Lessons from 5 Notorious Phishing Scams
Multimillion-dollar phishing exploits can teach us all how to build better defenses.
- The top phishing attacks in recent cyber history offer lessons to avoid scams, especially to guard against business email compromise and CEO impersonation exploits.
- Employee awareness training might have stopped these five phishing scams.
- With technology available today, like artificial intelligence and machine learning, they might never have happened.
Phishing is so prevalent today that in the past year, 92% of security professionals confronted the particularly destructive breed of phishing known as email impersonation or business email compromise (BEC), according to Mimecast’s State of Email Security 2022 survey. Yet organizations have not been lulled into complacency by so much “white noise” because they know phishing works.
Another survey, one by the Foundry publishing company, shows how well phishing works, pinpointing the leading cause of cyber incidents in 2021 as “employees falling victim to phishing attacks”. Specifically, 44% of security incidents last year were attributed to phishing, up from 36% in 2020.[i]
BEC, in which phishing emails are made to seem like they come from executives and business partners, can cause significant damage. The FBI received BEC complaints totaling nearly $2.4 billion in 2021.[ii] And the biggest phishing scams ever reported (not all of them are[iii]) show just how much damage phishing can do to a single organization.
Why Are Phishing Scams So Successful?
Phishing is a cheap and easy way for criminals to steal money, thanks to brokers on the Dark Web who sell all the tools for a successful phishing attack. No great coding skills are required.
And attackers are constantly evolving their tactics, challenging defenders’ ability to keep up. During the COVID-19 outbreak, phishing attacks surged using the pandemic as a hook. When the Russian army invaded Ukraine, defenders upgraded their security posture to thwart a spike in phishing attacks built around Ukrainian relief efforts.
Protecting against phishing attacks is also difficult, in part, due to employees’ lack of security awareness or half-hearted buy-in to security policies they consider barriers to their efficiency. While 81% of remote workers said data security is important, 44% told Forrester that data protections make them less productive.[iv]
Famous Phishing Scams
A review of some of the most famous phishing scams in recent memory (with the names omitted to spare the victims) can help build defenses against the next exploit:
- Supply chain poser nets over $100 million: A single fraudster pleaded guilty to conspiring to steal over $100 million from two tech giants, in a complicated fraud with phishing attacks at its core. The scammer impersonated a computer hardware vendor and sent invoices to employees of the victim companies from 2013 to 2015, requesting payments to be wired to illegitimate offshore bank accounts.[v]
- ID ploy rocks Hollywood: In 2018, the U.S. government charged a North Korean citizen with multiple counts for a 2014 attack against a movie studio in which reams of data, including film producers’ personal emails, were dumped online. The FBI says North Korean government-sponsored hackers gained access to the studio’s network by emailing malware to employees. They also sent spear-phishing messages to others in the entertainment industry, including a movie theater chain. The phishing attack cost the studio an estimated $100 million in disruptions to its film release schedule, remediation costs, and loss of intellectual property (new movies were posted online). The attack also dented the studio’s reputation with the film industry. Investigators eventually tracked down the source of the attack to a phishing scam involving emails claiming to be from Apple, asking users to confirm their online IDs.[vi]
- Bank CEO imposter makes big withdrawal: A Belgian financial institution suffered an instance of “whale phishing”, a variant of phishing attacks that impersonates a big fish in the company in order to get an employee to do the fraudster’s bidding. The attackers spoofed the bank CEO’s email address and instructed other employees to transfer money to a bogus account. The 2016 incident cost the bank an estimated $75 million. Later that year, the CEO was replaced by the institution’s chief risk officer.[vii]
- Aerospace CEO spoofer takes off with millions: An aerospace company was targeted in a similar phishing scam in 2016. An email claiming to be from the company CEO requested transfers in the millions of dollars to fund an acquisition project. The company acknowledged it lost $47.1 million but managed to stop another $12.2 million from being transferred. The CEO and CFO lost their jobs after the incident.[viii] The company tried to sue both of them, claiming they failed to set up controls to prevent the phishing attack, but the suits were dismissed.[ix]
- Cyber thief leverages M&A: A technology company disclosed in 2015 that it had suffered a loss of $46.7 million when fraudsters impersonated a company lawyer completing an acquisition and got funds transferred to an offshore account in Hong Kong. The company found out months later when the FBI notified officials of the wire fraud. The company managed to stop some of the transfers and recover $16.7 million.[x]
Lessons from Top Phishing Scams
Spending on security training and tools is on the rise among all sorts of organizations, the Foundry report said. Some 44% of enterprises plan to spend more and, on average, small businesses are doubling their investment. Assimilating these lessons from the top phishing attacks can help set priorities:
- Business email compromise (BEC) is stealthy: Nearly all the top phishing attacks were initiated by compromised emails between employees, clients, and vendors. While more typical spam phishing scams of the “click here for a prize” variety are easier to spot and filter, BEC is stealthier. Awareness training should focus strongly on spotting spoofed addresses, impersonation attempts, and other kinds of BEC.
- Everyone in the organization can be affected by phishing scams: Some of the largest phishing attacks in this list started with email compromise at the highest levels of the organization. “CEO fraud” is among the top phishing scams and the most lucrative, so fraudsters follow the money in that direction. Top management needs to be made aware and included in all cybersecurity training, even if they feel it is not a good use of their time. As the CEOs of some companies have found out, their jobs can be on the line.
- Awareness is the first line of defense: Security awareness training can teach staff how to spot and avoid phishing emails, suspicious links, attachments that carry malware, and fraudulent requests to share sensitive information or transfer funds. But training needs to keep up with the evolving tactics of fraudsters; phishing drills and other real-time training that simulates an actual attack can help keep users sharp.
- Technology can speed response: Some of the top phishing scams in our list took months to spot and stop, so real-time response is crucial to avoid lasting damage. Newer phishing filters on email applications and web browsers reduce more phishing attempts. Automation tools like Mimecast’s, powered by artificial intelligence and machine learning, can screen suspicious emails in real time to speed up fraud detection and response before damage is done.
The Bottom Line
Phishing scams are a fact of life in business today. As long as scammers see a profit, phishing attacks will continue. Learning from the top phishing attacks can help set a few priorities: continuous awareness training, a focus on business email compromise at the highest levels of the organization, and targeted investment in technology tools to automate protection and speed response. Delve deeper into security professionals’ exposure and responses to email-borne threats in Mimecast’s State of Email Security 2022 report.
[iii] “SEC Proposes Requiring Firms to Report Cyberattacks Within Four Days,” Wall Street Journal
[vi] “Hackers targeted employees with fake Apple ID emails” ComputerWorld
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!