First two-word explanation: Zeus Trojan.
For US-based small business (and local government) there is no protective cap on money stolen via identity fraud – and this is the standard use of Zeus. Once the credentials are acquired the thieves can empty a bank account in a matter of hours – and there is no legal recourse against the bank. The money is gone; the victim is not going to get it back.
A part of my professional practice deals with security – no, I’m not going to enter a forum with all the scripts executing. I only look foolish.
Second two-word answer: Existing Investment.