Cybercrime is the fastest growing crime in America and has created an economic crisis. Imagine the financial impact on communities when $420 billion is lost every year. Imagine the emotional impact on the millions of kids cyberbullied and lured away by online predators, or seniors drained of their retirement savings. Think about what happens to the friends, neighbors and family who do not have the money to save for education, a home or retirement. How about the impact of not having enough money to pay rent or medical bills? Then consider how many romance scam survivors are lost to suicide after losing their life savings to someone they thought loved them.
Recently, romance scams alone may have cost over a billion dollars. According to the Federal Trade Commission, “For three years running, people have reported losing more money on romance scams than on any other fraud type identified in Sentinel. In 2020, reported losses to romance scams reached a record $304 million, up about 50% from 2019.” (See Figure 1 below)
It is time to ask a difficult question: How much financial and emotional pain will it take before the U.S. starts to provide support services to the 50 million people[i] who are victims of cybercrime each year?
Why is Cybercrime Booming?
Cybercrime is exploding because it is lucrative. Bottom line, criminals are getting rich quick with little to no consequences. Fraud has always existed, but with the Internet came the ability for criminals to reach anyone, anywhere, at any time with the click of a button. The security community, law enforcement and government agencies were not prepared to react to the exponential rise in a new crime landscape.
There is a need for some understanding and patience as it relates to not having a handle on this newer threat to our communities. In all the history of crime, comparatively speaking, pure internet crime is fairly new.
The iPhone was launched in 2007, then the Android Market, now Google Play in 2008. Facebook, Instagram and Twitter have only been in existence for roughly 11 to 15 years. Criminals capitalized on these new areas of treasure quickly, and the systems that protect people and places have yet to catch up. This perfect storm of technology adoption, criminal cash winfall and lack of support resources has caused an economic crisis that needs to be brought out into the open.
Cybercrime is grossly underreported for three reasons:
1. Feelings of Shame
Most cybercrime happens with the target willingly participating. In order to be successful, this crime needs the victim to click on a link, send money to strangers, or believe something that is untrue. There is an active decision by the victim to engage; therefore, it is human nature to feel that the victim has some responsibility for what happened. Let’s contrast that with an armed robbery. If a criminal comes to a home, physically breaks a locked window and steals money with the victims at gunpoint, no one will blame the victim. This victim did not do anything to enable the criminal.
These examples are not to show proof that cybercrime is the victims’ fault, but rather to show how it can be interpreted as a different type of crime that leads to victim blaming.
2.Where to Report: Confusion Reigns
The Internet Crime Complaint Center (IC3) is currently run by the Federal Bureau of Investigation and started taking complaints from U.S. victims in 2003. “The mission of the Internet Crime Complaint Center is to provide the public with a reliable and convenient reporting mechanism to submit information to the Federal Bureau of Investigation concerning suspected Internet-facilitated criminal activity…”[ii] In 2020, IC3 received over 700k reports[iii] (as shown in Figure 2 below).
The Federal Trade Commission (FTC) has a new and improved reporting system at ReportFraud.ftc.gov. In the FAQs on their website, they give this advice to the question of ‘where else should I report?’ “Your report goes into Consumer Sentinel, a database available to federal, state, and local law enforcement across the country. But you also can file a report with your state attorney general or local consumer protection agency.”[iv]
The data collected by the FTC is shared with 3,000 law enforcement agencies in the country.[v] However, according to the Bureau of Justice Statistics, “Law enforcement in the U.S. includes over 18,000 federal, state and local agencies.”[vi] That leaves 15,000 agencies without access to the data. Now, each of those agencies has the ability to sign up for access to the data, but the dedicated team at the FTC does not have a “marketing” department meant to share resources with agencies across the country. Many useful resources the Federal Government produces need power (money) behind them to reach a broader audience.
Victims involved in Identity Theft, Social Security fraud, COVID-19 related fraud, and IRS fraud have additional phone numbers or websites to access and report complaint information. Without one agreed upon database to collect these reports from across agencies, the true impact of cybercrime and online fraud will not be captured. To address part of this issue, the Cyberspace Solarium Commission has recommended a Bureau of Cyber Statistics.[vii] This would be in addition to the current Bureau of Justice Statistics that last reported cybercrime data in 2005.[viii]
Victims of crimes in the United States are trained to call 911 starting from a very young age. Former U.S. Department of Homeland Security Secretary Kirstjen Nielsen spoke of the issue at a summit in 2018, “I occasionally still hear of companies and locals that call 911 when they believe they’ve been under a cyber-attack.”[ix]
3.The Feeling That No One Can Help
Most people understand that cybercriminals are operating from all around the world. Location challenges alone make it difficult to find and prosecute those responsible for losses. Recovering stolen money can prove even more difficult if it was sent to accounts that are closed or shared through untraceable means such as cryptocurrency or gift cards. If recovery is only defined by getting money back, it can seem futile to report or attempt to trace the funds.
