Phishing has become a booming and lucrative business. According to the FBI’s Internet Crime Complaint Center (IC3) 2020 Internet Crime Report, phishing scams targeted more than 240,000 victims in 2020 and reported losses from phishing attacks exceeded $50 million.
Cyber threat intelligence firm PhishLabs reports that phishing remains the dominant attack vector for hackers, with a 31.5 percent increase in attacks over 2020. According to the firm’s latest Quarterly Threat Trends and Intelligence Report, social media has emerged as one of the fastest-growing attack vectors.
With phishing attacks growing in scale and sophistication, they are becoming more difficult to detect and even harder to evade. The most dangerous mindset is thinking that it can’t happen to you or that you would recognize one of these attacks. Today’s sophisticated attackers craft legitimate-looking targeted phishing campaigns designed to hook even the most seasoned user.
10 real-world phishing attacks that could have been prevented:
Facebook and Google Payment Scam:
Tech giants Facebook and Google fell victim to an elaborate payment scam that went undetected for nearly two years. Impersonating a Taiwan-based computer hardware manufacturer the companies used as a vendor, a Lithuanian hacker used spoofed email addresses and forged invoices and contracts to scam the companies out of more than $100 million between 2013 and 2015. This incident highlights how even the most sophisticated, tech-savvy corporation can fall prey to phishing scams.
A phishing attack in 2014 cost Sony Pictures more than $100 million when more than 100 terabytes of company data were stolen, including newly released files, financial records, and customer data. The hackers researched employee names and titles on LinkedIn, then posed as company colleagues in malware-laden emails sent to unwitting employees.
FACC Phishing Attack
Australian aerospace parts manufacturer FACC, whose customers include Airbus and Boeing, lost $61 million in a phishing scam in 2016. Posing as the firm’s CEO, the hacker sent a phishing email to an accounting employee requesting the transfer of a large sum of money to an account for what turned out to be a fake acquisition. This case illustrates the need for adequate internal controls and underscores the importance of ongoing security awareness training.
In 2015, U.S. computer networking firm Ubiquiti Networks lost $46.7 million when an attacker impersonated the company’s CEO and lawyer in emails. The emails directed the firm’s Chief Accounting Officer to make 14 wire transfers to bank accounts in Russia, Hungary, China, and Poland to close a bogus secret acquisition.
Crelan Bank BEC Scam
One of the most popular email attacks is the business email compromise (BEC) scam, in which the attacker impersonates a company by hacking into a corporate email address and tricking employees or vendors into sending money. In 2016, Belgian bank Crelan lost $75.8 million in a BEC scam. The fraud was discovered during an internal audit: the fraudsters had compromised the CEO's email account and tricked an employee into wiring the transfer.
Xoom Corporation BEC Scam
Xoom Corporation was also the victim of a BEC attack in late 2014 that cost the electronic funds transfer provider nearly $31 million. The incident involved spoofed emails that were sent to the company’s finance department. The fraudulent requests resulted in the transfer of $30.8 million in corporate cash to overseas accounts.
U.S. Power Grid Phishing Attack
Attackers often use indirect methods to gain access to a larger, more high-value target. In 2018, state-sponsored Russian hackers gained access to the U.S. power grid after targeting smaller, less secure companies that had working relationships with the larger power grid organizations. They sent phishing emails from a compromised account that the recipient trusted and had previously interacted with, in order to get the recipient to reveal confidential information.
Twitter Social Engineering Attack
Popular social media platform Twitter was hit by a social engineering attack in July 2020 that led to the hijacking of forty-five Twitter accounts. Dozens of high-profile accounts were compromised in the attack, including those of former President Barack Obama, Amazon CEO Jeff Bezos, and Tesla CEO Elon Musk. Deploying a successful phone phishing attack, the attackers stole employees' credentials and gained access to the company's internal management systems. The attackers used the hijacked accounts to tweet out bitcoin scams that netted them over $100,000.
In May 2021, major U.S. fuel supplier Colonial Pipeline was crippled by a cyberattack when attackers planted ransomware on the organization’s network after gaining access to an employee’s password, most likely through a phishing email. The attack forced the company to halt operations for about a week, resulting in the non-delivery of about 20 billion gallons of oil. Colonial Pipeline paid $4.4 million for the decryption key to unlock the ransomed data.
Microsoft Phishing Attack
In early 2021, 10,000 Microsoft users were targeted in a package delivery phishing campaign designed to extract victims’ work email account credentials. Emails were sent out to recipients purporting to be from FedEx or DHL Express, containing links to phishing pages hosted on legitimate domains, enabling the emails to evade security filters.
How To Prevent Getting Hooked by Phishing Scams
There is an old Russian proverb that was popularized by President Ronald Reagan and is a good rule of thumb to avoid falling victim to phishing attacks: Trust, But Verify. In incidents like those highlighted above, employees who received these phishing emails complied with the fraudulent requests without first verifying that they were valid.
Phishing is a booming business that targets individuals and businesses of all sizes. Below, we've highlighted some steps you can take to prevent getting hooked by phishing scams:
- Never respond to potentially fraudulent emails or call the number provided in the email. If the employees in the above situations had verified the requests through other official channels or methods, such as calling the person directly using a known company phone number, they could have mitigated the fraud.
- Have two-step account verification and safeguards in place, particularly for transactions involving money and sensitive data.
- Create strong passwords and don’t reuse them for multiple sites. Using a password manager to store, generate, and update secure passwords that can’t be easily guessed makes the hacker’s job much harder.
- Keep company and personal devices secured and updated. Configure devices to automatically update or to notify you when an update is available.
- Provide regular and ongoing security awareness training for employees at all levels. Ongoing training can equip employees with the proper knowledge needed to keep data secure and decrease the risk of a phishing attack.
Here at Hook Security, we like to say that your employees are your strongest defense. So taking proactive steps to increase security awareness can turn your employees into confident defenders against cyber attacks.