Cisco’s midyear report showed that CEO fraud netted cybercrime five times more money than ransomware [1] over the last three years. CEO fraud is a scam in which cybercriminals spoof company e-mail accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information.

The FBI calls this type of scam “business e-mail compromise” and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

In the time period from January 2015 to June 2016, the FBI reported a 1,300% rise in losses from this type of fraud. Most victims are in the United States (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small.

The surprising highlight of Cisco’s 90-page report was that cybercrime made $5.3 billion from CEO fraud attacks—called business e-mail compromise (BEC) by the FBI—compared with a “mere” $1 billion for ransomware over a three-year stretch.

One reason for this differential is that ransomware takes time to develop and extensively test before any net Bitcoin comes into the wallet, compared to doing a quick bit of research on LinkedIn and crafting a spoofed spear-phishing attack. CEO fraud simply is faster to pull off. Moreover, your run-of-the-mill spray-and-pray ransomware attacks are often lower-dollar numbers.

[1] A type of malicious software designed to block access to a computer system until a sum of money is paid.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. Accessing this blog and reading its content does not create an attorney-client relationship with the author or with Miles & Stockbridge. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.

[View source.]