These are the five most costly phishing attacks of the last few years. Despite a glut of new SEGs, anti-phishing applications, simulations, and training, phishing continues to be an expensive and ubiquitous problem. Phishing scams target individuals and companies big and small, and as we'll see in today's breakdown, not even the biggest tech giants are immune to being hooked by a phish.
Phishing scams are prolific. The attacks we'll profile today cost tens of millions of dollars each and hit massive multinational companies that had robust, if ineffective, phishing prevention mechanisms in place.
- Up first are Facebook and Google. Taken together, the two internet giants were scammed out of more than $100 million. The scheme ran over several years and began with the same phishing email. An Eastern European hacker mined publicly available information and discovered a vendor shared by the two companies. Posing as that vendor, the phisherman began sending fake invoices to both companies, and incredibly they both paid, over and over again. It took several years for the story to become public, and, shockingly, two internet pioneers were left unprotected against phishing attacks. It is amazing that a single person with a clever premise can steal so much money, particularly from two companies that are pioneers in the tech space. This example highlights the disastrous consequences of relying on legacy SEGs to combat the current phishing landscape. $100 million would kill most businesses.
- When I think of Belgium I think of beer, pommes frites and chocolate, not massive phishing scams. However, coming in at number two on today's chart is Belgian megabank Crelan, which lost $75.8 million in a CEO fraud attack. The scam started with a phishing attack directed at the organization's finance department. The criminals posed as the CEO and directed the finance department to wire tens of millions of dollars overseas. The bank became aware of the fraud after an internal audit flagged the large transfers; initially suspecting internal fraud, the company was eventually able to piece together the email phishing scam that started the whole thing. Incredibly, the phishing scammers in this case were never brought to justice and remain anonymous and unknown.
- CEO fraud also struck the number three phishing victim on today's hit-list, Austrian aerospace company FACC. FACC, an Austrian/Chinese aerospace parts maker, lost $61 million in a CEO phishing scam. A phishing email purporting to be from CEO Walter Stephan was sent to a fairly low-level associate within the accounting team. The email explained that funding was required for a new project, and the employee, acting on what they thought were their CEO's instructions, duly transferred the equivalent of $61 million. Pretty bad, if they had only called INKY. To add insult to injury, Reuters reported that "FACC is suing its former chief executive and ex-finance chief who allegedly failed to do enough to protect it from a cyber fraud costing tens of millions of euros, an Austrian court said. The company was tricked into transferring some 54 million euros ($61 million) to foreign accounts in a so-called 'fake-president fraud', a statement outlining the lawsuit issued by a court in Ried im Innkreis, where FACC is based." FACC felt that its executives had "failed to set up adequate internal controls and to meet their obligations of collegial cooperation and supervision." Incredible!
- As I said earlier, phishing scammers don't much care who they are stealing from as long as they are successful. The fourth victim on our list is a US pharmaceutical company that specializes in generic drugs as well as its own branded products. Upsher-Smith lost a stunning $50m over the course of a few weeks; it would have been more but for an eagle-eyed employee who questioned the transfers. As with our other examples, all of it started with an email to accounting. In this case the company is not suing its CEO or CFO; according to Fox 9 News in Minneapolis, the company is going after the bank that facilitated the scam. The "drug company's lawsuit says the bank missed 'multiple red flags' including the 'rushed nature' of the requests, the scammers' 'insistence on confidentiality,' the departure from 'ordinary procedures,' failure to include a second person on the requests, the 'amounts and frequency of the transfers,' and 'suspicious beneficiaries' — including one named 'Sunny Billion Limited.'" Sunny Billion, a name we can all trust....
- Last but not least on our roll of shame is another tech company. Ubiquiti Networks, a computer networking specialist, had close to $500m in the bank, a healthy cash position. What the company hadn't realized was that almost 10% of that, $46.7m, had been stolen. Once again phishing was the root cause: a scammer made contact with one of the company's foreign subsidiaries and impersonated C-suite executives so well that no one noticed.... Per the company's quarterly financial report: "The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties." What they didn't mention was that they only found out when the FBI alerted them; at the time of the phishing scam, they were completely unaware that it was occurring.
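Every case above shares one pattern: an emailed payment instruction reached the finance team and was acted on without an out-of-band check. The red flags the Upsher-Smith lawsuit enumerates can be turned into a pre-payment gate that holds a wire for callback verification. This is an added example, not INKY's or any bank's code; the request fields, thresholds and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed request/context records modelled on the lawsuit's red flags
# (assumed field names; not any real bank, ERP or INKY API).
@dataclass
class WireRequest:
    requester_email: str            # address the instruction actually came from
    beneficiary: str
    amount_usd: float
    body: str
    second_approver: Optional[str] = None
    followed_standard_procedure: bool = True

@dataclass
class FinanceContext:
    executive_domains: Set[str]     # domains executives genuinely send from
    known_beneficiaries: Set[str]   # accounts paid before
    recent_amounts: List[float]     # previously approved wires, for comparison

URGENCY = ("urgent", "immediately", "asap", "today", "right away")
SECRECY = ("confidential", "between us", "do not discuss", "discreet")

def red_flags(req: WireRequest, ctx: FinanceContext) -> List[str]:
    """Return the lawsuit's red flags that this request trips."""
    flags = []
    text = req.body.lower()
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain not in ctx.executive_domains:
        flags.append("executive instruction from an outside domain")
    if any(w in text for w in URGENCY):
        flags.append("rushed nature")
    if any(w in text for w in SECRECY):
        flags.append("insistence on confidentiality")
    if not req.followed_standard_procedure:
        flags.append("departure from ordinary procedures")
    if req.second_approver is None:
        flags.append("no second person on the request")
    if req.beneficiary not in ctx.known_beneficiaries:
        flags.append("suspicious beneficiary (never paid before)")
    if ctx.recent_amounts:
        median = sorted(ctx.recent_amounts)[len(ctx.recent_amounts) // 2]
        if req.amount_usd > 3 * median:
            flags.append("amount far above typical wire")
    return flags

def should_hold(req: WireRequest, ctx: FinanceContext) -> bool:
    # Two or more flags: hold and verify by phone at a number on file, never one from the email
    return len(red_flags(req, ctx)) >= 2

# Constructed sample: a "CEO" on a lookalike domain urging a secret payment to a new account
SAMPLE_CTX = FinanceContext({"example.com"}, {"Acme Supplies Ltd"}, [12000.0, 15000.0, 9000.0])
SAMPLE_REQ = WireRequest("ceo@examp1e.com", "Sunny Billion Limited", 480000.0,
                         "Urgent and confidential - wire today, do not discuss with anyone.")
```

Wording matches are deliberately crude; the value of the gate is the second approver and the callback, not the keyword list.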
So there you have it, folks: in each case one phishing email caused tens of millions of dollars' worth of damage. How much can your company absorb? $10m? $15m? $50m? Those amounts would kill most companies. If none of those sounds acceptable, it is time to take the INKY Phishing Phitness test to determine your risk level. Had INKY been in place at any of the companies highlighted, the net loss would almost certainly have been zero.
INKY – Phight Phish