In a recently released report about the increasing threat of cybercrime, the FBI emphasized that it is crucial for individuals and entities to report cyber incidents to its Internet Crime Complaint Center (IC3), “as that valuable information helps fill in gaps that are crucial to advancing our investigations. Your efforts are critical to our ability to pursue the perpetrators and share intelligence to protect your fellow citizens.”
The IC3 enables the FBI to collect data, identify trends, and pursue threats related to cybercriminal activity.
“Today’s cyber landscape has provided ample opportunities for criminals and adversaries to target U.S. networks, attack our critical infrastructure, hold our money and data for ransom, facilitate large-scale fraud schemes, and threaten our national security,” the 32-page Internet Crime Report 2022 reads. “At the FBI, we know ‘cyber risk is business risk’ and ‘cyber security is national security.’”
As of December 31, 2022, the IC3 had received more than 7 million complaints, according to the report. In 2022 alone, the IC3 received 800,944 complaints. Although this was a 5% decrease from 2021, the potential total dollar loss jumped from $6.9 billion in 2021 to more than $10.2 billion in 2022. California led the nation in the number of cyber victims in 2022 (80,766), followed by Florida (42,792) and Texas (38,661).
“We have seen cyber threats emanate from around the world and witnessed the scope and sophistication of these scams and attacks deepen,” according to the report. “As these threats increase, we continue to encourage victims to report cyber incidents and cyber-enabled frauds to the FBI so that we may impose risks and consequences on malicious cyber actors.”
Freezing of Assets
The FBI’s Recovery Asset Team (RAT), which was established in 2018, streamlines communications with financial institutions and FBI field offices to assist in freezing funds for victims of cybercriminal activity. In 2022, RAT initiated the Financial Fraud Kill Chain (FFKC) on 2,838 Business Email Compromise (BEC) complaints involving domestic-to-domestic transactions with potential losses of over $590 million. A monetary hold was placed on approximately $433 million, which represented a 73% success rate. In 2022, RAT saw a 64% increase in FFKCs initiated compared to 2021.
State Actors Especially Dangerous
Mikhail Gofman, PhD, Director of the Center for Cybersecurity at California State University in Fullerton, said so far this year the number and sophistication of cyber attacks are both on the rise. “Especially dangerous are state actors looking to attack the critical infrastructure, including health care, with ransomware being a popular form of attack against health care organizations,” Dr Gofman said.
He added, “It is critical that all health care organizations implement good security governance where security policies govern all operational aspects of the organization, the policies are enforced, and each employee is trained in their obligations of protecting the organizational security.”
By quickly reporting cyber attacks, Dr Gofman said, all affected parties can take the proper measures to help limit the negative impacts. Further, he noted that the affected organizations can receive assistance from their vendors, contractors, and federal and state agencies in limiting the impacts of the breach. All these entities can help investigate the cause.
“In addition, reporting one’s incidents will have an overall positive effect on national security by prompting organizations to prepare and take proper measures,” he said. “For example, when a health care organization is a victim of a ransomware attack, reporting the incident can help other health care organizations prepare for and prevent the attack.”
John Pescatore, Director of Emerging Security Trends at SANS Institute, a private US for-profit company specializing in information security and cybersecurity training, said rapidly determining the extent of an attack and notifying impacted customers is critical for businesses and government agencies. “That often results in press coverage, but it is always better to be the one who tells your customer first,” Pescatore said. “Notifying law enforcement or other officials is less important, but often required by regulations.”
Cybercriminals Getting Better
In general, Pescatore said, regulatory officials are not going to help health care businesses directly. However, once regulatory agents have knowledge of the issues, they can generate statistics.
“Attackers are continually getting faster in exploiting vulnerabilities and more sophisticated in avoiding detection,” Pescatore said. “In the medical world, it is well known that washing hands and wearing masks is essential hygiene. The same is true in cybersecurity; there are several essential security hygiene practices that make it easier to both evade threats and to quickly detect those attacks that get through.”
He said 90% of successful attacks use phishing emails to steal reusable passwords. “Using multi-factor authentication, as simple as an added text message, thwarts over 90% of those attacks,” Pescatore said.
Noah Jellison, Executive Director for The Risk Institute at Fisher College of Business at The Ohio State University in Columbus, said there are tens of thousands of cyber attacks, if not more, that occur on a daily basis, and the number keeps increasing. “Therefore, it is virtually impossible to report every single cyber attack that occurs,” Jellison said. “In some cases, it could take months or even longer to definitively identify whether a cyber attack had occurred or not.”
Vigilance Is Tough
Cyber attackers can exploit knowledge of who an organization's business partners are, according to Jellison. If an attacker knows that your health organization is doing business with another organization that has potentially less mature cyber security standards and practices than you, then they might directly target and attack that other organization to get to you. He said it is now much more like a game of chess where you must try to think many steps ahead of the opponent. “Even staying vigilant becomes an overwhelming endeavor, especially in the health care space and especially with physicians and smaller medical practices, which may not have the resources, funds and/or technical expertise to be vigilant enough,” Jellison said.