Wednesday, June 23, 2021

Say $6 Trillion Again ... I DARE you: Examining the roots of a total BS Marketing Number

Disclaimer: The principle of Academic Freedom has been the same for 80 years or so.  I do not speak officially for my employer.  That isn't how Academic Freedom works.  This blog post represents my own thoughts and opinions.

How often have you heard the quote that the Cost of Cybercrime is $6 Trillion?

As I was doing some reading on Ransomware I came across this bolded quote yesterday: "Ransomware is set to cause $6 trillion in damages by 2021."  

Wow.  Makes you want to run right out and buy cybersecurity products, doesn't it?  Fear, Uncertainty, and Doubt, the marketing department's dream formula! You really can't fault the marketing folks who wrote that though ... every cybersecurity marketing department is jumping on the bandwagon.  And when dozens of journalists share the number blindly with no examination of the facts, how can they be blamed? 

Every time you see the preposterous number "$6 Trillion Dollars" with regards to cybercrime costs, even when mis-used, as above, the source will be traced to a Cybersecurity Ventures report. I did an analysis of that report back in October 2017 and wanted to walk you through it here, gentle reader, so that you would have a place to point people who quote the Six Trillion Dollar Charlatan.  Here is where things started for me, when I saw this report:

The original $6 Trillion Charlatan

Whether I'm grading a student paper, or reviewing a journal article submission, my approach to facts is the same.  Check the source. I'm hardly the only academic that has pointed out the shoddiness of many of the claims such as this one.  For another example, see the Journal of National Security Law & Policy article, "Advancing Accurate and Objective Cybercrime Metrics" by Stephen Cobb.  I love this quote from his peer-reviewed article:

"There is no shortage of data pointing to a dire state of affairs in cyberspace, published under headlines like “Global Breach Costs Set to Top $5 Trillion By 2024,” or "Global Breach Costs Set to Top $5 Trillion By 2024," and “Mobile Cyberattacks on the rise.” The manner in which such numbers and claims are quoted – and requoted – may lead the casual observer to believe they are based on official cybercrime metrics, yet few if any of these reports are the product of a comprehensive effort to consistently and objectively catalogue cybercriminal activity over time." (emphasis mine)

(Full disclosure, Stephen quotes my blog in his article - specifically my 30SEP2018 article "FBI's Crime Data Explorer: What the Numbers Say about Cybercrime.")

A reasonable approach to estimating the impact of Cybercrime might be to create various categories, suggest a reasonable maximum for each of them, and add them all together to create your estimate. That is the approach taken by some of my greatest cybersecurity heroes, in their excellent paper, "Measuring the Changing Cost of Cybercrime," presented at the 18th Annual Workshop on the Economics of Information Security. Is that the approach taken by Cybersecurity Ventures?  No. Not even close.

The $6 Trillion number that seems to be the point of the entire report seems to hinge on a single blog post from Microsoft, entitled, "The Emerging Era of Cyber Defense and Cybercrime" published 27JAN2016.  The Cybersecurity Ventures article has a footnote listing this as their source for their $3 trillion base.  Their Editor-in-Chief, Steve Morgan, by the way, continues to reference this number and use it in his fresh forecast.  In his 13NOV2020 prognostication, he now claims "Cybercrime to Cost the World $10.5 Trillion Annually by 2025" and STILL references the Microsoft blog in the highlighted link "$3 Trillion USD in 2015."

One would presume that the blog post linked by Steve to the words "$3 trillion USD in 2015" would make a claim that the cost of cybercrime in 2015 was $3 trillion.  But that isn't what the Microsoft article says at all!  What the Microsoft blog post by Pete Boden, General Manager of Cloud and Enterprise Security,  actually says is that "The World Economic Forum estimates the economic cost of cybercrime to be $3 trillion worldwide." 

But even that is a mis-statement.  The World Economic Forum certainly doesn't believe that the cost of cybercrime is two orders of magnitude higher than any reasonable estimate.  What did they actually say?

The report is "Risk and responsibility in a Hyperconnected World" published by the World Economic Forum, in collaboration with McKinsey & Company.  

World Economic Forum / McKinsey Report

Here's what they actually say ... 

"Current trends could result in a backlash against digitization, with huge economic impact.  Major technology trends like massive analytics, cloud computing, and big data could create between US $9.6 trillion and US $21.6 trillion in value for the global economy.  If attacker sophistication outpaces defender capabilities -- resulting in more destructive attacks -- a wave of new regulations and corporate policies could slow innovation, with an aggregate economic impact of around US $3 trillion." - p.3 

Three things to note: 

1) the loss they are forecasting is A REDUCTION IN FUTURE ECONOMIC VALUE of certain technologies (analytics, cloud computing, big data) DUE TO A SLOW DOWN IN INNOVATION.

2) that loss would only come about IF THERE ARE NEW REGULATIONS IMPOSED that would stifle creativity in these areas.

3) The CUMULATIVE EFFECT between the time of the report (2014) and SIX YEARS LATER (2020) was said to have a potential of reaching $3 Trillion. 

So how on earth did Cybersecurity Ventures reach their number?

First, they clearly never read the World Economic Forum / McKinsey report, or they would certainly have been unable to say that the impact of Cybercrime had been $3 trillion in 2015.  Again, the $3 trillion was OVER THE COURSE OF SIX YEARS (or $500 Billion per year on the average) and ONLY IF REGULATORY CONDITIONS CHANGED DRAMATICALLY causing "unrealized potential economic value" to the tech industry.

But how did they get from $3 Trillion to $6 Trillion, even if they wrongly believed that the $3 Trillion was an annual number?  Simple.  In their report, they say there were 2 billion Internet users in 2015, and they predict there will be 6 billion Internet users by 2022. They then say "Like street crime, which historically grew in relation to population growth, we are witnessing a similar evolution of cybercrime.  It's not just about more sophisticated weaponry; it's as much about the growing number of human and digital targets."  (See: "2019 Official Annual Cybercrime Report," p.4).  In other words, since there are so many more people, the false $3 Trillion is now $6 Trillion, right? No. That isn't how crime works, and it isn't how cybercrime works either.

According to the Cybersecurity Ventures report, the $6 Trillion in damages would consist of: 

  • Damage and destruction of data
  • Stolen money
  • Lost productivity
  • Theft of intellectual property
  • Theft of personal and financial data
  • Embezzlement
  • Fraud
  • Post-attack disruption
  • Forensic investigation
  • Restoration and deletion of hacked data
  • Reputation harm

But is that what the World Economic Forum said? ABSOLUTELY NOT!!!  

Just to keep beating the point home - the WEF said that the FUTURE GROWTH of certain tech industries may be slowed by $3 Trillion between 2014 and 2020 IF AN ADVERSE REGULATORY ENVIRONMENT is created.

How Much Is $6 Trillion?

According to Steve, the annual Cost of Cybercrime is $6 Trillion (and increasing!)  Ask yourself this question:  

If you agree with Steve's number, you believe that the Cost of Cybercrime is greater than the TOTAL REVENUE of Citibank, JPMorgan Chase, Bank of America, and Wells Fargo.  

You also believe that the Cost of Cybercrime is greater than the TOTAL REVENUE of Volkswagen, Toyota, Daimler/Chrysler, Mitsubishi, Honda, BMW, and Nissan. 

Add Walmart and Amazon and Google and you STILL are not at $6 Trillion.  

It would take the total 2019 Annual Revenues of ALL of thirty-three of these global companies to make $6 Trillion.  Steve says that is how much the cost of cybercrime will be this year, and that it will be $10.5 Trillion by 2024!  Do you believe? I do not.

The Total Cost of Cybercrime? 

Ransomware Math 

Cybersecurity Ventures has expressed that Ransomware is a top concern.  On 21OCT2019, Steve Morgan's Cybercrime Magazine post was titled "Global Ransomware Damage Costs Predicted to Reach $20 Billion USD By 2021." And we've already seen that they say Cybercrime costs will be $6 Trillion by 2021. 

Here's a helpful pie chart to help illustrate that: 

Now if RANSOMWARE is the number one source of cybercrime damages, and ransomware is 0.33% of the total cost of cybercrime, what are the other 99.7% of the costs made of?  That's right.  Thin Air.

A Little Help?

Please do me a favor? If you see someone quote the $6 Trillion Cost of Cybercrime, please send them a link to this story.  The numbers just do not make any sense!

Have you seen a source quoting the $6 Trillion Cost of Cybercrime?  Please share it in the comments below!  And if you know the person who is spouting that nonsense, please send them a link to this article!

Thursday, June 03, 2021

PPP Fraud or How to Use the CARES Act to Go To Prison

If you are one of the thousands of people who fraudulently filed for a Paycheck Protection Program or PPP Loan under the CARES Act, pay attention!  This blog post is going to explain why you should return the money and turn yourself in.  The CARES Act provided $349 Billion in forgivable loans that a business could use to cover payroll, mortgage interest, rent, lease, or utilities during the trying times of the pandemic.  But many people are assuming they can just steal that money and never pay a penalty.

Let's use as our example the case of Zsa Zsa Bouvier Couch, whose case was just unsealed in the Middle District of Alabama.

Zsa Zsa Bouvier Couch

Zsa Zsa is an entrepreneur in the Montgomery area.  She operated seven businesses, according to the Alabama Secretary of State:

  • Trinity Christian Ministry, LLC, incorporated on 26MAR2008.
  • Kidz Academy Christian Child Care Center, Inc, incorporated as a non-profit on 12JUN2007.
  • Bouvier Hair Boutique LLC, incorporated 22JAN2008.
  • Slim Fit Weight Loss Medical Clinic & Spa I Inc, incorporated 07APR2020.
  • Zsa Zsa's Boutique, LLC, incorporated 02MAY2020.
  • ABC Christian Ministries, LLC, incorporated 22JAN2008.
  • Walters Academy Corporation, incorporated 26MAY1999.

Kidz Academy opened a new Regions Bank checking account on 25JUN2019.
Bouvier Hair opened a new Regions Bank checking account on 07MAY2020.
Slim Fit opened a new Trustmark checking account on 22APR2020.
Kidz Academy opened a new Trustmark checking account on 06MAY2020.

PPP Loan Time!

Then the PPP Loan Applications started.  To apply for a PPP Loan, the applicant has to tell the bank what their average monthly payroll was and how many employees they have on staff.  One of the checks that is used is to compare the information on the application to the history of the bank account.  For example, if I regularly issue payroll for $20k per month, and claim on the PPP Loan application that I have a $90k per month payroll, I'm going to quickly get caught.  Zsa Zsa perhaps believed that by opening new checking accounts, the bank would be unable to look at her previous payroll information.

On 22APR2020, Zsa Zsa asked Trustmark for $206,041.68, claiming that Slim Fit had 10 employees and an average payroll of $82,416.67.

To complete the application, she had to attest that the business existed on 15FEB2020 and that the received funds would only be used as allowed in the CARES Act.  She also had to state that this was the only PPP Loan she was applying for and that she did not own or manage any other businesses.

Since Slim Fit was incorporated AFTER 15FEB2020 (on 22APR2020), that was a pretty easy one to detect.  Opening a new checking account and then applying for a PPP Loan the same day with your new bank is also a sort of risky move ... but ... she got the loan!  For more than she asked for!  $248,125.00!

On 23APR2020, Zsa Zsa asked Trustmark for $122,479.18, claiming that Trinity also had 10 employees, but had an average monthly payroll of $48,991.67.  Winner move attesting TO THE SAME BANK that you don't have any other businesses, when you just filed THE DAY BEFORE for another business.  But ... she got the loan (though only for $95,625.00).

On 23APR2020, Zsa Zsa also asked Trustmark for $186,664.38 for a third business, Kidz Academy.  She claimed they had 10 employees and a monthly payroll of $74,665.75. And ... she got the loan (for $83,437.47.)

Since things were going so well, Zsa Zsa decided to ask Trustmark for $964,371.88 for Zsa Zsa's Boutique.  She claimed she had 30 employees and an average monthly payroll of $385,748.75.  This time, the Alabama Department of Labor notified Trustmark that ZZB had ZERO employees.  When Trustmark informed Zsa Zsa of this, she responded "Just withdraw the application." 

That application was withdrawn on 04MAY2020, but her Kidz Academy PPP loan was approved on 11MAY2020, her Trinity application was approved on 04MAY2020, and her Slim Fit application was approved on 03JUN2020.

So, after stealing $427,187.47 from the US Taxpayers via Trinity Bank, she realized the jig was up at Trinity and decided to start stealing via Regions Bank.

On 05MAY2020, just one day after learning that the Alabama Department of Labor was on to her and having her most audacious PPP Loan request denied, Zsa Zsa switched to Regions Bank and filed a PPP Loan for Kidz Academy.  This time she claimed to have 15 employees with a monthly payroll of $120,000 and asked for $66,700.00.  Regions approved the loan for the full amount.

On 03JUN2020, Zsa Zsa asked Regions for a PPP Loan for Bouvier Hair, claiming that she had 10 employees and $183,600 average monthly payroll.  She asked Regions for $115,800.  Regions approved the loan for the full amount.  

Zsa Zsa's total theft from the US Taxpayers then was $182,500 from Regions + $427,187.47 from Trustmark for a total of $609,687.47.

Time to Go Shopping!

After claiming that she only had one business, Zsa Zsa had two of her PPP Loans deposited into the same bank account at Trustmark.  Then our criminal mastermind paid for an Audi Q3 by sending a wire transfer from the account which was only funded via PPP Loans to the Rusnak Westlake Audi dealership.  She then wrote checks from the account to family members totaling $150,000.00.  She also wrote another $49,200 in checks to family members from one of her other PPP Loan accounts at Trustmark. 

The story in her Regions account was about the same.  She wrote out a $26,997.00 Cashier's Check and used it to pay cash for a Mercedes-Benz A-220 (VIN# WDD3G4EBCKW017692) which she registered to another family member.

Time to Go To Prison!

There were several other interesting purchases made with all of that money, as the Forfeiture requested by the court includes: 
  • a 2019 BMW 330 
  • a 2007 GMC Pickup truck 
  • a 2019 Mercedes Benz A220 
  • a 2017 Audi Q3 SUV 
  • a 2008 Ford Mustang GT 
  • and all the contents of eight bank accounts, $2400 seized when her house was searched and $1180 seized from her purse.

Let's Review . . . 

1. The banks have been encouraged -- HELP BUSINESSES SURVIVE -- if there is fraud, we will figure that out on the back end.  GET THE MONEY OUT THE DOOR and SAVE JOBS.

2. But they WILL FIND YOU.  If the number of employees you claim to have does not match the IRS tax records or the Alabama (or your state's) Department of Labor numbers, YOU WILL GET CAUGHT.

3. When your bank realizes your PPP Loan doesn't match your Payroll expenditures, YOU WILL GET CAUGHT.

4. If you attest (as required) that this is your ONLY PPP LOAN and then you file multiple applications, YOU WILL GET CAUGHT.

5. If you open new bank accounts to avoid payroll matching, the bank will eventually get around to checking that and YOU WILL GET CAUGHT.

6. And lastly, if you take your PPP Loan account and wire money to a car dealer, YOU WILL GET CAUGHT.

Don't be a Zsa Zsa.  If you committed fraud, return the funds and throw yourself on the mercy of the courts.
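
Three of the checks from the review above (existence on 15FEB2020, the one-business attestation, and the state labor head count), written as a screening pass over application records. This is an added example, not from the original post or any bank's system: the record layout, the `owner` key, the flag names and the idea of pooling applications across banks are assumptions, and the sample records are constructed from the dates and head counts quoted in the post.

```python
from datetime import date

CUTOFF = date(2020, 2, 15)  # the business had to exist on this date (per the post)

def app(business, bank, incorporated, claimed, labor=None, owner="applicant-1"):
    """Build one record; 'owner' is a hypothetical applicant key."""
    return {"business": business, "bank": bank, "owner": owner,
            "incorporated": incorporated, "claimed_employees": claimed,
            "labor_employees": labor}  # None: no state figure available

# Constructed records using the dates and head counts quoted in the post.
APPLICATIONS = [
    app("Slim Fit", "Trustmark", date(2020, 4, 7), 10),
    app("Trinity", "Trustmark", date(2008, 3, 26), 10),
    app("Kidz Academy", "Trustmark", date(2007, 6, 12), 10),
    app("Zsa Zsa's Boutique", "Trustmark", date(2020, 5, 2), 30, labor=0),
    app("Kidz Academy", "Regions", date(2007, 6, 12), 15),
    app("Bouvier Hair", "Regions", date(2008, 1, 22), 10),
]

def review(apps, cutoff=CUTOFF):
    """Return {(business, bank): [flags]} for a batch of applications."""
    # Collect every distinct business each applicant has filed for.
    businesses = {}
    for a in apps:
        businesses.setdefault(a["owner"], set()).add(a["business"])
    findings = {}
    for a in apps:
        flags = []
        # Attested to exist on the cutoff date, but incorporated later.
        if a["incorporated"] > cutoff:
            flags.append("incorporated_after_cutoff")
        # Attested to own no other business, but filed for several.
        if len(businesses[a["owner"]]) > 1:
            flags.append("applicant_has_other_businesses")
        # Claimed head count disagrees with the state labor record.
        labor = a["labor_employees"]
        if labor is not None and labor != a["claimed_employees"]:
            flags.append("employee_count_mismatch")
        findings[(a["business"], a["bank"])] = flags
    return findings

if __name__ == "__main__":
    for key, flags in review(APPLICATIONS).items():
        print(key, flags)
```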