Phishing scams are one of the most successful methods cybercriminals use to cause a data breach. According to the 2020 Phishing Attack Landscape Report, 53% of respondents revealed that their organisation has seen an increase in email phishing attacks during the pandemic. Almost a third (30%) said that email phishing attacks have become more successful during this period.
Compared to other cyberattacks, organisations tend to be more susceptible to phishing attacks as phishing scams can easily target any employee. The report found that over a third of respondents (36%) were not confident that employees at their organisations could spot and avoid an email phishing attack in real-time. In addition, 38% of respondents highlighted that over the past year, someone within their organisation has fallen victim to a phishing attack.
With phishing attacks so prevalent in current times, let's check out five of the biggest phishing scams in history (so far).
1. Facebook & Google – $100 million
The costliest phishing scam in history was with two of the biggest tech giants in the world, Facebook and Google.
The Lithuanian hacker, who targeted them both between 2013 and 2015, impersonated a Taiwan-based company, Quanta Computer, to send an elaborate fake invoice that cost them $100 million. Quanta Computer is an electronics supplier they both use, which is why the scam wasn't obvious. Google and Facebook both worked with the authorities to recuperate some of the funds. This is a clear example of the importance of analysing all aspects of an email to check its authenticity.
2. Crelan Bank – $75.8 million
In 2016, Belgium-based Crelan Bank lost $75.8 million (approximately €70 million) to fraudsters who compromised the CEO's email account, tricking an employee into wiring the transfer. The phishing attack was discovered during an internal audit.
This type of spoofing is also known as business email compromise (BEC), which impersonates a company by hacking into a corporate email address and tricking customers, partners or employees to send money or share confidential data. This is a clear reminder for all employees, regardless of seniority, to understand the importance of creating strong passwords that are not used for multiple sites and using other security measures such as multi-factor authentication to improve the company's security defences.
3. FACC – $55.8 million
Also in 2016, FACC, an Austrian aircraft manufacturer, suffered a similar business email compromise attack, spoofing the CEO's email account. The cybercriminal instructed an entry-level accounting employee to transfer funds to an account as part of an "acquisition project". The staff member wired the funds without doing due diligence.
Although FACC recouped around one-fifth of the loss, the company fired and sued the CEO and the CFO for failure to establish internal policies to prevent this from happening.
4. Upsher-Smith Laboratories – $50 million / $39 million
In 2014, a US drug company, Upsher-Smith Laboratories, lost more than $50 million over three weeks. Yet another result of a successful business email compromise attack on the CEO's email account, which sent emails to an employee in accounts payable to transfer funds.
Luckily, the company recalled one of the wire costs, dropping their loss from $50 million to $39 million (+interest). The drugs firm also sued its bank for making the transfers despite multiple missed "red flags".
5. Ubiquiti Networks – $46.7 million
Ubiquiti Networks, a US-based computer networking organisation, was swindled out of $46.7 million due to a BEC attack in 2015. The fraudster impersonated the company's CEO and its lawyer asking the company's finance department to transfer funds. The FBI (Federal Bureau of Investigation) alerted the company about the attack.
So, what can we learn from these phishing attacks?
A business email compromise is a phenomenally successful type of phishing attack, so employees and organisations must always do their due diligence when a particular email, even if it's from the CEO, looks 'phishy'.
Educate employees at all levels on how to spot a phishing email and provide further cybersecurity awareness training. Test your employees by using a Phishing Simulation Tool to launch a fake phishing campaign to your employees. This is a great way to find cybersecurity skills gaps in the organisation, allowing both security & L&D teams to provide focused phishing and security awareness training to those that need refreshing on it.