
Phishing is one of the most reliable ways for cybercriminals to gain the foothold that ends in a data breach. According to the 2020 Phishing Attack Landscape Report, 53% of respondents said their organisation had seen an increase in email phishing attacks during the pandemic, and almost a third (30%) said those attacks had become more successful over the same period.
Organisations tend to be more exposed to phishing than to other cyberattacks because a phishing email can be aimed at any employee; the attacker needs no vulnerable server, only one person who trusts the message. The report found that over a third of respondents (36%) were not confident that employees at their organisation could spot and avoid an email phishing attack in real time, and 38% said that someone within their organisation had fallen victim to a phishing attack in the past year.
With phishing attacks so prevalent in current times, let’s check out five of the biggest phishing scams in history (so far).
1. Facebook & Google – $100 million
The costliest phishing scam in history hit two of the biggest tech companies in the world, Facebook and Google.
A Lithuanian fraudster targeted both companies between 2013 and 2015 by impersonating Quanta Computer, a Taiwan-based electronics supplier that both of them genuinely used, and sending a stream of elaborate fake invoices that cost them around $100 million. Because the supplier, the amounts and the paperwork all looked plausible, the scam was not obvious to the people paying the invoices. Google and Facebook both worked with the authorities and recovered some of the funds. The case is a clear example of why every aspect of an email has to be checked for authenticity: not just whether the supplier is real, but whether the sending domain, the bank details and the invoice itself match what the company already knows.
2. Crelan Bank – $75.8 million
In 2016, Belgium-based Crelan Bank lost approximately €70 million (about $75.8 million) to fraudsters who posed as the CEO by email and tricked an employee into wiring the transfer. The fraud was discovered during an internal audit.
This kind of CEO fraud is a form of business email compromise (BEC). In a BEC attack the criminal either takes over a genuine corporate mailbox or spoofs one convincingly enough, then uses the borrowed authority to get customers, partners or employees to send money or share confidential data. The account-takeover variant is why employees at every level of seniority need strong passwords that are not reused across sites, plus multi-factor authentication on email. The spoofing variant is why that is not enough on its own: a request to move money should be confirmed through a channel the email did not supply, such as a phone number already on file, before anything is wired.
3. FACC – $55.8 million
Also in 2016, FACC, an Austrian aircraft parts manufacturer, suffered a similar business email compromise attack in which the CEO's email account was spoofed. The attacker instructed an entry-level accounting employee to transfer funds to an account as part of a supposed "acquisition project", and the employee wired the money without any further verification.
Although FACC recovered around one-fifth of the loss, the company dismissed both the CEO and the CFO and later sued them for failing to put internal controls in place that would have prevented the payment.
4. Upsher-Smith Laboratories – $50 million / $39 million
In 2014, the US drug company Upsher-Smith Laboratories lost more than $50 million over three weeks. This was yet another business email compromise attack: emails purporting to come from the CEO's account instructed an employee in accounts payable to make a series of transfers.
The company managed to recall one of the wire transfers, reducing its loss from $50 million to $39 million (plus interest). It also sued its bank for executing the transfers despite what it described as multiple missed "red flags".
5. Ubiquiti Networks – $46.7 million
Ubiquiti Networks, a US-based computer networking company, was defrauded of $46.7 million in a BEC attack in 2015. The fraudster impersonated the company's CEO and its lawyer in requests to the finance department to transfer funds. It was the FBI (Federal Bureau of Investigation) that alerted the company to the fraud.
So, what can we learn from these phishing attacks?
Business email compromise is a phenomenally successful form of phishing precisely because it borrows the authority of someone the recipient is inclined to obey. Employees and organisations must therefore do their due diligence whenever an email looks "phishy", even (and especially) when it appears to come from the CEO: check the sending address and domain rather than the display name, be suspicious of a Reply-To that points somewhere else, and confirm any payment or change of bank details by phone using a number that did not arrive in the same email.
Educate employees at all levels on how to spot a phishing email and back that up with wider cybersecurity awareness training. Then test them: a phishing simulation tool lets you run a realistic fake campaign against your own staff. This is an effective way to find the skills gaps in the organisation, so that security and L&D teams can direct focused phishing and security awareness training at the people who need a refresher.
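Several of the cases above turned on signals that were visible in the message itself: a familiar name over an unfamiliar mailbox, a sending domain one character away from the supplier's or the company's own, a Reply-To that quietly redirects the conversation, and pressure for an urgent, confidential wire. The Python below is an added example written for this page, not code from the article or from DeltaNet; it runs those checks over a constructed message using only the standard library. ORG_DOMAIN, the EXECUTIVES table and both sample messages are assumptions made for the example, and a real deployment would trust the Authentication-Results header only when its own receiving mail server wrote it.

```python
"""Triage checks for the BEC indicators behind the scams above: executive
display-name impersonation, lookalike sender domains, a mismatched Reply-To,
failed SPF/DKIM/DMARC verdicts, and wire-transfer pressure language.
Example code written for this page; ORG_DOMAIN, EXECUTIVES and the sample
messages are constructed assumptions, not data from any real case."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "examplecorp.com"                         # assumption: the defending organisation
EXECUTIVES = {"jane doe": "jane.doe@examplecorp.com"}  # assumption: senior staff -> real mailbox
PRESSURE_WORDS = ("wire", "transfer", "invoice", "urgent", "confidential", "acquisition")
AUTH_FAILS = {"fail", "softfail", "permerror", "temperror"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = ORG_DOMAIN) -> bool:
    """True for a domain that is not the target but could pass for it at a glance:
    a swapped or dropped character, or the real name embedded in a longer label."""
    domain, target = domain.lower(), target.lower()
    if not domain or domain == target:
        return False
    return _edit_distance(domain, target) <= 2 or target.split(".")[0] in domain


def triage(raw_message: str) -> dict:
    """Return {indicator: detail} for every BEC indicator found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {}
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. The display name is an executive's, but the mailbox is not theirs.
    real = EXECUTIVES.get(display_name.strip().lower())
    if real and from_addr.lower() != real:
        findings["display-name"] = f"'{display_name}' is {real}, not {from_addr}"

    # 2. The sending domain imitates the organisation's own domain.
    if is_lookalike(from_dom):
        findings["lookalike-domain"] = f"{from_dom} imitates {ORG_DOMAIN}"

    # 3. Replies are silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings["reply-to"] = f"replies go to {reply_addr}, From is {from_addr}"

    # 4. The receiving server's own SPF/DKIM/DMARC verdicts (trust only your own MTA's header).
    auth = str(msg.get("Authentication-Results", ""))
    failed = [f"{m}={v}" for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)
              if v.lower() in AUTH_FAILS]
    if failed:
        findings["authentication"] = ", ".join(failed)

    # 5. Payment pressure language in the subject and body (two or more distinct words).
    part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (part.get_content() if part else "")).lower()
    words = [w for w in PRESSURE_WORDS if w in text]
    if len(words) >= 2:
        findings["pressure-language"] = ", ".join(words)
    return findings


# Constructed sample: a CEO-fraud request of the kind described in the cases above.
SUSPECT = """\
From: "Jane Doe" <jane.doe@examplec0rp.com>
Reply-To: jane.doe@ceo-private-mail.net
Subject: Urgent wire transfer - confidential acquisition
Authentication-Results: mx.examplecorp.com; spf=fail smtp.mailfrom=examplec0rp.com; dkim=none; dmarc=fail header.from=examplec0rp.com
Content-Type: text/plain; charset="utf-8"

Please pay the attached invoice today and keep this between us.
I am in meetings all day, so reply by email only.
"""

# Constructed sample: a routine internal message that should raise nothing.
BENIGN = """\
From: "Jane Doe" <jane.doe@examplecorp.com>
Subject: Lunch on Thursday
Authentication-Results: mx.examplecorp.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Shall we book the usual place?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(raw))
```

None of these checks replaces confirming a payment request by phone on a known number; the point is that they are cheap enough to run on every inbound message to the finance team and surface exactly the indicators the employees in these cases were expected to notice by eye.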


DeltaNet International, a global eLearning provider of compliance training solutions, has today announced the availability of its Phishing Simulator, to help organisations strengthen their cybersecurity awareness training against phishing attacks.

This solution enables organisations to assess the effectiveness of their cybersecurity education, diagnosing vulnerabilities and identifying urgent skills gaps through realistic phishing simulations.

How likely is your organisation to become the next phishing victim?

The phishing simulation tool can be used on its own simply to measure how susceptible an organisation is to a phishing attack, but it delivers the most value when combined with follow-up training that closes the knowledge and risk gaps the simulation exposes.

The simulator allows users to choose from thousands of phishing email templates, or to create new templates for a specific campaign, and to customise the software to their brand and requirements. Available direct or through resellers, it can simulate targeted spear-phishing attacks that lure employees into clicking malicious URLs or handing over personal information and passwords.

Automatically deploy training to users who ‘fail’ the test

The tool is delivered through Astute, DeltaNet's cloud-based learning experience platform, which also makes it easy for businesses to deploy refresher eLearning to employees who ‘fail’ the phishing simulation.

“Regardless of size, every organisation is under threat of phishing attacks and with the headlines constantly announcing the latest breach, it’s high time cybersecurity awareness training became a priority for all employees. All it takes is one click on a malicious link, and it could open your organisation to a cyberattack,” said Darren Hockley, Managing Director at DeltaNet International.

Organisational Resilience

“By simulating an attack, you can test the resilience of the employees within your organisation and then quickly deploy focused training to those employees that need it. This builds organisational resilience to cybersecurity risks and can continually be assessed and measured through multiple campaigns.”

Industry leading online learning content

Drawing on DeltaNet International's library of 20+ information security awareness training courses, users of the Phishing Simulator can automatically enrol participants who failed the phishing test onto any of those courses via Astute, or point them to other company policy documents and eLearning.

Business leaders can measure the effectiveness of the testing by tracking in real time how employees reacted to the fake phishing email, which shows security, compliance and HR teams where to provide additional support to mitigate risk and reduce susceptibility to phishing attacks.

Impersonation phishing attacks

“With impersonation phishing attacks becoming increasingly common, we will additionally be working closely with our users to create highly personalised templates designed to test the vulnerability of their employees.

By impersonating considerable levels of familiarity, these emails will test even the most highly aware and vigilant employees, so organisations understand where to prioritise training,” added Jason Stirland, CTO at DeltaNet International.
