A word that perhaps until only recently was unknown to most people or businesses but is now firmly embedded in their minds – as the most likely way a cyber-attack will harm their organisation.
Phishing works by disguising malicious activities as if they were coming from a trusted source.
For example, the attacker may send an email that appears to be from a bank or other legitimate business, asking the recipient to provide login credentials or other sensitive information. In some cases, the email may also contain malicious attachments or links that download malware onto the victim’s computer system.
Phishing in Numbers
- Of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%) Source: NCSC Survey 2022
- Those aged 25 to 44 years are most likely to be targeted by phishing (Source TCSEW)
- Of those who reply to or click on a link in a phishing message, more than a third (35%) do so for financial or material gain, and 30% to pay an invoice or bill Source: TCSEW
- More than half (54%) of those who receive phishing messages say the sender had been posing as a delivery company, based on the trend for fraudsters to take advantage of the rise of online shopping and homeworking Source: TCSEW
- A third (32%) received messages apparently from their bank or building society, and a quarter (25%) from government services Source: TCSEW
- LinkedIn was the most impersonated brand, in phishing attacks recorded in 2022 (52%) Source: USecure
- Following LinkedIn were DHL (14%), Google (7%), Microsoft (6%), FedEx (6%), WhatsApp (4%), Amazon (2%), Maersk (1%), AliExpress (0.8%) and Apple (0.8%) Source: USecure
While every organisation will, at some stage, be impacted by Phishing – some attacks are on such a hugely significant scale that they make the (media) headlines for all the wrong reasons.
Here, we highlight 10 of the most impactful (global) phishing attacks in recent years – in no particular order.
Facebook and Google
Facebook and Google were defrauded of approximately $100 million between 2013 and 2015, as a result of an ongoing and prolonged phishing campaign. The attack benefited from both companies using Quanta, a Taiwan-based company, as a third-party vendor.
A series of fake invoices were sent (impersonating Quanta), which both Facebook and Google paid. Once the attack was discovered, Facebook and Google took action through the US legal system and were able to recover $49.7 million of the $100 million.
In 2016, Belgian bank Crelan was hit by a phishing email that convinced an employee to send over €70 million to unknown bank accounts.
In January 2016, an employee at Austrian aerospace parts manufacturer FACC received an email (impersonating the CEO) requesting a transfer of €42 million to a bank account as part of an “acquisition project”.
FACC dismissed the CEO following an internal investigation, claiming he had “severely violated his duties” along with the CFO.
The company sought €10 million from the two former employees in legal damages, but the Austrian legal system dismissed the lawsuit.
In 2014, a known cybercriminal group released confidential information from Sony Pictures. The data included personal information relating to employees and their families, emails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, plans for future Sony films and scripts.
In May 2021, Colonial Pipeline announced that a cyber-attack had forced the company to cease operations and freeze its IT systems.
This measure “temporarily halted all pipeline operations”, with the main target of the attack being the finance and billing infrastructure of the organisation. However, the view remains that negating the inability to bill customers was the reason for halting the pipeline operations.
The impact was almost immediate, with fuel shortages occurring at filling stations amid panic buying as the pipeline shutdown entered its fourth day. As a result, average fuel prices quickly rose to their highest levels in almost 10 years.
Historically significant, because the very first phishing attacks were likely to have been individuals people posing as AOL employees, requesting users to confirm their billing address with the company.
As this occurred circa 1994 (before phishing became well known), companies didn’t then adhere to the same strictness as they did in 2023. As a result, AOL became the first company to warn users/customers that they would never ask for that kind of info via email.
A 2016 power cut in western Ukraine was reportedly caused by a phishing attack and attributed to nation-state-backed Russian cybercriminals.
The attack caused a blackout for 80,000 customers of western Ukraine’s Prykarpattyaoblenergo region. At the time, it was reported as the world’s first known power outage caused by a cyber-attack.
In August 2022, networking provider Ubiquity Networks disclosed that a successful phishing attack had stolen $46.7 million. The attack deployed a method of email impersonation/compromise to authorise fraudulent international wire transfers.
Business email compromise (BEC) is a common phishing technique. In 2023 many more businesses will be alert to its threat than in 2014. Sadly for Upsher-Smith Laboratories, that year saw hackers successfully impersonate its CEO.
The cybercriminals instructed an employee to follow directions from the “CEO” – and over three weeks, the employee asked the company’s bank to process nine wire transfers, amounting to more than $50 million in losses.
Network security experts contracted by the US Defence Department to provide security solutions fell for a phishing email themselves.
While little is known about what information was revealed in the RSA breach, for understandable reasons, the company and the US Defence Department have limited the sharing of details about this attack.
However, it gained some attention (notoriety) as a hack that penetrated the experts themselves. As a result, the RSA breach has become one of the most famous phishing scams to date.
Phishing emails can hit an organisation of any size and type. It`s a simple and unavoidable fact of running a business in the modern age.
Whether caught up in a mass campaign, or a targeted attack against your company, or as part of a supply chain attack – you are going to (at some point in time) be affected by Phishing.
And, as the case studies above prove, it can happen to the biggest and most well-known names in the world.
Because they all employ people, and people represent the cyber attackers most likely means of a successful attack.
Moore ClearComm has a proven and experienced approach to Phishing defence – whether through employee awareness training, bespoke or scheduled Phishing simulation campaigns, or guidance in respect of your technical defences – we are here to help.
Contact our team today: email@example.com
About us: https://mooreclear.com/about-us/