2 Million Online Fraud Complaints - And Growing...

A dubious milestone was recently reached at the Internet Crime Complaint Center (IC3).  IC3, which sounds like an arthritis and sore muscle liniment, was formerly known as the Internet Fraud Complaint Center, and is a U.S. governmental partnership between the National White Collar Crime Center, FBI, and Bureau of Justice Assistance.  

Sadly, however, November 9, 2010 marked the 2 millionth consumer complaint filed with the IC3 in response to suspected or actual online criminal activity. See Press Release here. This milestone is all the more notable because it took seven years for the IC3 to receive its first million complaints between May 2000 and June 11, 2007. The second million arrived in less than half the time - just under 3.5 years.   According to the IC3, complaints filed with it are “processed and may be referred to federal, state, local or international law enforcement or regulatory agencies for possible investigation,” and whereas this milestone relates to online crime against consumers, the IC3 also recently took part in releasing a joint task force advisory addressing the rise of cyberthefts from corporate bank account takeovers.

The IC3's tally to date is 757,016 criminal complaints referred to law enforcement agencies around the world, with the majority of complaints involving consumer financial fraud.  Further, the IC3 reports “the total reported loss from these referrals is approximately $1.7 billion, with a median reported loss of more than $500 per complaint.”

A visit to the IC3’s online Complaint Referral Form reveals it uses a branching series of queries to categorize whether an incident involved spam, an email pretending to come from the FBI, or one of six “incident characteristics” (including sex, threats, money or shopping, computer hacking, copyright or identity theft). The form further requests specific contact info for the filer and the bad actor, details on the amount of damages, and an overall description of the events.

Along with referring complaints to appropriate law enforcement agencies, the IC3 compiles statistics on reported incidents that it then uses to provide consumer education about reported incident categories at http://www.lookstoogoodtobetrue.com – a website developed with cooperation between federal law enforcement and industry and funded by the U.S. Postal Inspection Service and FBI. The website contains fairly comprehensive details about online frauds, categorizing them as: auction fraud, counterfeit payments, financial fraud, identity fraud, online advertising fraud, pharmacy fraud, software piracy, and sweepstakes/lottery fraud.

FBI Fraud Advisory for Business Corporate Account Take Over Cyberthefts

While the IC3’s website focuses primarily on individuals and consumer frauds, as evidenced by the two million complaints received, the IC3 also released a joint-agency fraud advisory directed toward businesses and the troubling rise in cyberthefts, crafted by the FBI, IC3, U.S. Secret Service, the Financial Services Information Sharing and Analysis Center (FS-ISAC), the American Bankers Association, NACHA – The Electronic Payments Association, and BITS/The Financial Roundtable.

The Advisory, Fraud Advisory for Businesses: Corporate Account Take Overs, available here, addresses the growing problem of criminals targeting small- to medium-sized businesses (SMBs), local municipalities and school districts for account takeovers.  The take overs culminate in costly and potentially ruinous “cyberthefts” where accounts become subject to a series of wire transfers or ACH payments that empty part or all of the account’s funds to overseas banks. See news accounts here.

The Advisory recounts that "[o]nce the account is compromised, the cyber criminal is able to electronically steal money from business accounts. Cyber criminals also use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks, impersonate the customer over the phone to arrange funds transfers, mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account."

For SMBs lacking sophisticated tech security, or whose existing procedures may fall short in the current threat environment, the Advisory provides a useful basic primer on “How it’s Done” that recounts the most frequently successful steps in cybertheft attacks. Cyberthefts have risen dramatically in the past two years because they offer a high-reward, low-risk venture: SMBs generally have more cash on hand than individuals, but less robust security than larger companies.

The Advisory also provides a list of 18 recommendations on “how to protect, detect and respond” to attacks and cyberthefts. While many of the steps are basic, cumulatively the layers can successfully thwart a cybertheft attack.  For example, to enhance the security of corporate banking processes and protocols, the Advisory recommends:

“Initiate ACH and wire transfer payments under dual control using two separate computers. . . . one person authorizes the creation of the payment file and a second person authorizes the release of the file from a different computer system. This helps ensure that one person does not have the access authority to perform both functions, add additional authority, or create a new user ID.”

Another tip under “understand your responsibilities and liabilities” recommends to “familiarize yourself with your institution’s account agreement. Also be aware of your liability for fraud under the agreement and the Uniform Commercial Code (UCC), as adopted in the jurisdiction, as well as for your responsibilities set forth by the Payment Card Industry Data Security Standard (PCI DSS), should you accept credit cards.”

Given that consumers are protected from any loss of more than $50 due to online fraud via operation of Regulation E (12 C.F.R. Part 205), but businesses and other non-individual consumers are not, the disparity in treatment has garnered notice.  I blogged recently about Senator Schumer's introduction of S.3898 (Amendment to the Electronic Fund Transfer Act Would Shift Risk of Loss to Banks), legislation that would essentially extend consumer protection and liability limitations to victimized local municipalities and school districts.  While it's widely thought S.3898 was run up the legislative flagpole as a warning to the banking industry, cyberthefts won't go away any time soon, if for no other reason than, as John Dillinger reportedly said when asked why he robbed banks, "that's where the money is!"  Stay tuned.