Ransomware, business email compromise, and social engineering are among the top threats facing organizations, but the magnitude of the problem is not well-understood, Europol said in its threat assessment report.
There are plenty of signs suggesting that cybercrime is growing, but organizations don’t always involve law enforcement, making it difficult to quantify the number of incidents, Europol said in its Internet Organised Crime Threat Assessment 2020 report. One reason to not report security incidents to law enforcement is to avoid public disclosure, since the news may damage its brand and reputation.
Victim organizations “appear to be reluctant to come forward to law enforcement authorities or the public when they have been victimised,” Europol said in the report. Since victims aren’t reporting the attacks, investigators have a harder time identifying and investigating the cases.
For many organizations, involving law enforcement is simply not a priority because the focus is on business continuity and recovery. That is especially true in the case of a ransomware attack. The victim organization may be more interested in restoring the data and getting the systems back up and running, in which case they would prefer to just pay the ransom and be done. Calling in law enforcement could potentially slow down getting back to normal. It may make more sense for these organizations to work with privacy security companies or insurers offering specific services to recover from these attacks.
"By using such companies, victims will not file an official complaint, which increases the lack of visibility and awareness concerning real figures of ransomware attacks among law enforcement," Europol said.
Another reason is that the victim organization may not know that these incidents should be reported, or have an idea on how to reach out to the appropriate authority. Over the years, law enforcement authorities in different countries have begun streamlining their processes to make it easier for organizations to file a report after an attack. There are still some obstacles, as some local entities may not have systems capable of accepting these reports, Europol noted in its report. In at least one country, ransomware was not considered a separate category and would be rolled into a general data breaches category. Local and national authorities also need to improve their coordination, so that information is available to investigators.
“Information reported to local police may not find its way to national or central units, meaning law enforcement at is unable to connect the dots on a national scale and with their respective international partners,” Europol said.
Victim organizations may also have the perception that there is no value to reporting the attack because law enforcement entity won’t have the resources to investigate. It’s a circular argument, since many of these entities don’t have the resources because it isn’t clear that there is a problem. If more victims notified law enforcement, then the authorities would be able to ask for more resources to investigate.
“Under-reporting prevents law enforcement from forming the bigger picture and gathering reliable data, and monitoring whether cybercrime has been increasing or decreasing in reality,” Europol said.
If more victims reported cybercrimes, law enforcement would have more information and could uncover connections across different incidents. That would help with education outreach to warn other organizations on what to look out for and avoid becoming victims. Law enforcement authorities may also be able to use the information from other incidents to help organizations recover if they were already compromised.
Criminals are evolving their tactics to adjust to changing circumstances and available tools. For example, cybercriminals are “employing a more holistic strategy” in their social engineering campaigns as they cooperate with other criminals and incorporate new tools, systems, and vulnerabilities. As for business email compromise, cybercriminals “have shown a significant understanding of internal business processes and systems’ vulnerabilities.”
"Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed," Europol said.