The rapid pace of technological advancements and digital transformation has given rise to more complex and dangerous cybersecurity risks. And as these threats grow and evolve, insurers and businesses need to know what they’re up against.
In this article, Insurance Business delves deeper into the biggest cybersecurity threats facing businesses in the US. We will crunch the numbers to get a clear picture of the scope and financial impact of each.
Insurance professionals and business owners can use this guide to gain a deeper understanding of how cyber risks can affect their operations. They can also get expert tips on how to protect themselves from damaging cyberattacks.
Cyber threats come in different forms. From malicious software to social engineering scams, cybercriminals are using more devious tactics to infiltrate computer systems. Here are the biggest cybersecurity threats facing US businesses based on the Federal Bureau of Investigation’s (FBI) latest internet crime report. The list is arranged by business losses.
Total losses: $4.57 billion
Number of complaints: 39,570
Investment scams are designed to entice victims with the promise of huge returns on their investments. Investment fraud has consistently been at the top of the FBI’s list of the biggest cybersecurity threats in terms of losses in the past several years.
Last year, such incidents resulted in $4.6 billion in losses, rising more than a third from $3.3 billion in 2022. Investment scams involving cryptocurrency comprise most of the 39,570 recorded complaints. Losses from these amounted to almost $4 billion in 2023, up from $2.6 billion the previous year.
Total losses: $2.95 billion
Number of complaints: 21,489
In social engineering, cybercriminals use emotional and psychological tactics to manipulate a victim into taking a desired action. This type of cyberattack uses powerful motivators such as money, love, fear, and status to get sensitive information.
Attackers then use the stolen data to extort a company or gain a competitive advantage. The use of emotions to trick people makes social engineering one of the biggest cybersecurity threats for businesses in the US.
Social engineering attacks take on many forms. Among the most common is business email compromise (BEC). In a BEC attack, bad actors assume the identity of a trusted individual to trick users into sharing data or sending money.
The FBI received almost 21,500 complaints of BEC attacks in 2023. These incidents cost businesses a whopping $2.9 billion in losses.
Total losses: $534.38 million
Number of complaints: 3,727
Data breaches happen when cybercriminals get unauthorized access to confidential information. Data breach incidents have been increasing in the past few years, according to the FBI’s data. From around 1,290 in 2021, the number of complaints rose to almost 2,800 in 2022 before hitting about 3,730 last year.
In terms of losses, data breaches have cost businesses around $534.4 million, up 16% from $459.3 million in 2022.
Check out the latest data breach incidents that have affected insurance companies in our insurance industry cybercrime report.
Total losses: $394.05 million
Number of complaints: 14,190
This occurs when cybercriminals impersonate a government official to collect money. The FBI reported 14,190 complaints of government impersonation scams in 2023. These incidents have resulted in over $394 million in losses, ranking as the third costliest cybersecurity threat on the list. This figure is up 63% from $240.5 million in 2022.
Total losses: $126.2 million
Number of complaints: 19,778
What makes identity-driven attacks one of the biggest cybersecurity threats? They are difficult to detect. In this type of cyberattack, bad actors steal a valid user’s credentials and masquerade as that user.
Here are some of the most common forms of identity-based attacks:
There were almost 19,800 incidents of cyber-related identity theft reported to the FBI last year. These account for about $126.2 million in losses. Although the value is astounding, this is actually a 55% decline in the past two years.
Get expert tips on how companies can protect themselves against business identity theft in this guide.
Recently, we unveiled our five-star awardees for the Top Cyber Insurance Companies in the USA. By partnering with these insurers, you can be sure that you’re in good hands if you become the target of a cyberattack.
Total losses: $59.64 million
Number of complaints: 2,825
Ransomware is a type of malware that cybercriminals use to prevent a victim from accessing essential files or systems until a ransom is paid. In a ransomware attack, bad actors encrypt the victim’s data and offer a decryption key in exchange for payment.
Ransomware is often launched through malicious links sent in phishing emails. Systems may also be encrypted through policy misconfigurations and unpatched vulnerabilities.
In 2023, ransomware attacks cost more than $59.6 million in losses from 2,825 reported incidents. This amount doesn’t include lost time, wages, and equipment, as well as restoration costs.
Learn more about the biggest ransomware trends that US businesses should be wary of in this guide.
Total losses: $22.42 million
Number of complaints: 540
A denial-of-service (DoS) attack works by flooding a network with false requests to disrupt a business’ operations. When a DoS attack occurs, victims are unable to perform routine tasks, including accessing emails and websites.
This type of cybersecurity threat doesn’t often result in stolen data and can be resolved without paying a ransom. But it can cost companies time and resources to restore operations.
DoS attacks are categorized under botnets in the FBI’s data. The organization received 540 complaints last year. These incidents resulted in $22.4 million in losses, up from $17.1 million the previous year.
Total losses: $18.73 million
Number of complaints: 298,878
Phishing and spoofing schemes are designed to trick users into providing sensitive information to scammers. Although both involve deception, there’s a distinction between these cybersecurity threats.
Phishing uses email, SMS, social media, and social engineering tactics to lure a victim into sharing confidential information or downloading a malicious file on their devices. Phishing takes on several forms, including:
Spoofing happens when bad actors try to convince a victim that they are interacting with a trusted source. Cybercriminals often disguise an email address, sender, phone number, or website URL as something legitimate by changing a character.
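A defensive check for the one-character spoofing described above, as an added example that is not part of the original article: it flags sender domains that sit within one edit or one look-alike character of a trusted domain. The allow-list, the character map and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed allow-list: domains the organization actually corresponds with.
TRUSTED = {"example.com", "examplebank.com"}

# Small constructed sample of look-alike characters, folded to plain ASCII.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})

def skeleton(domain):
    """Lower-case, NFKC-normalize and fold look-alike characters."""
    return unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED):
    """Return (verdict, matched_domain) for an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Distance 0 after folding means a homoglyph swap; 1 means one typo.
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["billing@example.com", "billing@examp1e.com",
                   "billing@exampel.com", "news@unrelated.org"]:
        print(sender, classify_sender(sender))
```

A "lookalike" verdict is a reason to quarantine or banner the message for review, not proof of fraud; the character map here covers only a few substitutions.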
The FBI received almost 299,000 phishing and spoofing complaints last year. Although the figure is down 7% from the previous year, these types of attacks remain the biggest cybersecurity threats in the country.
In terms of losses, phishing and spoofing attacks accounted for $18.7 million in 2023. This is a huge drop from $160 million in 2022.
Total losses: $7.56 million
Number of complaints: 1,498
Copyright infringement is the illegal use of others’ intellectual property. This ranges from trade secrets and proprietary products to music, movies, and even computer software. There were about 1,500 reports of intellectual property rights infringement last year. These violations cost businesses more than $7.5 million.
Total losses: $1.21 million
Number of complaints: 659
Malware, short for malicious software, is any program or code created to harm a computer, network, or server. The goal is to steal sensitive data and disrupt a business’ operations.
This type of cyberattack tricks users into downloading what seems to be harmless files or links. If successful, these programs enable bad actors to access not only the victim’s computer but also the entire network within a company.
Malware is the most common form of cybersecurity threat, primarily because it comes in many forms. These include ransomware, which is also part of the list. Other examples are adware, spyware, trojans, and worms.
There were 660 incidents of malware reported to the FBI last year. These amount to $1.2 million in losses. The figures exclude ransomware.
The FBI’s internet crime report recorded around $12.5 billion worth of losses from almost 692,000 reports of cyber incidents. The 10 biggest cybersecurity threats on our list account for more than two-thirds or $8.6 billion of the monetary losses.
With the constantly evolving threat landscape, cybercrime losses are predicted to reach $10.5 trillion globally by 2025. This highlights the importance of having solid cybersecurity measures for all businesses.
Nathan Little, vice-president of digital forensics and incident response at Arctic Wolf, notes that most cyberattacks are financially motivated. Only a small subset is driven by other factors, including political, social activism, and military goals.
“The cybersecurity threat landscape is broad – attackers have an array of tools and tactics that have made mitigating risk much more complicated in the last several years,” he said.
While cyber criminals can gain access in a variety of ways, bad actors often turn to tried-and-tested methods, including through:
“Once inside a business' network or account, the threat actor can conduct whichever attack is most likely to turn a profit for the attacker. Currently, that is wire fraud and/or ransomware attacks.
“The attackers are located all over the world, but they are typically located in countries that are less likely to cooperate with the US law enforcement or other countries that they attack.”
Once an attack is turned into profit – often via fiat currency or cryptocurrency – the attacker reverts to typical money laundering tactics to turn their profits into usable cash.
“Often, these attackers are part of a larger organized attack group working together, but there are many solo attackers, too.”
One of the biggest misconceptions about cybersecurity threats is that you have to be a large corporation in America to be vulnerable. This belief leaves many small businesses unprepared once they have become targets.
There are several practical ways, however, for small and mid-size enterprises to protect themselves without the need to deplete their resources. Here are some suggestions from the US Small Business Administration (SBA).
Businesses need to have a deep understanding of the risks they’re facing. A cybersecurity risk assessment can help them identify their vulnerabilities and create a plan of action. This can include user training, guidance on securing email platforms, and advice on protecting business information.
“While it is important to have the right tools to manage an organization’s environment, it’s even more critical to have 24x7 visibility into your system and be properly staffed to shore up defenses,” Little said. “By unifying and operationalizing the needed security tools, IT teams will be freed up to dedicate their time to business-critical functions.”
It helps to have a proper vulnerability detection service. “This is a service that continuously looks for common causes of incidents and ensures that they are patched before an attacker gains access.”
Employees and emails have become a leading cause of data breaches because they provide a direct path into the business’ computer systems. Training staff in basic cybersecurity best practices can go a long way in preventing cyberattacks.
“Continuously train employees to identify phishing attempts,” Little says. “Hammering home cyber hygiene training once a year isn’t enough with more sophisticated technology like AI making it easier for threat actors to craft believable email scams. Create a year-round approach with tests for your team members so they can learn to be vigilant and flag any suspicious emails.”
Businesses must ensure that their systems are equipped with the latest antivirus software and antispyware. They must also keep these programs regularly updated.
Businesses can safeguard their internet connection by using a firewall and encrypting all their data. Companies must also ensure that their Wi-Fi networks remain hidden and secure.
One of the simplest ways to improve cybersecurity is to use strong passwords. A strong password has:
Multi-factor authentication (MFA) is a verification process that requires users to provide two or more proofs of their identity to access their accounts. This adds another layer of security. For example, businesses can require users to provide a password and a code sent to a different device before granting them access to an online account.
One of the most cost-effective cybersecurity measures, backing up data ensures that essential information can be recovered if a cyberattack or computer issues occur.
Businesses should work with their banks to make sure that the most trusted and validated tools and anti-fraud services are being used. Companies must also isolate payment systems from less secure programs. They should use separate computers when processing payments and surfing the internet.
Companies should prevent unauthorized individuals from accessing or using business-owned computers. They should also grant administrative privileges only to trusted IT staff and key personnel.
Cyber insurance helps cover the financial losses resulting from a cyber incident. It can also pay for claims made by individuals or groups that may have been harmed due to an attack on the business.
“As threat actors continue to advance, breaches will happen inevitably no matter how careful we are,” Little said. “Embracing offerings in the insurance realm can help businesses bounce back in the wake of an incident.”
“Given the rapid adoption of cyber insurance and the prolific nature of threat actors and their attacks – this is a step I recommend organizations evaluate as they build their response plans.”
If you’re searching for a cyber insurance provider that offers the best coverage, our Best in Insurance Special Reports page is the place to go. You can be assured of the highest levels of service and support from these companies if faced with a cybersecurity threat.