Phishing attacks have soared, with attackers taking advantage of the latest vulnerabilities and opportunities in the massive shift to remote work and cloud storage.
Phishing is a scam in which attackers send people malicious emails, messages, or phone calls to trick them into clicking on harmful links or attachments, visiting fraudulent websites, sharing sensitive data, or otherwise leaving themselves susceptible to cyberattacks.

Falling prey to phishing attacks now regularly leads to substantial financial losses for individuals and corporations. Here are some of the most financially damaging phishing attacks in history.
1. Facebook and Google
Between 2013 and 2015, Facebook and Google fell victim to a fake invoice scam, losing over $100 million. In the scam, Evaldas Rimasauskas, a Lithuanian hacker, set up a fake company that posed as Quanta Computer, a Taiwan-based computer manufacturer that works with Facebook and Google.
The assailant further opened bank accounts for money laundering in several countries, including Cyprus and Latvia, under the same name as the fake company.

Evaldas proceeded to send invoices to employees at Facebook and Google, leading them to wire him the requested funds. However, he was eventually arrested, formally charged with wire fraud, and compelled to forfeit $49.7 million.
2. Sony Pictures
Sony fell victim to a spear-phishing attack (one of many different types of phishing attacks) that stopped the company from releasing a comedy film worldwide. The attack was linked to “Guardians of Peace,” the hacking group that leaked huge amounts of confidential data about the company’s employees and its film portfolio in 2014.
To execute the attack, cybercriminals sent emails to Sony employees, including CEO Michael Lynton, urging them to verify their Apple ID due to “suspicious account behavior.” The email messages also included links to phishing sites created to steal the employees’ login credentials.

Months later, the hackers breached the company’s Microsoft System Center Configuration Manager (SCCM). This allowed them to install malware on all the employees’ devices, steal terabytes of private data, and delete the original copies from Sony computers.
The cybercriminals leaked four unreleased movies and numerous confidential materials, including private communications among executives, social security numbers, and employee salaries, via file-sharing networks. To further their agenda, the hacktivist group demanded Sony cancel the planned release of “The Interview,” a comedy film.

Although Sony did not release an official cost estimate, early evaluations of the extent of corporate damage indicate losses exceeding $100 million.
3. Crelan Bank
In 2016, Belgium-based bank Crelan was targeted with a Business Email Compromise (BEC) scam, resulting in a $75.8 million loss. The perpetrator, posing as the bank’s CEO, asked the finance department to approve the transfer of the amount, which they did.
The attack was discovered during an internal audit and reported to the justice department, but the assailants were never identified. In response, the bank adopted stringent measures to reinforce its internal security procedures.
4. FACC
Fischer Advanced Composite Components (FACC) is an Austria-based company that specializes in manufacturing aerospace parts. Its customer base includes industry leaders like Boeing, Airbus, and Rolls-Royce.
2015/16 marked a fateful business year for the company as it fell prey to a BEC scam, losing an estimated $55 million. The incident unfolded when a perpetrator, posing as the company’s CEO in an email, asked the accounting department to transfer the funds to a foreign bank as part of an “acquisition project.”
On realizing they were scammed, FACC implemented countermeasures that led to blocking the transfer of $12 million. Despite this, the company’s CEO, Walter Stephan, and CFO were fired after the incident. The firm also filed a lawsuit against them, citing their failure to implement security controls and oversight.
5. Upsher-Smith Laboratories
Upsher-Smith Laboratories, a drugs company in Minnesota, is another high-profile victim of a CEO fraud attack. The company succumbed to the scam in 2014 when fraudsters masquerading as the company’s CEO emailed the company’s Accounts Payable Coordinator.
This scam led to nine wire transfers within three weeks, resulting in a loss of over $50 million. The company, however, detected the attack in progress and successfully revoked one wire transfer, reducing the loss to $39 million.
6. Ubiquiti Networks
In 2015, Ubiquiti Networks, a San Jose-based networking technology manufacturer, lost $46.7 million to CEO fraud. In this case, the attacker posed as both the company’s CEO and its lawyer, informing the finance department that funds were needed to facilitate a confidential acquisition.
Using spear-phishing emails, the perpetrator convinced the company’s finance department to transfer funds from the company’s subsidiary in Hong Kong to the attacker’s overseas accounts.
Ubiquiti then made 14 wire transfers within 17 days to several countries, including China, Russia, Hungary, and Poland. Upon discovering the fraud, the company initiated legal proceedings in several foreign jurisdictions, recovering $8.1 million.
7. Leoni AG
Leoni AG, a leading wire and cable manufacturer headquartered in Germany, suffered a loss of about $44 million after a phishing email attack. The 2016 incident involved scammers who, posing as the company’s senior German executives, deceived a finance employee in the company’s Romania office into transferring the funds to foreign accounts.
8. Toyota Boshoku Corporation
In 2019, Toyota Boshoku Corporation, a European subsidiary of the Toyota Group and a leading supplier of Toyota auto parts, was targeted by a BEC attack. The incident involved an attacker posing as a business partner of the subsidiary, requesting an immediate funds transfer to an unfamiliar bank account.
The perpetrator justified the urgency of the transaction by stating that any delay would hinder parts production. This led to the corporation’s finance and accounting department losing over $37 million.
9. Xoom Corporation
A phishing scam that targeted Xoom Corporation, a leading provider of electronic funds transfer services, resulted in a loss of $30.8 million. The company’s fourth-quarter 2014 report cited BEC as the cause of the loss.
The attack involved scammers impersonating Xoom employees and asking the finance department to deposit the funds to fraudulent overseas accounts. Following the occurrence, Xoom’s Chief Financial Officer (CFO), Matt Hibbard, resigned.
Protect Yourself and Your Company From Phishing Attacks
Although large companies are the primary targets, phishing scams affecting millions of individual users are far too common. These attacks lead not only to direct monetary loss but also to productivity and data loss, reputational damage, and customer attrition.
The costs of phishing attacks are already reshaping how individuals and companies operate and manage risks. To defend against phishing attacks, it’s crucial to adopt protective measures, including using strong passwords, implementing two-factor authentication, and providing security awareness training to employees.