For seven years, the FBI’s Internet Crime Complaint Center (IC3) has tallied the reports the US law enforcement agency receives about all different types of digital crime, and it has consistently found that business email compromise (BEC) scams resulted in the highest total losses each year. But in its latest Internet Crime Report, released today for incidents in 2022, “investment” scams have overtaken all others as the biggest digital threat, with $3.3 billion in losses last year.
IC3 reported that BEC—in which attackers trick businesses into making bogus payments or intercept legitimate payments—resulted in nearly $2.4 billion worth of losses in 2021 and $2.7 billion in 2022. In other words, those attacks are still a significant and rising threat. But investment scams, particularly those that claim to offer a path for cryptocurrency investment, have exploded over the past 18 months. They have been particularly fueled by so-called “pig butchering” scams, in which attackers cold-contact a target via texts or other messaging platforms, start a conversation to build trust, and then say they can help the individual get in the door on a lucrative investment deal.
The $3.31 billion of overall investment scam losses in 2022 compares with $1.45 billion in 2021, an increase of 127 percent. And the FBI notes that cryptocurrency investment scams specifically caused losses of $2.57 billion in 2022, up from $907 million in 2021—an increase of 183 percent.
In 2021, IC3 tracked pig-butchering attacks by that name and categorized them under the umbrella of “romance scams” rather than cryptocurrency scams, citing $429 million in losses related to pig butchering that year. In the new report, IC3 doesn’t mention the phrase “pig butchering” but says in an appendix that “one complaint may have multiple crime types.”
The figures seem to reflect IC3’s efforts to quickly adjust its understanding of how these scams are operating amidst pig butchering’s sudden rise. But it’s hard to get a definitive picture, since it depends on how you categorize the different types of scams. For example, romance scams (also called “confidence fraud”) dropped from 24,299 complaints in the 2021 report to 19,021 in 2022. The associate losses dropped from $956 million to $736 million. But the US Federal Trade Commission said last month that it had received reports of close to 70,000 romance scams in 2022 and losses of $1.3 billion.
“Crypto-investment scams saw unprecedented increases in the number of victims and the dollar losses to these investors,” the FBI wrote in the 2022 Internet Crime Report. “Many victims have assumed massive debt to cover losses from these fraudulent investments.”
Researchers who have been tracking pig butchering say the trend is unmistakable. In recent research by the security firm Sophos, for example, senior threat researcher Sean Gallagher tracked one criminal campaign that originally appeared to have amassed about $500,000 worth of stolen cryptocurrency in one month. After continuing to investigate and identifing more wallets linked to the attackers, though, Gallagher concluded that the gang had stolen about $3 million over five months.
“This is one of the craziest times I’ve ever seen,” says Ronnie Tokazowski, a longtime researcher and principal threat adviser at the cybersecurity firm Cofense. “BEC has been number one for seven years in a row, and we as a society struggled to get our heads around the BEC stuff when it was primarily coming from West Africa. Now we’re seeing a shift to an entirely different geography, with most pig-butchering attacks coming out of Southeast Asia. It’s concerning that now we have two geographies and billions of dollars in losses to deal with.”
In addition to BEC and investment scams, IC3 counted 2,385 complaints about ransomware in 2022 totaling $34.3 million in losses, down from 3,729 ransomware reports in 2021 that resulted in $49 million in losses.
The FBI is always quick to emphasize that the numbers in IC3 reports likely undercount real totals, as it depends on victims from all over the world voluntarily reporting their experiences. This means that increases and decreases can’t be assumed to correspond perfectly with the true numbers, which are unknown. But researchers say that IC3 data are a useful and valuable indicator. It’s striking, for example, that the rise in investment scam losses came in a year when the FBI received 5 percent fewer reports overall than the previous year—800,944 complaints in 2022, down from 847,376 in 2021.
“Though cybercriminals are continuously seeking to make their attacks more resilient, more disruptive, and harder to counter, public reporting to the IC3 helps us gain a better understanding of the threats we face daily,” Timothy Langan, the FBI’s executive assistant director, wrote in the report. “As these threats increase, we continue to encourage victims to report cyber incidents and cyber-enabled frauds to the FBI so that we may impose risks and consequences on malicious cyber actors.”