May 27, 2020
IC3 Turns 20
Tracking the Evolution of Online Crime
Steve Lewis: By the late 1990s, the internet already played a key role in most of our lives.
You were probably buying airline tickets online but maybe hadn’t switched over to online banking. Social media wasn’t a thing yet. Your camera likely still had film in it, and your cell phone—if you had one—had buttons.
Then, in early 2000, the dot com bubble began to deflate. Investors were learning that not every technology company or online venture would actually make money.
At the same time, the FBI and law enforcement across the country were seeing more activity from one group who had figured out how to definitely make money online—criminals.
On this episode of Inside the FBI, we mark the 20th anniversary of the Internet Crime Complaint Center, or IC3, which serves both the public and law enforcement as a central repository for collecting reports about online scams.
You’ll hear from our host Monica Grover and Herb Stapleton, chief of the FBI’s Cyber Criminal Operations Section, which the IC3 is a part of.
I’m Steve Lewis, and this is Inside the FBI.
Monica Grover: So, back to the year 2000. Police were hearing more and more reports from people who’d lost money in scams online.
But many departments weren’t sure what to do with these types of crimes. While the victim might’ve been in their town or city, the criminal could have been anywhere in the world.
And at the FBI, we didn’t have a Cyber Division yet—so a lot of these investigations ended up with white-collar crime squads and were prosecuted as wire fraud.
This is Monica Grover with Inside the FBI, and on this episode, we’re going to highlight a project the Bureau first launched on May 8, 2000.
That project—now known as the Internet Crime Complaint Center, or the IC3—helps law enforcement connect the dots when it comes to internet-enabled crime and scams.
Herb Stapleton: They bring those complaints all into one data source. Through automation and through human analysis of the complaint data, we aggregate and draw connections between these different frauds that are happening all over the country and, in fact, all over the world.
Grover: That was Herb Stapleton, chief of the FBI’s Cyber Criminal Operations Section, which the IC3 is part of.
For the public, the IC3’s website—ic3.gov—plays two main roles—one, it’s where you can file a complaint about any online scam you’ve been a victim of or have knowledge about. In its 20 years, the IC3 has received more than 5 million of these complaints. And two, it’s where you can read warnings about emerging and ongoing scams. These announcements are issued in response to actual complaints the IC3 has received from the public.
For law enforcement, the IC3 puts all the puzzle pieces in one box.
Say someone gets conned out of $300 in California and someone else loses $500 in Florida. These might just look like small, one-off crimes on opposite ends of the country. But if these victims both report their experiences to the IC3, things can start adding up.
Stapleton: We eliminate the criminal organization behind that particular crime and show it to really be a broad global criminal enterprise that’s responsible usually for millions or tens of millions of dollars in loss. Once we start to make those connections, then we can help find a law enforcement agency, like a cyber task force, who has the proper venue and can undertake that enterprise investigation, which is much more likely to lead to some type of consequences than investigating a single complaint on its own.
Grover: Coming up, we’ll hear from Stapleton about some common internet-enabled scams and how this type of crime has changed over the last 20 years.
And you’ll learn what the FBI is doing to combat these crimes and some ways to protect yourself or your business from becoming a victim.
Man: Did you make that transfer to Hong Kong for the Emerson project?
Woman: I was just about to. But did you see the boss’ email? It doesn’t look right.
Man: It looked fine to me.
Woman: And I don’t remember him mentioning the Emerson project at our last meeting.
Man: The bank in Hong Kong closes in 15 minutes. Make the transfer.
Woman: Yes, sir. Money’s on the way.
Man [on the phone]: Mr. Jacobs, just transferred the money for the Emerson project.
Mr. Jacobs [over the phone]: What Emerson project?
Voiceover: Don’t be that guy. Trust but verify.
Grover: OK, pop quiz. You’re going to hear from Herb Stapleton again—this time, he’s going to read two emails. It’s your job to figure out which one is the scam.
Stapleton: "By virtue of our position as civil servants and members of this panel we cannot acquire this money in our names. In this regard, I have been delegated by my colleagues of the review panel to look for an oversee partner into whose account we would transfer the sum of $21,320,000."
Grover: That was the first email. You think it’s a scam? Let’s listen to the next one.
Stapleton: "Hi Linda, please confirm if you can set up an outgoing wire payment of $25,623. Get back to me so I can provide you with the beneficiary details, as the payment needs to be sent out today. Thank you, John."
Grover: That’s email number two. Have you figured out which one’s the scam? I’ll let Stapleton tell you the answer:
Stapleton: It’s a trick question. These are really both scam emails.
