Phishing attacks are a popular attack vector for cybercriminals because they are simple and effective. A well-crafted phishing email is much easier to develop than a zero-day exploit, yet it can have the same negative impact. These attacks are designed to prey upon human nature: people want to be helpful, tend to obey authority, and are less careful when in a hurry or under stress.
Phishers take advantage of these factors and more in their attacks, and phishing emails can come in a number of forms. While some phishing attacks cast a wide net, others (like spear phishing attacks) are very tailored to their target. In some cases, an attacker will impersonate an authority figure or other trusted party to achieve their objective.
Phishing schemes are also not limited to email. Attackers can take advantage of corporate collaboration platforms and communications applications on mobile devices to perform their attacks.
The five attacks described here required little sophistication on the part of the attackers but enabled them to steal tens of millions of dollars from their targets.
Between 2013 and 2015, Facebook and Google were tricked out of $100 million by an extended phishing campaign. The phisher took advantage of the fact that both companies used Quanta, a Taiwan-based company, as a vendor. The attacker sent both companies a series of fake invoices that impersonated Quanta, which both Facebook and Google paid.
Eventually, the scam was discovered, and Facebook and Google took action through the US legal system. The attacker was arrested and extradited from Lithuania, and, as a result of the legal proceedings, Facebook and Google were able to recover $49.7 million of the $100 million stolen from them.
Crelan Bank, in Belgium, was the victim of a business email compromise (BEC) scam that cost the company approximately $75.8 million. This type of attack involves the phisher compromising the account of a high-level executive within a company and instructing their employees to transfer money to an account controlled by the attacker. The Crelan Bank phishing attack was discovered during an internal audit, and the organization was able to absorb the loss since it had sufficient internal reserves.
FACC, an Austrian manufacturer of aerospace parts, also lost a significant amount of money to a BEC scam. In 2016, the organization announced the attack and revealed that a phisher posing as the company’s CEO instructed an employee in the accounting department to send $61 million to an attacker-controlled bank account.
This case was unusual in that the organization chose to fire and take legal action against its CEO and CFO. The company sought $11 million in damages from the two executives due to their failure to properly implement security controls and internal supervision that could have prevented the attack. This lawsuit demonstrated the personal risk to an organization’s executives of not performing “due diligence” with regard to cybersecurity.
In 2014, a BEC attack against a Minnesotan drug company resulted in the loss of over $39 million to the attackers. The phisher impersonated the CEO of Upsher-Smith Laboratories and sent emails to the organization’s accounts payable coordinator with instructions to send certain wire transfers and to follow the instructions of a “lawyer” working with the attackers.
The attack was discovered midway through, enabling the company to recall one of the nine wire transfers sent. This decreased the cost to the company from $50 million to $39 million. The company decided to sue its bank for making the transfers despite numerous missed “red flags”.
In 2015, Ubiquiti Networks, a computer networking company based in the US, was the victim of a BEC attack that cost the company $46.7 million (of which they expected to recover at least $15 million). The attacker impersonated the company’s CEO and lawyer and instructed the company’s Chief Accounting Officer to make a series of transfers to close a secret acquisition. Over the course of 17 days, the company made 14 wire transfers to accounts in Russia, Hungary, China, and Poland.
The incident only came to Ubiquiti’s attention when it was notified by the FBI that the company’s Hong Kong bank account may have been the victim of fraud. This enabled the company to stop any future transfers and attempt to recover as much of the $46.7 million stolen as possible (which represented roughly 10% of the company’s cash position).
The costly phishing attacks described here did not require a great deal of sophistication on the part of the attacker. A little research into a company revealed the identity of key individuals (CEO, CFO, etc.) and vendors. The attackers used this information to craft believable emails that tricked their targets into sending money to attacker-controlled bank accounts.
While some phishing attacks are designed to deliver malware, making an endpoint security solution essential, this is not always the case. None of the attacks outlined here contained malicious content that an antivirus would catch.
To protect against these attacks, an organization needs an anti-phishing solution capable of detecting BEC attacks via analysis of an email’s body text. To learn more about Check Point’s email security solutions and how they can protect your organization against the phishing threat, contact us. Then, request a demonstration to see the solution in action.
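As an added illustration of the kind of header and body-text analysis that catches BEC mail carrying no malware, here is a small heuristic scorer written for this page (example code, not Check Point's product). It weighs the cues the cases above share: an executive's display name on an outside mailbox, a redirected Reply-To, a wire instruction, urgency, secrecy, and an outside "lawyer". The executive roster, the corporate domain, and both sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Constructed executive roster and corporate domain (assumptions for this example)
EXEC_ROSTER = {"jane doe": "CEO", "john roe": "CFO"}
INTERNAL_DOMAIN = "example.com"

# Body-text cues that the cases above share: a wire instruction, urgency,
# secrecy, an outside "lawyer", or changed banking details for a vendor payment
CUES = {
    "wire_instruction": r"\b(wire|transfer|remit)\b",
    "urgency": r"\b(urgent|immediately|today|asap|right away)\b",
    "secrecy": r"\b(confidential|secret|do not (discuss|mention)|keep this between)\b",
    "outside_lawyer": r"\b(lawyer|attorney|counsel)\b",
    "new_bank_details": r"\b(new|updated|changed)\b[^.]*\b(bank|account|iban|routing)\b",
}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def score_bec(headers: dict, body: str) -> dict:
    """Score one message; returns the cues that fired and their weighted sum."""
    name, addr = parseaddr(headers.get("From", ""))
    _, reply = parseaddr(headers.get("Reply-To", addr))
    hits = {}
    # Executive's display name on a mailbox outside the corporate domain
    if name.strip().lower() in EXEC_ROSTER and domain_of(addr) != INTERNAL_DOMAIN:
        hits["exec_impersonation"] = 2
    # Reply-To quietly redirecting the thread to a different domain
    if domain_of(reply) != domain_of(addr):
        hits["reply_to_mismatch"] = 1
    for cue, pattern in CUES.items():
        if re.search(pattern, body, re.IGNORECASE):
            hits[cue] = 1
    return {"hits": hits, "score": sum(hits.values())}

def is_suspicious(headers: dict, body: str, threshold: int = 3) -> bool:
    """Hold for human review when enough independent cues line up."""
    return score_bec(headers, body)["score"] >= threshold

# Constructed sample modelled on the CEO-and-lawyer pattern described above
BEC_HEADERS = {"From": "Jane Doe <jane.doe@example-mail.net>",
               "Reply-To": "jd.private@webmail-example.org"}
BEC_BODY = ("I am closing a confidential acquisition today and need you to wire "
            "$2,400,000 to the account below. Our outside lawyer will send the "
            "paperwork. Do not discuss this with anyone until it is announced.")

# Constructed sample of routine mail from the same executive
OK_HEADERS = {"From": "Jane Doe <jane.doe@example.com>"}
OK_BODY = "Thanks for the quarterly numbers, let's review them at Thursday's staff meeting."
```

Run against the two samples, the constructed BEC message scores 7 with six cues firing while the routine message scores 0; a real deployment would tune the weights and threshold against its own mail flow and route flagged messages to a reviewer rather than silently drop them.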