How cybercrime is going small time
Blockbuster hacks are no longer the norm – causing problems for companies trying to track down small-scale crime
Cybercrime is often thought of on a relatively large scale. Massive breaches lead to painful financial losses, bankrupting companies and causing untold embarrassment, splashed across the front pages of news websites worldwide. That’s unsurprising: cyber events typically cost businesses around $200,000, according to cybersecurity firm the Cyentia Institute. One in 10 of those victims suffer losses of more than $20 million, with some reaching $100 million or more.
That’s big money – but there’s plenty of loot out there for cybercriminals willing to aim lower. In 2021, the Internet Crime Complaint Center (IC3) received 847,376 complaints – reports by cybercrime victims – totaling losses of $6.9 billion. Averaged out, each victim lost $8,143.
Many identity thefts and online scams, however, net perpetrators even less: just a few hundred dollars. For just $25, cybercriminals can purchase a cloned VISA or Mastercard, plus its PIN. That card data opens a treasure trove for criminals, including locally purchasing gift cards, or other fencible commodities such as electronics and jewelry sold off at a discount.
“Criminals have two primary goals: making money and staying out of harm’s way,” says Nick Biasini, head of outreach at Cisco Talos. Cybercrime provides an attractive avenue for both. “The inherent risk associated with committing cybercrime-fueled fraud is far lower than selling drugs or other types of crime. Additionally, the margins are far better. A criminal can turn a small investment into big profits simply from buying stolen information and using it to commit some form of fraud. During the pandemic unemployment fraud has been a lucrative favorite of criminals. Plus by keeping the monetary values lower they are less likely to draw the attention of state and federal authorities.”
A growing problem for local law enforcement
Cyber criminals can attack virtually anyone from virtually anywhere, and cybercrime as a service, where the non-technically minded can hire tools to hack accounts without any specialist knowledge, has become commonplace. Even organized crime syndicates in Spain and Italy are getting into the game.
Federal authorities, usually alerted by IC3, put their scarce resources toward solving large-scale crimes. They work with financial institutions or corporations most impacted by specific breaches. This means the majority of crimes – with their far smaller paydays – tend to fly under the radar.
A look at the data
But some companies are tracking the rise of small-scale cybercrime. Cisco Talos analyzes data to spot trends that help its incident response team alert customers to potential cybersecurity attacks, and then respond and recover to breaches rapidly.
It has found while drug felonies over the last eight years dropped drastically, before stabilizing during the pandemic, cybercrime has shot up. From 2015 to 2021, the number of reported cybercrimes nearly tripled, and losses soared nearly fivefold.
“Criminals today have a far better technical understanding then they did five or ten years ago,” says Biasini. “Additionally, it shows how they really understand inherent risk, it’s just safer to commit fraud and cybercrime than it is to sell drugs. As an added bonus, they also have become proficient in cryptocurrencies, providing alternative avenues for purchasing illicit goods and money laundering.”
Source: New York Police Department
Source: IC3 2021 Internet Crime Report
An evolving challenge
If this trend continues, the emerging wave of cybercrime will look less like epic breaches and more like scamming citizens out of their tax return or signing them up for fraudulent unemployment benefits. Those two crimes already rank in the top five of identity theft types for 2021, with unemployment scams leading the pack.
How, then, can we expect local law enforcement to possibly keep up? After all, they’re already busy policing and prosecuting what most people consider ‘real world’ crimes. Cybercrime is an entirely different problem. It requires pouring over data both from the criminal themselves and the victims they target with their fraud, trying to somehow build a solid, forensically sound case.
“Cisco Talos has always worked closely with local, state, and federal law enforcement organizations to help them succeed in their tasks,” says Biasini. “We are always willing and able partners to help take cybercriminals off the streets. We provide law enforcement with information we uncover during our investigations and oftentimes lend our people, processes, and technologies to help investigations already underway.”
One solution is for local law enforcement to identify staffers in their ranks with an aptitude for online sleuthing. Cybercrime units are perfect for people who have a research bent, because digital detective work is a big part of the job.
Another alternative forces are pursuing is recruiting young people from computer science programs, or tasking high schools with helping train up a new generation of defenders with the mentality and skills to turn what today is a sideline for police into a mainline function. It’s already happening worldwide: in the UK, a $7 million government program led to the creation of cybercrime units in every police force in England and Wales.
And we’re seeing it here too in the United States. Several organizations have stepped up as resources for law enforcement. Every state has at least one agency devoted to helping police fight cybercrime. And the National Computer Forensics Institute offers courses, both in-person and virtual, to train basic and advanced examiners, first responders, and prosecutors and judges.
It’s all in the aim of trying to crack down on small time cybercrime, preventing the small leaks that turn into a torrent of losses that we know about from thousands of years of history.
People have been swindled since before man created monetary systems. These aren’t new crimes; just new ways to commit them. But as cybercrime increasingly goes small-time, those on the front lines will need new and more effective ways to fight it.
Read the detailed blog on the shifting trends in small time cybercrime in Nick’s blog here. Click here to get to know Cisco Talos, the industry-leading threat intelligence group fighting the good fight.