Types of CyberCrime
Law enforcement and national security agencies are currently facing highly diversified cyber threats. For police services, “cyber-crime,” “computer crime,” “information technology crime,” and “high-tech crime” usually fall within two major categories of offenses:
- The computer is the target of the offense, and therefore attacks on network confidentiality, integrity, and/or availability (i.e., unauthorized access to and illicit tampering with systems, programs, or data) all fall into this category; and,
- Traditional offenses such as theft, fraud, and forgery are committed with the assistance of or utilizing computers, computer networks, and related information and communications technology. This categorization is largely recognized by experts in the field and most government agencies.
According to the Federal Bureau of Investigation (FBI), cyber-crime results in serious monetary loss and extensive fraud. The FBI’s 2020 Internet Crime Report put losses in the United States at more than $4.1 billion for that year alone. Between 2016 and 2020, the FBI’s Internet Crime Complaint Center (IC3) received 2,211,396 cybercrime complaints, 791,790 of them in 2020, and estimates total losses over that five-year period at more than $13.3 billion.
The top five crime types by number of victims reported to the IC3 in 2020 were:
- Phishing / Vishing / Smishing / Pharming
- Non-Payment / Non-Delivery
- Extortion
- Personal Data Breach
- Identity Theft
Phishing is a type of cyberattack that involves sending emails purporting to be from a legitimate organization to induce recipients to provide private information, typically by following a link to a fraudulent website or opening a malicious attachment.
Vishing (voice phishing) is a type of cyberattack that involves making fraudulent phone calls or leaving voice mail messages purporting to be from a legitimate organization to induce the recipient to disclose personal information, such as bank card details.
Smishing (SMS phishing) is a form of phishing that uses text messages on mobile devices as the attack platform to gather personal data from recipients, such as credit card information.
Pharming is a portmanteau of phishing and farming and describes a cyberattack in which name resolution is manipulated (for example, by poisoning a DNS resolver’s cache or editing a victim machine’s hosts file) so that users who type the address of a legitimate website are silently redirected to a fraudulent copy that harvests their confidential information.
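The link-level checks an analyst or mail filter would run against the phishing cases above, as an added example that is not part of the original page: it parses the anchors out of an HTML email body, flags links whose visible text names one domain while the href points at another, and flags hosts that imitate a protected brand (the brand name appearing as a label of an unrelated domain, or a registered name within two edits of it, as in paypa1.com). The PROTECTED_DOMAINS allowlist, the two-edit threshold, the naive two-label domain split and the sample email are assumptions chosen for the example.

```python
"""Phishing link triage: mismatched link text vs. target, and look-alike hosts.
Added example, not from the original page. The brand list, sample email and
edit-distance threshold are assumptions for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this check protects (the allowlist a real filter would load).
PROTECTED_DOMAINS = {"paypal.com", "bankofamerica.com", "chase.com"}
MAX_EDITS = 2


def registered_domain(host):
    """Naive eTLD+1: last two labels. Assumption: no multi-label public
    suffixes such as co.uk (a real filter would use the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a, b):
    """Levenshtein distance; catches typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the protected domain `host` imitates, or None if it is either
    the genuine domain or unrelated to every protected brand."""
    reg = registered_domain(host)
    if reg in PROTECTED_DOMAINS:
        return None
    # Split on dots and hyphens so chase.com-verify.net yields the token "chase".
    tokens = host.lower().replace("-", ".").split(".")
    reg_name = reg.split(".")[0]
    for legit in sorted(PROTECTED_DOMAINS):
        brand = legit.split(".")[0]
        if brand in tokens or edit_distance(reg_name, brand) <= MAX_EDITS:
            return legit
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """If the visible link text looks like a URL or bare hostname, return its host."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyze_links(html):
    """Return [(href, [reasons])] for every suspicious link in the email body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        shown = shown_host(text)
        if shown and registered_domain(shown) != registered_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
        imitated = lookalike_of(host)
        if imitated:
            reasons.append(f"{host} imitates {imitated}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample email body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been limited. Please confirm your details.</p>
<a href="http://paypa1.com/login">https://www.paypal.com/login</a><br>
<a href="https://chase.com-verify.net/secure">Verify now</a><br>
<a href="https://www.paypal.com/help">Help center</a>
"""

if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The third link is the genuine site and produces no finding; the first is caught twice (display text disagrees with the target, and the target is one edit from the brand), the second only by the brand token in an unrelated domain. A production filter would add the Public Suffix List, Unicode confusable handling for internationalized domains, and reputation lookups, none of which are attempted here.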
In 2020, the IC3 received 2,474 complaints identified as ransomware with adjusted losses of over $29.1 million. Ransomware is a type of malicious software, or malware, that encrypts data on a computer, making it unusable. A malicious cybercriminal holds the data hostage until the ransom is paid. If the ransom is not paid, the victim’s data remains unavailable. Cybercriminals may also pressure victims to pay the ransom by threatening to destroy the victim’s data or release it to the public. Although cybercriminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:
• Email phishing campaigns: The cybercriminal sends an email containing a malicious file or link that deploys malware when a recipient opens or clicks it. Cybercriminals historically have used generic, broad-based spamming strategies to deploy their malware, though recent ransomware campaigns have been more targeted and sophisticated. Criminals may also compromise a victim’s email account using precursor malware, enabling the cybercriminal to use the victim’s email account to spread the infection further.
• Remote Desktop Protocol (RDP) vulnerabilities: RDP is a proprietary Microsoft network protocol that lets a user control a remote computer’s desktop, resources, and data over a network, including the Internet. Cybercriminals have used both brute-force methods (trial-and-error guessing of user credentials) and credentials purchased on dark web marketplaces to gain unauthorized RDP access to victim systems; RDP endpoints exposed directly to the Internet without multi-factor authentication or account lockout are the usual target. Once they have RDP access, criminals can deploy a range of malware, including ransomware, to victim systems.
• Software vulnerabilities: Cybercriminals can take advantage of security weaknesses in widely used software programs, particularly unpatched Internet-facing services, to gain control of victim systems and deploy ransomware.
The FBI does not encourage paying a ransom to criminal actors. Paying a ransom may embolden adversaries to target other organizations and encourage other criminal actors to distribute ransomware or to fund other illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to your local field office or the FBI’s Internet Crime Complaint Center (IC3). Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.
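The RDP brute-force vector above is one of the easiest ransomware precursors to catch in the Windows Security log, so the following added example (not code from the page or the FBI) runs a sliding-window detector over constructed 4625/4624 events: it raises one alert when a single source address accumulates five failed logons within five minutes, and a second, more urgent one when an RDP logon (event 4624, logon type 10) then succeeds from that same address, which is the moment the guess worked. The field names follow the Security log (EventID, TimeCreated, IpAddress, TargetUserName, LogonType); that the events arrive as one JSON object per line, the thresholds, and the sample records are assumptions.

```python
"""Detect RDP password guessing in Windows Security log events.
Added example, not from the original page or the FBI. Assumes the events
were exported as one JSON object per line carrying the standard Security
log fields EventID, TimeCreated, IpAddress, TargetUserName and LogonType."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables (assumptions): five failures from one source inside five minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample (not real telemetry). 4625 = failed logon, 4624 = logon;
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, RDP guesses are usually logged as 4625 with LogonType 3 instead.
SAMPLE_LOG = """
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:00", "IpAddress": "203.0.113.5", "TargetUserName": "administrator", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:10", "IpAddress": "203.0.113.5", "TargetUserName": "admin", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:20", "IpAddress": "203.0.113.5", "TargetUserName": "backup", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:30", "IpAddress": "203.0.113.5", "TargetUserName": "sqlsvc", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:40", "IpAddress": "203.0.113.5", "TargetUserName": "jsmith", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:00:50", "IpAddress": "203.0.113.5", "TargetUserName": "administrator", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2020-06-01T02:01:05", "IpAddress": "203.0.113.5", "TargetUserName": "jsmith", "LogonType": 10}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:03:00", "IpAddress": "198.51.100.7", "TargetUserName": "jsmith", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-06-01T02:04:00", "IpAddress": "198.51.100.7", "TargetUserName": "jsmith", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2020-06-01T02:05:00", "IpAddress": "192.0.2.9", "TargetUserName": "mlee", "LogonType": 10}
"""


def parse_events(text):
    """Parse JSON-lines events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["TimeCreated"] = datetime.fromisoformat(event["TimeCreated"])
        events.append(event)
    return sorted(events, key=lambda e: e["TimeCreated"])


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, source_ip, detail) alerts.

    brute_force: >= threshold failed logons from one IP within the window.
    success_after_failures: an RDP logon (4624, type 10) from an IP that had
    >= threshold failures inside the window, i.e. a guess that worked."""
    failures = defaultdict(deque)  # ip -> (time, username) of recent 4625s
    already_flagged = set()
    alerts = []
    for event in events:
        ip = event.get("IpAddress", "-")
        when = event["TimeCreated"]
        if ip == "-":
            continue  # local or unknown origin; not a network guess
        recent = failures[ip]
        # Slide the window: drop failures older than `window` before this event.
        while recent and when - recent[0][0] > window:
            recent.popleft()
        if event["EventID"] == 4625:
            recent.append((when, event.get("TargetUserName", "?")))
            if len(recent) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                users = sorted({user for _, user in recent})
                alerts.append(("brute_force", ip,
                               f"{len(recent)} failed logons within {window}; users tried: {users}"))
        elif event["EventID"] == 4624 and event.get("LogonType") == 10:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ip,
                               f"RDP logon as {event['TargetUserName']} after {len(recent)} failures"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{kind}] {ip}: {detail}")
```

On the sample, 203.0.113.5 trips both rules and the two-failure source 198.51.100.7 trips neither; the successful logon from 192.0.2.9 with no preceding failures is left alone. Real deployments tune the threshold per environment and usually key on the account as well as the address, since password spraying rotates source IPs while keeping the failure count per address low.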
The existing literature on cyber-crime investigation discusses the practical science of computer forensics at the technical level. Most of the writings in the field are intended for an audience already highly skilled in using computers. For example, Reyes (2007) addresses cyber-crime from its technical beginnings, through the law enforcement role of pursuit and apprehension, to the final legal issue of prosecution. However, he does not delve into case management or the over-arching strategy of computer crime investigation. Mendell (2004) addresses computer crime investigations and forensics by examining the factors used in determining whether or not a given computer crime is “solvable.” More precisely, this author explores the allocation of effort and resources in pursuing computer crime based on the probability of ultimately solving the crime. Mendell views computer crime investigation as a case-by-case approach instead of presenting a cohesive model for understanding cyber-crime investigation from a more strategic perspective.
When investigating cyber-crime, law enforcement agencies face several challenges, including the application of tactics, cooperation with concerned parties, and regularly operating between inconsistent legal frameworks in international investigations.
The work of Hinduja (2007) addresses some key concepts to be aware of when examining the process of cyber investigations, such as the tactics of traditional crime and how they apply to computer crime. The author also discusses the necessity of outsourcing investigations to the private sector, as the ability to cooperate with private companies affects both the investigation process and outcome (success). In the same vein, Sussmann (1999) points out another critical factor in computer crime investigations: international cooperation. Many western countries may be at the forefront of computer crime forensics and investigations, but other nations may not, and cooperation with them is a critical and ongoing challenge.
Finally, funding presents a critical challenge for most law enforcement agencies. The size of a law enforcement agency’s budget determines the number of agents it may employ and the resources at its disposal. Investigation resources are always limited, in both the cyber and the “real” world, inevitably provoking a certain level of attrition in the pursuit of particular cases. There are simply insufficient personnel and funds to adequately develop the skills of the workforce in charge of cyber-crime investigation. Budget constraints and resource limitations are pervasive factors that heavily impact cyber-crime investigation processes and tactics.
Due to their importance within the realm of national security, crimes that target a computer system are of special interest to governments and private industries. The large quantity of classified information and data stored in government computers and computer-dependent infrastructures within western countries represents critical political, economic, and security assets that require protection from attackers (state and non-state actors) both within and outside of a country. In retrospect, public awareness of the critical infrastructure built on computer networks, and of its vulnerabilities, did not fully develop until 1999, when Y2K became a front-page issue that highlighted society’s dependence on computer systems for everything from ensuring the prompt arrival of trains to protecting nuclear reactors.
Today, national security preoccupations are directed in part toward large-scale cyber-attacks that could target public and private computer infrastructures. Figure 1 shows the number of victims by country for 2020. IC3 reports that phishing/vishing/smishing/pharming victimized 241,342 people, more than any other cybercrime.
Despite warning signals from public and private sectors, doomsday and digital terrorist attacks have not yet caused the total collapse of western institutions. Nevertheless, threats of cyber warfare, virtual espionage, and “hacktivism” have materialized in the past two decades. Among the various challenges for national security practices, preventing and neutralizing attacks against the United States’ critical infrastructure at the hands of state and non-state actors is certainly a priority (NSCS, 2003). In that regard, Cavelty (2008) draws attention to the need to adequately secure government and military systems and address vulnerabilities in critical infrastructures in the U.S. by scrutinizing the context of policy planning and international relations. Carr’s examination of the concept of cyber warfare delves deeply into the vulnerabilities and political considerations of this new form of conflict (2010). Specifically, the author underscores the dangers of cyber warfare and outlines future threats and cyber warfare strategies (prevention or defense). This work builds on previous assessments conducted by U.S. law enforcement agencies for internal purposes.
In 2005, the FBI published the results of its computer crime survey. This exercise demonstrates the FBI’s keen interest in preserving the security of the “nation’s businesses.” It provides a broad overview of the computer security problems facing U.S. businesses, how much financial damage these security breaches are causing, and the measures U.S. businesses are taking to protect themselves. The Computer Security Institute (CSI) has likewise released survey information on cyberattacks, and the picture it paints is that cyberattacks have never been more complex or profitable.
In 2016, a group associated with North Korea known as Lazarus launched a cyberattack on Bangladesh Bank, the country’s central bank, issuing fraudulent SWIFT transfer instructions; roughly $101 million was moved and $81 million was never recovered. Lazarus is known to be behind other malicious attacks (CSI, 2021). Evil Corp took its name from the television series Mr. Robot, but its members and its exploits predate the show. This Russian-speaking group created one of the most dangerous banking Trojans ever made, Dridex, also known as Cridex or Bugat. The group attacked Garmin in 2020 and dozens of other companies (CSI, 2020).
These two groups account for only a small fraction of the attacks on the web. Cybercriminals have hacked major corporations. Some of the most notable cyber-attacks in recent history, and ones from which lessons can be drawn, are the Capital One breach, The Weather Channel ransomware, U.S. Customs and Border Protection/Perceptics, the Citrix breach, the Texas ransomware attacks, WannaCry, NotPetya, Ethereum, Equifax, Yahoo, and GitHub. The cyberattacks on these organizations affected millions of consumers and cost millions of U.S. dollars. In 2019, 4.1 billion personal records were exposed by cyberattacks. It is estimated that 34% of the attacks came from insiders within organizations, 39% from organized crime, and 23% from other actors. Ransomware alone is estimated to cost over $8 billion. Over $1 billion of that comes from victims who make ransom payments; the remaining costs are lost revenue and damage to the companies affected by the attacks.
Cyberattack maps show where attacks are observed most often. Norse produced probably the best-known such map (see Figure 2), although the company ceased operations in 2016. Kaspersky, an anti-virus vendor, publishes a real-time cyberattack map (see Figure 3). Such maps plot attacks against the vendor’s own sensors and customers, so they reflect that vendor’s visibility rather than all activity on the Internet.
The Verizon Data Breach Investigations Report (DBIR) provides perspective on the threats that organizations face. The 12th DBIR (2019) is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide.
The Verizon report finds that 52% of breaches featured hacking, 33% included social attacks, and 28% involved malware. The categories are not mutually exclusive, since one breach can involve several actions; the remaining breaches are attributed to errors by authorized users, privilege misuse, and physical actions rather than to a planned attack.
McAfee (2010) surveyed critical-infrastructure operators worldwide on the prevalence of cyber-attacks; respondents reported experiencing multiple large-scale denial-of-service attacks every month, with two-thirds of those attacks affecting operations.
While literature is abundant on computer crime, very little is focused on maximizing efficiency in public agencies by analyzing current investigation models and strategies. Most of the research does not address the current state of computer crime investigation processes or how law enforcement and national security agencies effectively address cyber threats. Given that public authorities currently face a wide range of cyber threats, it is important to know:
- How law enforcement and national security agencies set investigation priorities.
- How law enforcement and national security agencies achieve their organizational objectives and goals throughout the investigation process; and,
- The operational definition of “success” as conceived by law enforcement and national security agencies.
This study employs primarily qualitative methods in research design and analysis. Document review served as the initial data collection tool. News stories taken from western media sources, reports produced by official agencies (including press releases), and public records of criminal cases reported by law enforcement and national security agencies were reviewed for cyber investigation content. The information found in public reports and news media sources helped to identify specific cyber investigations and the corresponding federal agencies in charge of them. This data collection was useful in identifying the study participants (investigators) and preparing for interviews with them.
The second set of data was collected through semi-structured interviews with individuals employed by the Federal Bureau of Investigation (FBI), U.S. Secret Service (USSS), and Air Force Office of Special Investigations (AFOSI), all of whom have extensive experience in cyber-crime investigations. These organizations were purposely chosen for inclusion based on their responsibility for investigating cyber threats. Interviews were conducted with lead investigators (participants), and questions focused on the participants’ professional backgrounds, points of view on how they measure success in their cyber-related investigative work, and their understanding of the differences/similarities between traditional crime investigations and cyber-crime investigations. In the United States, the FBI has investigative jurisdiction over all facets of computer crime. The Secret Service is also an important agency to include in the study due to their heavy involvement in financial crimes, a major subset of cyber-crime. AFOSI was chosen as it was able to provide a distinctly different perspective, specifically that of internal counterintelligence gathering from within the federal government. Though AFOSI is a federal law enforcement agency, its jurisdiction in law enforcement is limited to the Air Force and federal government agencies only. However, by playing a role of an insider in the U.S. military apparatus, AFOSI facilitates computer counterintelligence related to cyber threats. Consequently, this agency has a key role at the national security level.
Investigating Cyber Threats: Preliminary Findings
This section presents preliminary findings from interviews conducted with cyber investigator participants working at the FBI, USSS, and AFOSI. More precisely, the analysis focuses on three key aspects explored during the interviews. Responses were examined as to the participants’ professional backgrounds and how those backgrounds do or do not shape investigation processes and tactics. Interviewees were also asked for their perspectives on the investigation process, with emphasis on the starting point of the investigation, discretionary investigative power, and case attrition. Finally, this section reports the participants’ responses regarding investigation outcomes.
Professional Background, Skills, and Tactics
One of the interesting characteristics noted from our interviews is that none of the individuals interviewed began their careers as cyber investigators. In general, the participants have between seven and eleven years of experience in cyber-crime investigations, though all of them started as police officers. According to their responses, the skills acquired as law enforcement officers are critical to their current work due to the feeling that the nature of the threats in cyberspace still requires traditional law enforcement tactics. According to the interviews, it seems that a background in traditional law enforcement, combined with current work within the arena of national security, provides a valuable composite lens through which to recognize and negotiate the differences in the handling of traditional crime investigations and cyber-crime investigations.
A finding reported by all interviewees was the necessity for traditional crime investigation techniques to remain an integral part of cyber-crime investigations. Despite the technical nature of the crimes they are fighting, there is always a human element that is a major consideration in traditional crime-solving. No matter how complicated and technological a computer crime may be, the perpetrator, the victim, and the investigator are still human.
Another reportedly critical aspect taken from traditional law enforcement techniques and featured in the response set is the ability to present investigative findings to a judge and/or jury. When a cyber-arrest is made and prosecution begins, the preparation for court requires traditional tactics. The evidence and case against the accused need to be presented in a form that anyone can understand and in a manner appropriate for a court of law. The members of the jury or the judge may not be as skilled in the realm of computers and information technology as the investigators are, making simplicity and clarity in the presentation of evidence and investigative processes essential.
In a traditional investigation setting, it is widely understood that the solvability of a crime will be a critical element in the decision to conduct an in-depth investigation. Usually, the factors determining a case’s solvability consist primarily of technical and physical evidence and other aspects such as the severity of potential damage or damage done. Though these investigative considerations are important in the case of cyber-crime, they are not central. The two main considerations indicated by interview responses had to do primarily with threat elimination and the possibility of prosecution. Threat elimination relates to the level and scale of the crime itself, as well as the possibility of the investigation leading up the “chain of command” of a larger organization.
The possibility of prosecution refers to the decision of the Assistant U.S. Attorney in the relevant district “to be on board” with the cyber investigation. U.S. Code, Title 18, Chapter 47, Section 1030 (the Computer Fraud and Abuse Act) sets the amount of loss that must be shown for most federal computer-crime prosecutions (in the common case, an aggregate loss of at least $5,000 during any one-year period). This legal prerequisite represents a significant limitation to the investigative process and accounts for considerable case attrition in cyber investigations. If the loss is not great enough, prosecution is not possible at the federal level. Even when the loss is sufficient to be considered a violation of federal law, the Assistant U.S. Attorney must agree with the investigators to prosecute the case. According to the interview responses, if cooperation between the investigators and the U.S. Attorney’s office is not established at an early stage of the investigation, much effort may be wasted.
Regarding the smaller cases of cyber-crime, it appears that many cases involving less damage are often left to the local police to investigate and prosecute. However, not all smaller cases are left to the locals. For example, the FBI may open a lower-order case if it is believed that the case will serve as the basis of an investigation into a larger organization. This notion ties in with the concept of threat elimination and its importance to federal investigators. The elimination of larger threats may begin at the lower levels, and the trail of investigations may lead the FBI or Secret Service up the ladder to a larger threat. The tactic of building an investigative ladder from the lower threats to the greater threats parallels the intelligence-led policing (ILP) model. Interview responses point out that the cybercriminals that pose the greatest threat are often at the top of organizations that operate on an international scale. These top-level individuals present the opportunity for the largest amount of threat elimination through a single investigation.
In general, cyber investigations are handled on a case-by-case basis. According to the study participants, no two cases are approached the same way. For example, AFOSI does not actively monitor systems in the Department of Defense (DoD), over which it has investigative jurisdiction. The investigation process begins when AFOSI receives specific requests from a federal agency, such as DoD. Once a request is received, AFOSI will investigate the affected system and monitor it for continued breach attempts if the system remains online. The FBI and Secret Service begin many investigations similarly, through complaints or notification from private companies or government agencies. For all three agencies, the starting point of a cyber investigation is mainly reactive, that is, a response to a complaint. This observation shows a critical departure from the ILP model, which emphasizes proactive rather than reactive investigation initiatives.
Beyond the initial detection, cases evolve depending on the magnitude and nature of the threat detected. This is one of the core principles of combating high levels of cyber-crime, as reported in participant responses. A consistent reaction to the large number of cyber cases involving lesser damage was not to pursue the criminal at all but to harden the target, much as problem-oriented policing does for traditional crime. For AFOSI, this translates into making or advising changes in security measures or systems. Meanwhile, the FBI and Secret Service each have established extensive partnerships with private businesses, especially large businesses and financial firms, allowing them to exchange information on threat patterns and crime prevention. Moreover, the Secret Service also benefits from partnerships with research institutions such as Carnegie Mellon University and the University of Tulsa.
According to all the interviewees, the perception of success within their agencies was not solely oriented toward the arrest and prosecution of offenders. Statements made by individuals from all three agencies emphasized the maximization of threat elimination regarding cyber-crime and counterintelligence in the realm of national security. Threat elimination is broad and encompasses various outcomes, from efforts to single out ringleaders or more valuable targets to the strengthening of potential targets in the private and government sectors. As detailed in interview responses, the definition of success in cyber-crime investigations revealed a policy and technique mirroring the lessons learned from studying other strategic threats like organized crime and terrorism. In other words, when the success of an investigation is defined by the number of arrests and prosecutions, the likelihood of an investigator going after lesser offenders is greater, which results in a safer operating environment for the more dangerous and larger players in the cyber-criminal world.
The participants’ responses that emanated from a national security standpoint offer different ideas of what success means. These responses reported the possibility of gaining counterintelligence from a cyber-threat to measure success in an investigation. When a cyber-criminal infiltrates a system, and it is determined to be a national security issue versus a criminal issue, then the possibility of a prosecution decreases significantly. In a national security matter, the priority becomes attribution, discovering the country or group the individual is from. If that can be done, then the presence and activity of the individual can be used as a valuable source of intelligence. As long as the value of the information gained outweighs the risks the intruder is causing, they may be allowed to continue their activities.
E-commerce Crime (ECrime)
This term refers to the illegal exploitation of computer technologies, usually involving the Internet, to support crimes such as fraud, identity theft, trafficking in stolen information, sales of stolen and counterfeited merchandise, and embezzlement.
- Auction Fraud.
- Classified Fraud.
- Non-Delivery of Goods / Payment.
- Sales of Stolen / Counterfeit Merchandise.
- Shill Bidding / Feedback Schemes.
- Credit Card Fraud.
- Identity Theft.
- Theft of Customer Information / Data (Data Breach).
II. The Impact on the Industry
A. IC3 (Internet Crime Complaint Center)
- Internet auction fraud accounts for 64% of all Internet fraud that is reported; and
- Complaints against individual subjects, as opposed to complaints against businesses, account for 84% of all complaints received.
III. TOP 5 Origins of Victims by State
- New York
Internet auction fraud involves schemes attributable to the misrepresentation of a product advertised for sale through an Internet auction site or the non-delivery of products purchased through an Internet auction site. In advance of purchasing on an Internet auction site, be sure to review the site’s fraud prevention tips and additional security alerts.
Credit/Debit Card Fraud
Credit and debit card fraud is a form of identity theft that involves an unauthorized taking of another’s credit or debit card information to charge purchases to the account or remove funds from it. The theft can be physical, when the actual card is taken, or it can involve only the card data, stolen from a poorly secured website or captured by a skimming device fitted to a card reader at a gas station pump or ATM.
Internet classified scams are twists on Advance Fee Scams, a fraud that has been around for many years. The scam artist capitalizes on advancements in cheap technology to create an email address, produce a glitzy website, manufacture authentic-looking counterfeit checks, and replicate official-looking logos and trademarks to make the scammer appear legitimate. Communication between potential buyers and sellers is established through online classified sites, such as craigslist.com or ebay.com. While most communications occur via email or text message, some scammers negotiate through phone calls, using Caller ID spoofing to hide the scammer’s actual telephone number. Whether on the buying or selling side of the transaction, the scammer uses various appeals to persuade the victim to send the scammer money by using fake online pay systems or wiring money to the scam artist. Once the payment is made, the scammer disappears along with the victim’s money.
- Non-Delivery of Merchandise
Non-delivery of merchandise is a scheme most often linked to Internet auction fraud. A seller on an Internet auction website accepts payment for an item yet intentionally fails to ship it. Sellers like these sometimes will relist the item and attempt to sell it again through a different username.
Non-delivery of merchandise can also be considered a form of business fraud in several cases. For example, some web-based international companies advertise in the U.S. for affiliate opportunities, offering individuals the chance to sell high-end electronic items, such as plasma television sets and home theater systems, at significantly reduced prices. When these items sell, and the funds are forwarded to the companies from their affiliates, the items fail to ship to the individuals who sold them and thus never make it to their respective buyers.
Counterfeit consumer goods are goods, often of inferior quality, made or sold under another’s brand name without the brand owner’s authorization. Sellers of such goods may infringe on either the trademark, patent, or copyright of the brand owner by passing off its goods as made by the brand owner.
Shill bidding is when someone bids on an item to artificially increase its price, desirability, or search standing.
Shill bidding can happen regardless of whether the bidder knows the seller. However, when someone bidding on an item knows the seller, they might have information about the seller’s item that other shoppers are unaware of. This could create an unfair advantage or cause another bidder to pay more than they should. Marketplaces therefore treat it as a policy violation; eBay, for example, prohibits shill bidding outright in order to maintain a fair marketplace for its users.
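How a marketplace could surface the pattern described above from its own bid history, as an added example that is neither eBay’s detection logic nor code from the page: for every (seller, bidder) pair with enough history, it computes the share of that seller’s listings the bidder touched, how often the bidder actually won, and how concentrated the bidder’s overall activity is on that one seller. A bidder who covers most of a seller’s listings, almost never wins, and bids almost nowhere else is behaving like a price-pumper rather than a buyer. The bid records and the four thresholds are constructed assumptions.

```python
"""Flag likely shill bidders from an auction bid history.
Added example; it is not eBay's detection logic or code from the page.
Heuristic: a bidder who bids on most of one seller's listings, almost never
wins, and places most of their bids on that one seller is behaving like a
price-pumper rather than a buyer. Thresholds and records are assumptions."""
from collections import defaultdict

# Constructed records (listing, seller, bidder, amount), in time order within
# each listing; the last bid on a listing is the winning bid.
BIDS = [
    ("L1", "sellerA", "buyer1", 10), ("L1", "sellerA", "shillX", 15),
    ("L1", "sellerA", "buyer1", 20), ("L1", "sellerA", "shillX", 25),
    ("L1", "sellerA", "buyer2", 30),
    ("L2", "sellerA", "shillX", 5), ("L2", "sellerA", "buyer3", 8),
    ("L2", "sellerA", "shillX", 12), ("L2", "sellerA", "buyer3", 15),
    ("L3", "sellerA", "buyer4", 40), ("L3", "sellerA", "shillX", 45),
    ("L3", "sellerA", "buyer4", 50),
    ("L4", "sellerA", "buyer2", 7), ("L4", "sellerA", "buyer5", 9),
    ("L5", "sellerB", "buyer1", 100), ("L5", "sellerB", "buyer2", 120),
    ("L6", "sellerB", "shillX", 30), ("L6", "sellerB", "buyer6", 35),
]


def shill_report(bids, min_listings=3, min_coverage=0.5,
                 max_win_rate=0.2, min_concentration=0.6):
    """Return one dict per (seller, bidder) pair that looks like shilling."""
    seller_listings = defaultdict(set)   # seller -> listings they ran
    pair_listings = defaultdict(set)     # (seller, bidder) -> listings bid on
    pair_bids = defaultdict(int)         # (seller, bidder) -> number of bids
    bidder_bids = defaultdict(int)       # bidder -> number of bids anywhere
    last_bidder = {}                     # listing -> (seller, bidder) of final bid
    for listing, seller, bidder, _amount in bids:
        seller_listings[seller].add(listing)
        pair_listings[(seller, bidder)].add(listing)
        pair_bids[(seller, bidder)] += 1
        bidder_bids[bidder] += 1
        last_bidder[listing] = (seller, bidder)
    wins = defaultdict(int)
    for pair in last_bidder.values():
        wins[pair] += 1

    flagged = []
    for (seller, bidder), listings in pair_listings.items():
        n = len(listings)
        if n < min_listings:
            continue  # too little history to judge
        coverage = n / len(seller_listings[seller])
        win_rate = wins[(seller, bidder)] / n
        concentration = pair_bids[(seller, bidder)] / bidder_bids[bidder]
        if (coverage >= min_coverage and win_rate <= max_win_rate
                and concentration >= min_concentration):
            flagged.append({
                "seller": seller, "bidder": bidder, "listings": n,
                "coverage": round(coverage, 2),
                "win_rate": round(win_rate, 2),
                "concentration": round(concentration, 2),
            })
    return flagged


if __name__ == "__main__":
    for row in shill_report(BIDS):
        print(row)
```

On the sample only shillX against sellerA is flagged (three of four listings, no wins, five of six bids); buyer2, who bid on two of sellerA’s listings and won one, is not. The three-listing minimum is what keeps a genuine but repeatedly outbid buyer from tripping the rule on thin data, and a production system would add signals this toy lacks, such as shared devices or addresses between seller and bidder, bid timing, and account age.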
Credit Card Fraud
Credit card fraud is a form of identity theft that involves an unauthorized taking of another’s credit card information to charge purchases to the account or remove funds from it. Federal law limits a cardholder’s liability for unauthorized credit card charges to $50, and most banks will waive even this amount if the cardholder signs an affidavit explaining the theft. (Debit cards are covered by different rules: the cap rises the longer the cardholder waits to report the loss, which is one reason debit card theft can be costlier for the victim.)
Credit card fraud schemes generally fall into one of two categories: application fraud and account takeover.
Application fraud refers to the unauthorized opening of credit card accounts in another person’s name. This may occur if a perpetrator can obtain enough personal information about the victim to fill out the credit card application or create convincing counterfeit documents. Application fraud schemes are serious because a victim may learn about the fraud too late, if ever. Account takeover, by contrast, targets an existing account: the perpetrator obtains the card details or the account credentials and uses them to make charges, often changing the contact address on the account so that the legitimate cardholder does not see the statements.
Identity Theft is the illegal use of someone else’s personal information (such as a Social Security number), especially to obtain money or credit.
Theft of Customer Information / Data (Data Breach)
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. Other terms for this phenomenon include unintentional information disclosure, data leak, information leakage, and data spill. Incidents range from concerted attacks by black hats (individuals who hack for personal gain, or who are associated with organized crime, political activists, or national governments) to the careless disposal of used computer equipment or data storage media.
References and Sources
Carr, J. (2010). Inside Cyber Warfare: Mapping the Cyber Underworld. O’Reilly Media.
Dunn Cavelty, M. (2008). Cyber-Security and Threat Politics: US Efforts to Secure the Information Age. Routledge.
Hinduja, S. (2007). Computer crime investigations in the United States: Leveraging knowledge from the past to address the future. International Journal of Cyber Criminology, 1(1), 1-26.
McAfee (2010). In the Crossfire: Critical Infrastructure in the Age of Cyber War. McAfee and the Center for Strategic and International Studies.
Mendell, R. L. (2004). Investigating Computer Crime in the 21st Century (2nd ed.). Charles C Thomas.
NSCS (2003). The National Strategy to Secure Cyberspace. The White House, Washington, D.C.
Reyes, A., et al. (2007). Cyber Crime Investigations: Bridging the Gaps Between Security Professionals, Law Enforcement, and Prosecutors. Syngress.
Sussmann, M. A. (1999). The Critical Challenges from International High-Tech and Computer-Related Crime at the Millennium. Duke Journal of Comparative & International Law, 9, 451-489. https://scholarship.law.duke.edu/djcil/vol9/iss2/5
Verizon (2019). 2019 Data Breach Investigations Report (12th ed.). Verizon Enterprise Solutions.