Tech: Inside The FBI's Cybercrime Survey

Ever receive a "Dear friend" e-mail from a "West African widow" you've never met? Did this person claim to have access to millions of dollars in "leftover funds" and want to transfer them to a "foreign partner" such as yourself for safekeeping, for which you would be handsomely compensated?

Did you, even for just one second, consider replying to that e-mail?

If you did, you're not alone. Gullible greedies laid out, on average, $5,100 a pop in response to such "419" e-mail scams (named for the section of Nigerian criminal code they violate), according to the recently released annual survey from the FBI's Internet Crime Complaint Center (IC3). The IC3 reports that during 2006, consumers filed 207,492 complaints, down 10 percent from the year before. There may have been fewer complaints, but victims say they lost more than ever online—$198.4 million, the highest total in the six years the FBI has released the report. The highest average losses per victim were among those snookered by the Nigerian 419 letter fraud. But of all Internet crime complaints, online auction fraud was by far the most reported, accounting for nearly half (44.9 percent) of all complaints.

NEWSWEEK's Brian Braiker recently spoke with James E. Finch, assistant director of the FBI Cyber Division, about the survey and why, if an online offer looks too good to be true, it probably is. Excerpts:

NEWSWEEK: Nearly half of all complaints last year were about auction fraud [primarily people collecting money on bids without delivering the promised items]. Does it surprise you that it's such a large piece of the pie?
James E. Finch: It is surprising to me, but then again you look at the number of people who use the online auctions who have very little computer-security skill. Online auctions are really a way for a lot of people to make money, and that naturally attracts many people—trained and untrained—to the auctions. Based on the number of online auctions, I would think those numbers would probably continue to go up.

Losses were highest among victims of the Nigerian letter scam. Is it astonishing to you how gullible some people still are? This thing has been around for years.
If you look at the delivery method, the Internet has allowed the Nigerian letter fraud scam to be—I wouldn't say perfected—but certainly reach a lot more potential victims. In many cases with the postal services, you didn't have that broad reach. With the Internet you can reach thousands with the push of a keystroke. This is a scam that is reaching people who have never been touched before by it.

It predates the Internet?
Oh, yeah. This plagued the postal service for many years. Now, every year you get a new batch of potential victims. There are so many different twists to that fraud. People see this as a something-for-nothing type deal. I'm seeing variations of the Nigerian letter fraud, but for the most part it's the same thing that's been going on for years.

This survey tallies allegations of fraud that have been reported. There must be countless other people who feel they've been victims that don't come forward.
We have no way to accurately gauge underreporting. It would be merely a guess. Certainly I agree there is probably a lot. There are those who have not realized they were scammed or were victims of a scam. Some don't report due to embarrassment—there are numerous reasons. But as the scams become more perfected, people start to lose more money, certainly they believe there is more recourse. We are starting to see more litigation where people are following through and seeing successes.

But the number of complaints has gone down over last year.
Yeah, they have. It could be due to perpetrators going after larger targets—that's difficult to prove. It could be the result of other things. I would not say we have any reason to believe that is going to be the case for '07 that they go down even further.

Are you noticing any trends in these numbers? Anything about, say, child pornography, phishing or identity theft?
What we've actually seen is that the skill set of the perpetrators is getting better. Are the tools to counter that improved skill set available? I believe the tools are out there. However, some people do not avail themselves of those tools. That's why we're not seeing a downtrend. The hackers are getting better, and we're getting new people online every day, new potential victims on a regular basis. I suspect at some point online auctions will probably provide a different type of security to counter the vulnerabilities that actually allow auction frauds.

So we'll see a correction in the marketplace?
If it negatively impacts the bottom line, they correct. I expect to see the online auctions change to meet the increased skills of the hackers, the perpetrators of online frauds.

I've noticed that just over the course of this year I've been getting more spam than ever. Why is that?
I do see spam being more focused. And a lot of spammers are putting their services out for hire. There are a lot more sites available to those who would like to spam. There is easier access to tools necessary to spam. So you are seeing more people do it who didn't have the ability before.

Symantec, the Internet-security software company, recently reported that cybercriminals are consolidating much in the same way IT vendors are.
Without a doubt. You have entire groups who have never physically met who come together as an organization with different assignments in the organization to perpetrate organized crime online.

Any tips for people who may not be the savviest users of the Web?
Certainly all of the security tips continue to be good ones: antivirus software, spyware software, software that looks for rootkits. Many of the suites out there are certainly useful for online- or cybersecurity. Using wireless connectivity, they should certainly change the default of the SSID number—people buy routers with default passwords and they never change them, so right away someone owns your system because you didn't change the password. Users should certainly avail themselves of encryptions. Many people don't, and as a result, they are putting their information at great risk, especially personal identification information.

A lot of the perpetrators are from out of the country. Romania ranks fifth on your list.
We've seen them from all over the world. I don't think Romania has the market cornered on organized online crime. I think what you can probably surmise is that the same countries that were involved in mail fraud, in insurance scams, are taking advantage of the Internet, taking advantage of the anonymity and speedy delivery.

Does their being abroad make it harder for the FBI to combat?
Working closely with our international law-enforcement partners is an absolute must in combating cybercrime. It's not unusual for me to deploy one of our Cyber Action Teams to a country to assist them. And in most cases we're going after organized groups. But because the Internet has no boundaries, it has forced us to forge those relationships overseas. That includes an international child-pornography task force, the Innocent Images International Task Force, where officers [abroad] commit to working six months along[side] our agents to combat child porn facilitated by the Internet, so it's worked out well.