What Programs Are Working?
The U.S. lags behind its international partners in addressing the issue of serving individuals and small businesses impacted by cybercrime. Israel, Australia and the UK are examples of countries that provide a one-stop solution for individuals and consumers to call and reach a human who can give them support with reporting and recovering from a cybercrime.
The nonprofit sector is coming to the table with solutions and collaborations to address critical gaps. Information sharing, reporting and recovery resources are coming out of these organizations funded by both public and private sector sources, thus proving the need for all parties to contribute and work together.
The Cyber Threat Alliance (CTA) has brought together leading security companies that have key threat indicators that were previously shared in silos. Under the leadership of Michael Daniel, the CTA works to, “…improve the cybersecurity of our global digital ecosystem by enabling near real-time, high-quality cyber threat information sharing among companies and organizations in the cybersecurity field…”[x] With over thirty-two security companies coming together daily to share threats, CTA is providing a never-before-seen window into the criminal playbooks.
The Cybercrime Support Network (CSN) was founded in 2017 to fill a large gap for victims of cybercrime. In the absence of a federally run national program, CSN created fightcybercrime.org and partnered with federal, state and local governments to share the resources with millions of people in the United States.
In addition to a website where individuals and small businesses can find help with reporting, recovery and reinforcing their security after the fact, CSN also piloted a call-center approach in six states. Utilizing the existing 211 human services referral lines run by United Way organizations, CSN trained Call Specialists to walk victims through the fightcybercrime.org site, and also on how to give guidance to the victims so they could report the crime to the FBI, FTC or other relevant agencies. Over 90% of callers reported being satisfied or very satisfied with the service (as illustrated in Figure 3 below).
CSN was awarded a $1.6M cooperative agreement by the Cybersecurity Infrastructure Security Agency (CISA) to develop a State, Local, Tribal and Territorial (SLTT) Reporting and Threat Information Sharing Pilot for cyber incidents impacting consumers and SMBs. The cooperative agreement will produce a feasibility study showing the need for a national program to support individuals and small businesses and share critical information with SLTT partners.
The Identity Theft Resource Center (ITRC) was “…established To Empower And Guide Consumers, Victims, Business And Government To Minimize Risk And Mitigate The Impact Of Identity Compromise And Crime”[xi] with a live agent available to walk victims through the complex and time intensive process of restoring personal credit. The ability to talk to a person who understands the complexities of identity theft and know they are there to help at no cost is a game changer for so many suffering to put their lives back together after being impacted by cybercrime.
What is Needed Moving Forward?
Legislative solutions are needed to address multiple cyber ecosystem problems, and the Cyberspace Solarium Commission is having more success in this space than has been seen at any other time in U.S. cyber history. Twenty-six Solarium recommendations were included in the 2021 NDAA, “…representing the most comprehensive and forward-looking piece of national cybersecurity in the nation’s history.”[xii]
Thanks to the work of the Commission, the potential for more progress to address the plight of cybercrime victims is on the horizon. The Cyberspace Solarium Commission Transition Book[xiii] for the Biden Administration recommends a National Center along with federal funding for nonprofits serving cybercrime victims:
Create Support for Victims of Cybercrime
“The uptick in fraud and other malicious activity during the COVID-19 pandemic has provided an unwelcome reminder that major emergencies present opportunities for criminals to further stress overburdened public services and the American people. The Biden-Harris administration should work with Congress to create institutions that would provide relevant support to victims of cybercrime by creating a National Cybercrime Victim Assistance and Recovery Center, as well as a grants program to fund nonprofits that aid victims of cybercrime.”
Cybercrime is at an all-time high with no end in sight. Comprehensive, distinct, and public facing solutions are critical to make a dent in the economic and emotional damage experienced by everyday consumers and small businesses in the U.S. The issue needs to be spoken about as a crisis, and to be addressed with an “all of community” approach. Government, private sector and NGOs cannot solve this in silos. Education and awareness is not enough, and the time to act is yesterday.