FBI Report on Cyber-Crime Extortions

In 2018, the Federal Bureau of Investigation (FBI) reported receiving 51,146 extortion-related cyber-crime complaints that involved adjusted losses of over $83 million. This represented a 242% increase in extortion related complaints from 2017. Extortion occurs when a criminal makes a demand for something of value from a victim by threatening physical or financial harm or the release of sensitive data. Extortion is used in various reported schemes. Virtual currency (BITCOIN) is commonly demanded as the payment mechanism because it provides the criminal an additional layer of anonymity when perpetrating these schemes. Most extortion complaints received in 2018 were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid.

Most Common Cyber Extortion Schemes

• Denial of Service attacks typically involve one computer and one Internet connection to flood networks/systems, making it unavailable to its intended user.
• Hitman Schemes are email extortions in which a perpetrator sends a disturbing email threatening to kill the recipient and/or their family, and instructs the recipient to pay a fee to remain safe and avoid having the hit carried out.
• Sextortion occurs when a perpetrator threatens to distribute an individual’s private and sensitive material unless the individual provides the perpetrator images of a sexual nature, sexual favors, or money.
• Government Impersonation Schemes occur when a government official is impersonated to collect money, most commonly posing as the IRS.
• Loan Schemes involve perpetrators contacting victims claiming to be debt collectors from a legitimate company and instructing victims to pay fees to avoid legal consequences.
• High-Profile Data Breaches occur when sensitive, protected, or confidential data belonging to a well-known or established organization is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
• Distributed Denial of Service (DDoS) attacks use multiple computers and Internet connections to flood networks/systems.

Safeguarding Tips from Strategic Management

1. Train employees not to click on email links/attachments, or respond to “phishing” inquiries;
2. Provide ongoing employee and contractor training on what to do and not to do;
3. Implement policies/procedures that help to prevent malware;
4. Conduct a risk assessment to understand threats presented by an insider;
5. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access;
6. Configure email servers to block zip or other files that are likely to be malicious;
7. Continuously monitor employee and vendor networks;
8. Update and upgrade software;
9. Use encryption to guard against information being read by unauthorized parties;
10. Establish multi-factor authentication; and
11. Regularly test users to make sure they are on guard.

For more information on health care provider cyber-security, contact Dr. Cornelia Dorfschmid at [email protected] or (703) 535-1419.

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 2,000 health care organizations and entities in developing, implementing and assessing compliance programs.