FBI Cleveland
Public Affairs Officer Susan Licate
March 6, 2024

FBI Cleveland Reminds the Public About Scams Targeting Americans During National Consumer Protection Week

CLEVELAND, OH—With the FBI release of the 2023 Internet Crime Report and National Consumer Protection Week upon us, FBI Cleveland Special Agent in Charge Greg Nelsen reminds the public about scams and frauds originating from across the globe that target Americans, leaving a trail of victims from coast to coast, including right here in Northern Ohio.

In 2023, phishing, which is the use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials, was one of the most active Internet-based crimes according to the FBI IC3.gov report. According to the report, over 298,000 people reported phishing-based crimes in 2023. Simply put, phishing is just like fishing: the criminal casts a “line” via email, text, or pop-up message to see if there are any nibbles and bites. Eventually, someone takes the bait and gets reeled in as the catch of the day. As a result, the victim’s computer or device is compromised and open to hackers, malware, ransomware, and other damaging tools that steal passwords or bank account information, or shut down one’s access to their own computer system.

“In 2023, the FBI’s Internet Crime Complaint Center received 880,418 complaints with potential losses exceeding $12.5 billion. This is almost a 10% increase in complaints from 2022 (800,944 complaints received) and a 22% increase in losses from 2022 ($10.3 billion). That’s more than 2,400 complaints every single day,” said FBI Cleveland Special Agent in Charge Greg Nelsen. “Ohio ranked number five in the top 10 states of complaints, and number 17 in victim losses at over $197 million. And while we don’t like to see that number grow, we want to remind everyone to step up and report the crime or attempted scam. That is the only way we can identify criminals, investigate their actions, and dismantle their network.”

As scams continue to increase in scope and sophistication, it’s important that law enforcement and the public work together to stay ahead of the risks. If you have been a victim of an Internet-based financial crime, there is some optimism for recovery. The FBI IC3 Recovery Asset Team (RAT), established in February 2018, streamlines communication with financial institutions and assists FBI field offices with the freezing of funds for victims who made transfers to domestic accounts under fraudulent pretenses. The RAT has about a 71% success rate, with $538MM in losses frozen of the $758MM total losses. This greatly reduced the amount of money that would have been “paid” to bad actors by unsuspecting victims.

Protection Against Phishing Campaigns

  • The FBI recommends network defenders apply the following mitigations to reduce the risk of compromise:
    • At work: Educate employees on how to identify phishing, spear-phishing, social engineering, and spoofing attempts.
      • Advise employees to be cautious when providing sensitive information—such as login credentials—electronically or over the phone, particularly if unsolicited or anomalous. Employees should confirm, if possible, requests for sensitive information through secondary channels.
      • Create protocols for employees to send suspicious emails to IT departments for confirmation.
      • Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
      • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
      • Advise training personnel not to open email attachments from senders they do not recognize.
    • At home: Never accept a pop-up request or open a link that asks you to give control of your computer to another person or perceived entity.
    • Do not give out personal identifying information or provide information as a “correction” when the other person’s information is close.
    • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
    • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
    • If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
    • Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
    • Advise family members not to open email attachments from senders they do not recognize and learn how to check carefully for “look-alike” emails and attachments.
    • Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.

Since its inception, IC3 has received over 8 million complaints. To learn more about these and other scams targeting Americans visit FBI.gov, and if you believe you are the victim of a scam, take action by reporting it to the FBI’s Internet Crime Complaint Center at IC3.gov or by contacting your local law enforcement agency.