One of the most serious cybersecurity threats organizations must deal with is phishing scams. Phishers are attackers who employ malicious social engineering tactics in their phishing schemes. The most common methods are phishing emails and website email scams.
One of the most serious cybersecurity threats that organisations must deal with is phishing scams.
Verizon has released some of the most eye-opening phishing attack statistics in recent history. According to the company’s 2018 Data Breach Investigations Report, phishing and pretexting account for 98 per cent of social incidents and 93 per cent of data breaches. Emails launch a whopping 96 per cent of attacks. Aside from hacks and insider threats (such as disgruntled employees), phishing attacks are responsible for many of the most well-known and largest data breaches.
Phishers are attackers who employ malicious social engineering tactics in their phishing schemes. The most common methods are phishing emails and website email scams. Scammers create emails that appear to have come from well-known organisations or individuals whom the target recipients are familiar with. Malicious code may be embedded in these emails. These can spread to recipients’ computers without their knowledge. Users may also be directed to fraudulent websites that mimic legitimate ones. This is possible through the clever use of ‘typo squatting’ and Unicode domains.
Here we will take a look at four of the biggest phishing scams that happened in the world. These attacks have been on some of the biggest software and infrastructure companies and caused service outages and economic damages in the process.
Hackers gained access to Sony Pictures Entertainment in the fall of 2014.
In November 2014, a hacker group, backed by the North Korean government, launched a devastating attack on Sony Pictures Entertainment in retaliation for the production of The Interview, a film about the killing of North Korea’s President. The attackers gained entry to Sony’s network and conducted months of covert reconnaissance using phishing and spear-phishing emails that contained malware.
System engineers and network administrators, initially suspected of being the victims of phishing attacks, were asked to verify their Apple accounts. The attackers may have attempted to gain access by exploiting the fact that many employees use the same password for both their personal and work accounts (which is not unusual). However, it was later discovered that the attackers gained access to the system through spear-phishing, which was then followed by the use of forged Apple emails. The perpetrators took over 100 terabytes of data and then infected Sony’s PCs with malware, wiping out the hard drives. According to current estimates, the damage exceeds $100 million.
Hackers from the Russian government gained access to the United States’ power grid infrastructure in 2016. In a joint report by the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), the attacks targeted a wide range of organisations in the energy, nuclear, water, aviation, construction, and critical manufacturing industries.
Despite popular belief, the attackers did not carry out this attack by attacking high-value targets directly. The use of smaller companies, like an educational training website and a construction firm, as PhishBots, helped the hackers. The attack was of each other as well as the larger power grid organisations with which they had working relationships, rather than larger corporations. They took advantage of the companies’ well-established networks of contacts — their trust graph — and exploited those connections to their benefit.
There was syphoning off of a total of at least $100 million from both companies between the years 2013 and 2015. Evaldas Rimasauskas, a Lithuanian man, orchestrated a scam to deceive these companies. He pretended to be a representative of a large Asian company, named Quanta. He took advantage of the fact that Quanta served as a client of both Facebook and Google. There was a forgery of invoices and contracts, signed by executives, by him. For two years, they got away with it. After his arrest in 2017, the Phisher was extradited to the United States and sentenced to five years in federal prison.
In January 2016, an employee at the Austrian aircraft components business, FACC, received an email. The email ask the company to transfer €42 million to another account as part of an ‘acquisition project’. Even though the message claimed to have originated from the organisation’s CEO, Walter Stephan, it turned out to be an elaborate phishing attempt.
As the employee was unable to discern the true nature of the email, he or she agreed to the request. There has been little publishing of what went wrong. There are, however, grounds to suspect that Stephan was largely to blame for what happened. In fact, he was sacked after an internal investigation found that he had ‘severely violated his obligations. The FACC cited this as the reason. In addition, the company sacked its chief financial officer as well. However, there was the dismissal of the complaint against the executives by the Austrian courts. They awarded the FACC €10 million in legal damages.
In the course of expanding their operations beyond the confines of pickpocketing and other physical crimes, thieves become acquainted with the digital realm. It was at this point that they began to take advantage of flaws in operating systems and other technological advancements.
These vulnerabilities, on the other hand, are becoming increasingly rare. They had to think outside the box and revert to their old methods of deceiving unsuspecting victims to gain access to their bounty. This is how the formation of the concept of phishing happened. The aforementioned phishing attacks are among the largest in the history of phishing attacks.
To prevent phishing attacks from happening, companies must increase the level of protection and firewall their network. Small businesses, as much as large corporations, must prioritise cybersecurity. There are a variety of approaches that one can use to avoid such incidents from occurring. The most effective is to train your co-workers. Phishing is a lot more common than you might believe, and it is much easier to fall victim to. So, to prevent scamming, inform your staff about the dangers of phishing and how to spot a phishing attempt.