FBI: Internet fraud complaints up 33 percent in 2008

With attackers becoming more sophisticated, Internet crime complaints have jumped

2008 was the busiest year yet for online fraudsters according to an annual Internet Crime Report released Monday by the U.S. Federal Bureau of Investigation.

The FBI's Internet Crime Complaint Center (IC3) logged more than 275,000 complaints last year -- a jump of 33 percent from the year before -- accounting for about US$265 million dollars worth of losses, according to the center's 2008 Internet Crime Report.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Complaints to the IC3 had been dropping since 2005, but last year broke the previous record of 231,000. The median dollar loss per complaint was $931. In 2007 it was $680.

The jump in complaints isn't surprising. Computer security experts say that 2008 was a watershed year for cybercriminals as they perfected their techniques, building automated "SQL Injection" programs that could quickly place malicious attack code on thousands of Web sites, and running massive networks of botnet computers that could be used to steal sensitive information and infect other computers.

As in previous years, online auction fraud and nondelivery of merchandise accounted for more than half of the complaints, although auction-fraud complaints dropped more than 10 percentage points from 2007 levels.

Credit and debit card complaints were up in a year when two major payment card processors -- Heartland Payment Systems and RBS WorldPay were hacked. In 2007, credit and payment card fraud made up 6.3 percent of complaints. Last year, with even more complaints on the books, this kind of crime accounted for 9 percent of the total.

Most fraudsters use e-mail to reach their marks, and spam designed to steal sensitive financial information was "one of the more significant scams" the IC3 saw last year. In one new scam, the criminals sent messages doctored to look as though it had come from the FBI, asking for bank account information in order to help with a financial investigation. "Many of these e-mails also contain an element of extortion," the IC3 report states. "Recipients are told that if they do not comply with the FBI's request for information they will be prosecuted."

In another widespread scam, the criminals would hack into a victim's e-mail account and then send out messages to friends, claiming that they were stranded in Nigeria or some other foreign country and needed some quick cash to get out of a jam.

The IC3 data comes from the cybercrime victims themselves. It is then shared with law enforcement and regulatory agencies that use it to get a track on crime trends and to prosecute criminals.