical infrastructure construction project entity located in the New York, New York area.”
The IC3 says it receives about 2,412 complaints daily, but many more cybercrimes likely go unreported for various reasons. Complaints tracked over the past five years have impacted at least 8 million people. The FBI’s recommendations for solutions to minimize risk and impact include:
Ramping up cybersecurity protocols such as two-factor authentication. More robust payment verification practices. Avoiding engagement with unsolicited texts and emails.The scale of 2023 data compromises is “overwhelming.”
According to the ITRC, the surge in breaches during 2023 is 72 percent over the previous record set in 2021 and 78 percent over 2022. To add more perspective, the ITRC notes that “the increase from the past record high to 2023’s number is larger than the annual number of events from 2005 until 2020, except for 2017.”
Meanwhile, as the report highlights, two other outsized trends converged: increasing complexity and risk. The number of organizations and victims impacted by supply-chain attacks skyrocketed. The notification framework conspicuously weakened, too. Since some laws assign liability for notification to organizations owning the leaked data, the notification chain would stop there, leaving downstream stakeholders unaware. For example, a software company servicing nonprofits might duly notify its direct B2B customers but not the individuals served by the nonprofit organization.
The ITRC has been reviewing publicly reported data breaches since 2005, and it now has a database of more than “18.8K tracked data compromises, impacting over 12B victims and exposing 19.8B records.” This ninth report forecasts a bleak outlook for the coming year. Specifically, “an unprecedented number of data breaches in 2023 by financially motivated and Nation/State threat actors will drive new levels of identity crimes in 2024, especially impersonation and synthetic identity fraud.”
The faster a breach is identified and reported, the faster all potentially affected parties can take measures to minimize impact. However, reporting regulations can vary across jurisdictions and businesses, and their supply chain partners may hesitate to disclose breaches for fear of impacting revenue and brand reputation. ITRC outlines its forthcoming uniform breach notification service designed to enable due diligence, emphasizing swift action and coordination with business and regulatory authorities. The service will be offered for a fee to companies looking to better handle cyber risk in their supply chains and regulatory requirements. Other recommendations include the increased use of digital credentials, facial identification/comparison technology, and enhancing vendor due diligence.
The increased risk and rising financial losses from cyber risk likely drive growth for the cyber insurance market, which tripled in volume in the last five years. Gross direct written premiums climbed to USD 13 billion in 2022. For a quick rundown of how cyber insurance coverage supports risk management for organizations of all sizes, take a look at our cyber risk knowledge hub. To learn more about the fastest-growing segment of property/casualty, look at our recent Issues Brief.