Grover: You probably figured out pretty quickly that the first one is a scam. You’ve likely seen or even gotten these sorts of emails yourself at some point in your life.
That particular email was received in June 2000, just weeks after the IC3 was launched, but it’s a scam that still goes on today.
It’s called an advance payment scam—basically, you’re asked to pay a fee in exchange for a bigger payout at a later date: pay me $10 now and I’ll pay you $100 next week. But after you send your money, you’ll never receive anything in return.
Stapleton: When you look at that first email, a lot of the clues are within the text of the email, the way that it’s worded and those sorts of things. That’s sort of indicative of what we call advance payments scams. A lot of times, you can kind of read the stilted or off-kilter English and determine, "Okay, this doesn't sound like it’s legitimate."
Grover: But what about that second email, received by the IC3 almost 20 years later? When you listen to it, it sounds like a legitimate request, right? Especially if your name is Linda and you work with John. So what makes this one a scam?
Stapleton: In the second one, you really can't find those clues within the text of the email for the most part, right? That particular email, the body of it, reads like any email you would normally receive on a regular workday.
And that second email is really indicative of what we call business email compromise scams, or BECs for short. And so the clues that you have to look for to determine whether or not there’s a BEC are really outside the context of the email.
Grover: In that second email, everything may seem to line up until you start to think about the details.
The criminal’s aim is to get Linda to send more than $25,000 to an account number he provides.
So if you were Linda, that’s what you might do if you don’t stop and ask yourself some questions. Were you expecting this sort of request right now? Is John usually the one who asks you to make these transfers? Is John’s email address spelled right, or is there maybe a letter missing? Can you call the real John and just double check?
To pull off these types of scams, criminals often use techniques called spoofing and phishing.
Stapleton: Spoofing really just refers to a legitimate website or email that’s designed to look like something that would really be used by a legitimate vendor or bank or anyone that you might do business with throughout the day.
Grover: So in this case, John’s email address could have been spoofed. It was a legitimate email address made to look very close to his actual email address. It’s an easy detail to miss.
But what if that email also contained a link asking Linda to “click here to complete the transfer?” Stapleton says that’s phishing—with a ph—and it’s one of the most common scams the IC3 sees reported these days.
Stapleton: Phishing is an email that is basically designed to cause the recipient to click on a link or provide information that they think is going to some trusted source or someone they have a relationship with, when in reality the information provided will really go to some type of scammer or cyber criminal. The other thing that a phishing email can do is if it entices that recipient to click on the link, it could actually download malware onto your computer or your computer network.
Grover: And so how do scammers even get the necessary information to pull off their scams? A lot of times, they’ve done their homework, researching who’s doing business with what vendors and what might be the most convincing way to pull off a scam. In other cases ...
Stapleton: What the scammers have figured out is that they can exploit businesses and organizations by trying to find holes in their cyber security or trying to use social engineering tactics to get individual employees to sort of let them in the back door of the network.
Grover: So to protect yourself from falling for a spoofing or phishing scam, it’s always a good idea to give a little extra scrutiny to emails you receive and websites you visit.
Don’t click on anything in an unsolicited email or text message—that’s right, these types of scams can happen over text messages, too.
And take a good look at email addresses, URLs, and spelling in any requests that you get. Scammers often use just slight differences to trick you—and that’s why it works.
The two emails we just talked about were sent 20 years apart and demonstrate how these types of scams have evolved over time.
BEC scams require more time and effort for the criminal, but they’re often more personal and look more convincing to the victim—and as a result, they can yield more profit for the scammer.
Generally speaking, over the last two decades, cybercrime has grown more sophisticated—and at the same time, the tools needed to execute it have become readily available.
Stapleton: We've moved from the era of strictly advanced-fee internet fraud scams into a very complex ecosystem of cyber threats.
Grover: Another one of those threats is ransomware. This type of malicious software, or malware, prevents you from accessing your computer files, systems, or networks and demands that you pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
Stapleton: We've seen the tactics and the techniques of the people perpetrating these schemes really evolve. And so, in 2001 there were no ransomware malware variants out there, that wasn't a thing being used, and the business email compromise really hadn't come into prominence yet. So what we've seen is new tactics and techniques that are designed to produce larger payouts and they've been successful in doing that.
Grover: And these bigger payouts are sometimes much bigger. Each year, the IC3 releases a report that details the financial losses these scams cause.
In 2001, the average victim lost roughly $400. Then in 2019, the average victim lost more than $7,000—and some individuals or businesses lost hundreds of thousands of dollars.
But it’s not just the changes in the scams themselves. Criminals have been meeting us where we’re now going shopping and doing our finances.
