United States: Cyber Crime Pays! Different Attacks Have Different Values

Cisco's midyear report showed that CEO fraud netted cybercrime five times more money than ransomware ¹ over the last three years. CEO fraud is a scam in which cybercriminals spoof company e-mail accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information.

The FBI calls this type of scam "business e-mail compromise" and defines BEC as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."

In the time period from January 2015 to June 2016, the FBI reported a 1,300% rise in losses from this type of fraud. Most victims are in the United States (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small.

The surprising highlight of Cisco's 90-page report was that cybercrime made $5.3 billion from CEO fraud attacks—called business e-mail compromise (BEC) by the FBI—compared with a "mere" $1 billion for ransomware over a three-year stretch.

One reason for this differential is that ransomware takes time to develop and extensively test before any net Bitcoin comes into the wallet, compared to doing a quick bit of research on LinkedIn and crafting a spoofed spear-phishing attack. CEO fraud simply is faster to pull off. Moreover, your run-of-the-mill spray-and-pray ransomware attacks are often lower-dollar numbers.

Footnote

^{[1] A type of malicious software designed to block access to a computer system until a sum of money is paid.}