I was just reviewing the latest FBI report from the Internet Crime Complaint Center (IC3) here (PDF), and although Iâ€™m sure that a lot of security vendors out there are going to jump on the â€œ33% increase in internet fraud last yearâ€ statements, looking into the actual numbers, itâ€™s important to realize how â€œoffâ€ they are. As â€œNon-deliveryâ€ and â€œAuction fraudâ€ top the charts (with 32.9% and 25.5% respectively), this means that the report only sees the tip of the iceberg. These are just the money mule schemes that are intended for laundering all of the profits actually made by eCrime. And it makes sense â€“ most of the focus for law enforcement is on the lowest hanging fruit, and in the eCrime business model this means money laundering.
Another insight on how eCrime actually works can be learned from the amounts reported (average) per complaint type â€“ the â€œnon-deliveryâ€ types (of merchandise or money) ranges around $800 per complaint, while check and confidence fraud are at the $2000-$3000 loss per complaint. This makes sense as when an eCrime â€œtransactionâ€ starts, it is usually based on banking/financial institution account directly, harvesting large sums of money that are later split to smaller amounts (to lower visibility) and laundered through the â€œfield operativesâ€ (i.e. money mules). Bottom line â€“ we still donâ€™t have the full picture and (unfortunately) still cannot amass the true impact of eCrime in economic terms.
The bright side is that there is more awareness in the public (hence the rising numbers â€“ remember that these are based on REPORTED casesâ€¦). Although the main focus as I mentioned is still on the perimeter of the business model, hopefully the continued cooperation between law enforcement and the industry (kudos again to the e-Crime congress which I had the pleasure to be part of last month) will get us all to the phase of handling the actual core of the business model and deal with it properly. Weâ€™ll keep doing our job in investigating both the technical aspects of the attacks associated with eCrime, as well as the back-office operations, and hope to get everyone lined up to deal with this growing threat.