Stapleton: Far more people are comfortable conducting business online and even really sensitive types of business, like seeing your doctor or contacting your bank or doing online banking. And so, as a result of this explosion of internet usage for our day to day business, that really a much larger attack surface for people who would take advantage of victims in the United States and elsewhere.
Grover: But that’s not all—Stapleton warns that scammers take advantage of the fact that many people use the internet to connect with others.
Stapleton: Romance scams have really become one of the most financially damaging types of internet fraud that’s out there.
Grover: In a romance scam, a criminal adopts a fake online identity to gain your affection and trust. The scammer will seem genuine, caring—and believable. Eventually, these scammers will ask for money, usually for something like a medical expense or a legal fee, but it’s all just a ploy to steal from you.
Stapleton: Now you would think that that’s not a thing that would be more prevalent now than it was in 2001. Because more people are used to having online relationships, people are utilizing electronic means of communication, like email and social media more than they ever did in the early 2000s. That creates the type of environment where scams like romance scams and others can really, really thrive.
Grover: Right now, as you learn more about these scams, you might be certain of one thing—that will never be me. I’ll never fall for any of these. But it’s not as simple as that, and criminals know this, so Stapleton cautions against that kind of thinking.
Stapleton: It’s not only the most vulnerable that fall for these types of scams. It’s important to note that we all have our vulnerabilities that can be taken advantage of.
And a really good example of this is the COVID-19 crisis that we are currently in. People who might ordinarily be very wary about sending money to an overseas vendor to purchase any type of product because of the types of pressures, and some of the worry that’s involved with a global pandemic, people feel sometimes as if they don't have any other choice but to do that. So, the criminals unfortunately have gotten really, really good at finding our vulnerabilities and making the indicators of a scam hard to spot.
Grover: You just heard Stapleton mention the COVID-19 crisis. We spoke in April 2020, during the pandemic, and as he said, scammers have been taking advantage of the times—in one six-week period during the pandemic, the IC3 saw their daily report intake triple.
Stapleton: Some of the examples that we have seen are related to stimulus checks. We have seen some emails out there that are phishing emails around the stimulus check. Some other phishing emails we've seen have been related to potential COVID cures, natural oils, or cures that people claim cure COVID. We've seen some emails that advertise PPE that may or may not exist and is really designed to just get people to click on a link.
We've seen a number of emails or spoofed websites out there that claim to give updated information about the COVID-19 crisis or government guidelines related to that, but in reality that link really takes you to a credential stealing website or takes you to or installs some type of malware on your system.
Grover: Now keep in mind that’s not even a full list of the COVID-19 scams they’re seeing, but it gives you a good idea of how creative—albeit for all the wrong reasons—these scammers can be and how quickly they can stand up these scams.
And also—those are just scams directly related to the pandemic. Other scams have been popping up during this time, too, taking advantage of the ways many of us have had to abruptly change our daily lives.
Stapleton: Many many more people have been pushed over to online working or are not able to go into their offices and so they have to utilize remote tools or teleworking capabilities. So as a result of that there’s an atmosphere and an environment where people are working from home and it’s an atmosphere that lends itself to increased targeting of individuals by cybercriminals.
Grover: And unfortunately, the current COVID-19 crisis isn’t the first time we’ve seen criminals exploit a high-profile disaster or tragedy.
Stapleton: Every time a natural disaster or some type of national emergency or tragedy emerges, we see some level of criminals trying to take advantage of that situation for their own profit.
So, some of the historical examples that we've seen over the past 20 years include Hurricane Katrina fraud, where the examples of internet scams trying to peddle fraudulent supplies or setting up fake charities for people to donate money to was really rampant. Other examples are fake charity scams in the aftermath of the Boston Marathon bombing. We see every time there is some type of national emergency or tragedy, we see these things pop up.
Grover: These charity fraud scams can come to you in many ways: emails, social media posts, crowdfunding platforms. So make sure you only give to established charities or groups that you know and trust—and keep in mind that some fake charities use copycat names to trick you. You can also research the track records of these organizations at consumer.ftc.gov. And to learn more about scams related to the COVID-19 pandemic, visit fbi.gov/coronavirus.
Grover: Coming up—we’ll learn what the FBI and law enforcement are doing to combat these crimes and more ways individuals and businesses can protect themselves from becoming victims.
Man: Ms. Stevens, I just wiped malware off our system. People have got to stop clicking unsolicited email links and downloading free software unless it’s from a trusted source.
Ms. Stevens: Sounds great.
Man: We need a data back-up plan in a separate location in case we get hacked.
