Cybercrime Victims: A Law Enforcement Perspective

Jim Ellis D/F/Lt. Commander of the Michigan Cyber-Command Center (MC3), Michigan State Police interviewed by Taryn Porter

Victims often turn to law enforcement when they are affected by cybercrime. Most law enforcement agencies are not equipped to take on cybercrime calls. However, some have critical response teams for large-scale cybercrime, like the Michigan State Police’s Emergency Operation: The Michigan Cyber-Command Center (MC3). The MC3 is a group of skilled private and public professionals who are highly trained in emergency response to cyber-events. The MC3 is responsible for combined efforts of cyber-emergency response during critical cyber incidents in Michigan. We interviewed Jim Ellis, D/F/Lt. Commander of the MC3, Michigan State Police and CSN Board Member, about his experience with cybercrime victims and cybercrime recovery.

Q1: The MC3 responds to critical cyber-events. In your experience, what types of cyber events do you see most often?

“Common are network intrusions, business email compromises, ransomware infiltrations, and credential-stealing, which are typically initiated by users being tricked with phishing emails and/or social engineering.”

Q2: In a cyber event like business email compromise (BEC), who is affected?

“Businesses of any size and consumers can be victims of BEC.  Those behind BECs are sending authentic-looking emails, invoice attachments, package delivery notifications, financial requests, anything that looks like normal business or consumer transactions and often look like they are from people you are familiar with or do business with. They are usually asking for payment to be made or a transfer of funds and often indicate a form of urgency.”

Q3: The MC3 emphasizes prevention, response, and recovery from cyber incidents. What advice do you have for victims who want to recover and prevent a future cyber incident?

“For cyber victims that wish to be able to recover from a cyber incident, they must have a continuity plan ahead of time. Educate yourself regarding cybersecurity best practices for your situation and environment. Both businesses and consumers should ensure they have multiple backups of their data including an offsite/offline backup. Validate the integrity of your backups by testing them periodically. If you know you will need help with support, know your contacts ahead of time.  To minimize your risk of becoming a victim, ensure you are using a form of endpoint antivirus/malware protection, keep your operating systems, applications, and drivers up to date; (i.e., Windows, Android, iOS, macOS, etc.) Update the firmware on your hardware devices: routers, switches, vehicles, cell phones, anything IoT: cameras, doorbells, toys, etc. Use a password manager and hard-to-guess long usernames and passwords or passphrases. Use two-factor authentication everywhere it’s offered and encrypt your data, especially on portable devices. This will be a good basic start as you are not excluded from becoming a victim.”

Q4: We believe in the importance of giving victims a voice. In your experience with cyber-events and victims, is there a particular victim story that stands out to you? What steps were taken towards recovery?

“A school district was a victim of BEC.  Due to it being the summer months, the school was under construction for updating and maintenance.  A bad actor, posing as a construction contractor, sent an email to the school with ACH (Automated Clearing House) account information for the processing of payments online, which is not uncommon. The financial bill payer of the school complied and sent two payments over a two-month period.  The first payment was $160,000, the second payment of $140,000. After two months, the contractor contacted the school and asked why they had not received a payment yet. The school advised they had sent one payment each month over the last two months, totaling $300,000. The school then realized the original email they received asking to set up the ACH account was one letter off on the email address domain name from that of the actual contractor email address.  Instead of the email address being (example only), the bad actor used  Instead of a “w”, the bad actor used two ”v’s” to look like a “w”.  

The school district notified the MSP MC3 and an investigation was started. The school district’s bank was contacted immediately, and their accounts were flagged and frozen. The bank put a stop on the payments and prevented about $200,000 of the total funds from being paid to a bad actor.  School district financial personnel were educated on the basics of cybersecurity and social engineering. A procedure was put in place to validate all electronic payments that were over a set dollar amount, by a telephone call to the known recipient. The MC3 worked diligently with bank and school financial personnel along with internet service providers, federal partners, and others. Due to the bad actor hiding his identity and digital footprints, they were not identified. It is theorized that the bad actor researched online Request For Proposals (RFP’s) and bids won by contractors. They purchased the domain name used and set up the ACH account for receiving and transferring of payments.  They then sent emails to the school posing as the contractor and waited for the payments to arrive into their account.”

Thank you to Jim Ellis for taking the time to share his first-hand cybercrime victim experience with us. The MC3 emphasizes the importance of prevention, response, and recovery from cyber-incidents. Cybercrime Support Network supports these efforts, as they align strongly with our own. We believe in the importance of giving victims a voice. When cybercrime victims’ stories are heard, they are able to seek recovery. If you have been affected by cybercrime, visit us at for recovery resources and next steps.