While the FBI estimates that email-compromise attacks, which break into the email systems of company’s and use similar email addresses to pretend to be people associated with the organization to gain access to large amounts of funds, accounted for about $1.87 billion in losses in 2020, up from about $1.78 billion in 2019—the costliest category of crime reported to its Internet Crime Complaint Center, or IC3, a maze of rules and minimum requirements within the FBI often lead to similar cases going unaddressed and unsolved, reports the Wall Street Journal. Over the course of one month in 2020, hackers siphoned $650,000 from One Treasure Island, a nonprofit that is redeveloping its namesake island in San Francisco Bay as a haven for low-income and formerly homeless people, yet the U.S. attorney’s office in San Francisco declined to open an investigation and the FBI hasn’t been in contact since.
Experts explain that authorities are unlikely to pursue a case unless the loss is at least half a million dollars and leads haven’t dried up, a triage method that helps the FBI deal with thousands of complaints. Last year, more than 19,300 reports of email-compromise crimes came in nationwide, IC3 data shows. Reports made within 72 hours of a money transfer improve the odds of recovery, said Sounil Yu, chief information security officer at cybersecurity firm JupiterOne Inc. Longer than that and prospects fade, as once criminals move money abroad, it’s harder to trace. In addition, a maze of rules affecting local, state and federal agencies can hinder investigations, said Joseph Neumann, a cyber executive adviser at cybersecurity firm Coalfire Systems Inc. who works with victims of business email compromise attacks. “The legal system in the U.S. is not known to be fast or agile, and is currently trying to chase technology in the 21st century with 19th-century process and tactics,” he said.