Ms. Stevens: We need to focus on making profits, not spending them.
Voiceover: Learn to protect yourself from ransomware. If you become a victim, contact your local FBI office.
Grover: Sometimes, it feels like an impossible problem to tackle. These scammers are hiding behind computer screens all over the world. They’re always coming up with some new technique to steal our money or our personal information. And they’re launching scams alongside national emergencies.
So how do we put a stop to it?
The FBI is involved in much of the effort to combat these crimes, from prevention to investigation, but we can’t—and we don’t—do it alone.
Stapleton: What we need is a whole of society approach to this problem, and we're making great strides in that area. This is a threat and an issue where the FBI plays a unique and critical role, but we can't do it on our own. So as a result of that we have engaged in partnerships with state and local law enforcement agencies across the country through our cyber task forces. We have very robust relationships with private sector partners, both technology companies, as well as financial institutions and retailers and entities across all the sectors of critical infrastructure within the United States.
Lastly, working with our other partners in the federal government to try to investigate and prosecute these cases, but also to warn people in advance about how they can prevent this from happening to them or prevent a cyber criminal from being able to attack their business.
And then on the other end when people do unfortunately get victimized, which is a reality, being prepared to step in as the premier cyber investigative agency in the world and lead an effort to impose consequences on those who try to do harm through cyber intrusions.
Grover: So say I do get scammed. I’m now a victim. What happens next?
First, report the incident to the IC3 at ic3.gov. Depending on the type of scam, the next steps might vary, but it’s always important to submit your complaint—because it could be a much needed puzzle piece.
Stapleton: There are certain types of complaints where we may just not have enough information yet to take investigative action, but those complaints are still very valuable because we may later find that investigative piece that connects that particular complaint to a bunch of other complaints. But in many instances, victims will be contacted by the investigator who is assigned to the case.
And regardless of whether a victim hears back immediately from a person, those complaints are part of the FBI’s holdings and are being used to benefit investigations out in the field that will lead to indictments and arrests of bad guys.
Grover: Another thing—if you realize you’ve wired money to a criminal, maybe as a result of a BEC scam, and you can file your complaint to the IC3 within 72 hours, there’s a chance you can get your money back before it even reaches the scammer. The IC3’s Recovery Asset Team works with banks nationwide to recover money that’s been sent to cyber criminals.
Stapleton: We've had remarkable success with this particular initiative, roughly about 70% of the losses that have been reported within the eligible window of time, which translates to tens of millions of dollars over the course of just a couple of years. So the importance of that particular team is to remind people that if they can report that victimization as soon as possible when it involves a wire transfer, there is some possibility of getting their money back, all or some of their money back.
Grover: At the end of the day, we all want to avoid becoming a victim of any of these or other online scams. In many cases, the best things you can do to protect yourself are to practice good cyber hygiene and exercise caution.
Stapleton: I think the most important thing that you can do is to start to have really good cyber situational awareness. When you are transacting business online, make sure that you are sort of recognizing what types of links you are clicking on. Are you clicking on something that is really coming from a trusted source or does it come from an email address or a website that just doesn't really make sense in the context of the kind of business that you're doing?
Another important thing that individuals can do is to never really provide personal information through a link on the internet. Most businesses that utilize that type of information won't ask you to provide it, like a date of birth or a social security number—they won't email and ask you to provide those things in a link to a website over email.
Grover: And passwords and passphrases play a key role in staying safe online.
Stapleton: Another important tip is to use strong passwords, don't use the same passwords for all of your different accounts, and to make those passwords contain a mixture of numbers and letters and whatever the protocols of the account that you're using call for. But many, many people still have weak passwords or passwords that they use over and over in the same accounts and this opens you up to different types of attacks if you don't change those passwords.
Grover: And as we’ve learned, it’s not just personal data that criminals are after—they’re going after businesses, too, and there are steps companies can take to protect their assets and their employees.
Stapleton: For businesses, I think all the same things apply: educating your employees on those good cyber hygiene practices like strong passwords, like being aware of phishing emails, and not clicking on suspicious links.
Grover: And in case businesses are hit by ransomware, Stapleton says it’s important that your data back-ups are offline and not connected to your company’s networks. That way, you can restore your network without paying the scammers.
Thanks to Herb Stapleton of the FBI’s Cyber Division for sharing these tips on how to stay safe and for talking with us about common scams we might encounter online.
For more information about these scams and the IC3, visit fbi.gov/ic3turns20.
And if you need to file a complaint, go to ic3.gov.
This has been another production of Inside the FBI. I’m Monica Grover with the FBI’s Office of Public Affairs. Thanks again for tuning in.