Are your employees trained to recognize phishing emails? What about you? Phishing scams aren’t something to be ignored. In 2018 alone, 71% of targeted cyber attacks involved the use of spear phishing emails (Symantec). In order to avoid the consequences of such attacks, it’s important to recognize these emails and know how to stop them.
To better understand the dangers of phishing, let’s take a look at history’s top 5 phishing scams, which have all taken place in the last 15 years.
1. Operation Phish Phry
Have you ever received an urgent email from your bank, asking you to take immediate action? If so, you may have encountered a phishing scam.
In 2009, the FBI conducted its largest phishing case ever, Operation Phish Phry. This phishing attack was especially alarming—partly because of its size—but also because of how many people were affected.
While targeting Bank of America and Wells Fargo customers, Egyptian hackers used phishing emails to trick users into giving away their credentials. They then passed the credentials on to the three ring leaders living in California. The ring leaders recruited “runners” to open bank accounts, then transferred money from the victims’ accounts to the runners’ accounts.
After receiving the money, the runners would empty the accounts, take their share, and pay the ring leaders and the Egyptian hackers. Over the course of the attack, the criminals targeted 5,000 Americans and stole roughly $1.5 million.
What We Learn
When we consider how many people were affected by this attack, the numbers are startling. 5,000 Americans failed to recognize the phishing emails, and they suffered financial consequences as a result.
Yet perhaps even more alarming is how easily the hackers were able to access the accounts. The lack of additional security features gave the hackers immediate access to thousands of users’ financial information—with only a username and password.
How secure is your network? Are your programs and devices protected with encrypted passwords? Do you utilize two-factor authentication? Could a hacker easily infiltrate your network if they gained access to a single piece of information?
It’s never too early to secure your network. Our team can help you review your infrastructure right now so that you can identify weaknesses and insecurities.
Training your team is also essential when it comes to phishing attacks. Cyber criminals are becoming more and more sophisticated, and phishing emails aren’t always easy to recognize.
Train your employees to recognize phishing scams. Never transfer sensitive information over phone calls or emails. You should also verify the validity of emails before following links or downloading attachments.
2. Walter Stephan
Few things are worse than losing millions of dollars to a phishing attack. Yet that’s exactly what happened to Austrian aerospace company FACC.
In 2016, FACC fell prey to a Business Email Compromise (BEC) attack. BEC scams trick employees into transferring large amounts of money, often by posing as the CEO or another senior executive.
In this particular phishing scam, outside attackers spoofed CEO Walter Stephan’s email address and convinced a low-level employee to transfer money into an account. As a result, the company lost around $47 million, and Stephan was fired.
What We Learn
According to Pindrop, CEO phishing scams cost US businesses $246 million in 2015. FACC may have lost a lot more money than other companies, but Walter Stephan’s was not an isolated incident. And it can happen so quickly that it’s sometimes impossible for companies to fully recover.
Employees should learn to be a lot more skeptical about incoming emails, especially ones that ask for money. In the case of Walter Stephan, the attacker used a convincing email address, making the employee believe that the email was actually from Walter Stephan.
Verify emails before taking action. It might be a hassle and take precious time out of your day, but it can save you extra heartache in the long run. No matter how urgent an email may seem, it’s never worth losing hundreds (and sometimes millions) of dollars.
3. Target/FMS Scam
Imagine getting a notification that your credit card information—and possibly your social security number—was stolen in a recent security breach. In 2013, millions of Target customers had their information compromised. The breach affected 110 million users, which equates to almost a third of the US population.
Interestingly enough, however, the criminals never targeted Target itself. Instead, the credentials were stolen from a third-party HVAC vendor, Fazio Mechanical Services (FMS).
Target had previously provided FMS with external network access. The criminals targeted FMS in order to compromise Target’s servers and gain access to Target customers’ information.
According to Krebs on Security, the criminals utilized additional resources to carry out the attack. After obtaining customer data, they used a number of compromised computers to store the stolen information.
Target suffered a number of consequences as a result of this breach. They faced around $220 million in losses, including:
- The cost to reimburse banks for the reissue of millions of credit and debit cards
- Fines from credit card brands for non-compliance
- Customer service costs
- Legal fees
- Credit monitoring for the millions of customers affected by the breach
What We Learn
So what can we learn from this incident?
First, use caution when sharing sensitive information with third-party connections. Having airtight security won’t matter if the third party is vulnerable.
Also, use stronger security measures to protect your data. Restrict the amount of information third parties have access to, and use multi-factor authentication to add an additional layer of security.
Despite the best preparation and security measures, it’s still possible for you to fall prey to a phishing scam. An incident response plan can reduce the amount of downtime you experience, as well as cut your losses.
75% of IT executives admit they don’t have a formal incident response plan (Buildings). Don’t be one of them. Protect yourself and your business by developing an incident response plan.
4. The Ukrainian Power Grid Attack
On December 23, 2015, workers at the Prykarpattya Oblenergo control center were preparing for the end of the workday when one of the operators noticed something strange. The cursor on his computer began to move on its own and, to his horror, confirmed a request to shut off the circuit breakers at a nearby substation. Within minutes, an entire region was left without power.
The worker tried desperately to regain control of his computer, but he was immediately logged out. The attackers then changed his password, so he had no chance of re-entry. The attackers continued to take substations offline, until 230,000 people had been affected.
This phishing scam had been planned for months, beginning with research and then moving to spear phishing in order to steal credentials. By the time the criminals actually executed the synchronized attack, it was almost impossible for the power grid to respond.
The criminals utilized a variety of techniques to coordinate the attack, including the following:
- Spear phishing to gain access to the network
- Virtual private networks to enter the ICS network
- Malware to infect company computers
- Automated firmware updates to disable multiple sites at once
- Remote access controls to issue commands directly from a remote station
- Uninterruptible power supply (UPS) systems to create a scheduled service outage
- Denial-of-service (DoS) attacks on the call center
How did this happen?
For starters, there was a significant amount of open-source information that was easily accessible to the public.
Additionally, Oblenergo lacked two-factor authentication and network monitoring, making it possible for the criminals to infiltrate the network months before they even executed the attack. By the time the power outage occurred, the company was overpowered and unprepared to respond.
What We Learn
This wasn’t just a run-of-the-mill attack. The criminals didn’t happen upon the network. They were skilled strategists that had been planning this attack for months. However, there are still some important lessons we can take away from this incident.
Like the Ukrainian power grid, hundreds of companies believe their security is sufficient, but they still fall prey to phishing attacks. And according to Wired, the control systems in Ukraine that suffered this attack were more secure than many of the systems in the US.
This incident proves that a security breach can happen to anyone. And once criminals have access to a system, they can potentially override anything on the network.
Develop comprehensive protection, with encryption, monitoring, and multi-factor authentication. Cultivating an atmosphere of security means consistently working to strengthen your network.
5. The Moscow World Cup and Vacation Rental Scam
As award-winning soccer players from around the world gathered in Russia to face off in the World Cup, fans were scrambling to get tickets. So naturally, scammers took this as an opportunity to make some money.
Hackers obtained legitimate information from websites like booking.com. They then contacted customers, asking for bank information in order to confirm the booking.
Other scams promised free tickets in exchange for answering a survey. They enticed customers with phrases of urgency, like: “Only 100 tickets left! Claim yours today!”
In addition to free-ticket scams, vacation rental scams are on the rise. Criminals will target a legitimate listing, hijack the associated email account, and then replace the contact information with their own. Unsuspecting customers believe the listing is genuine and send them money.
What We Learn
This should go without saying, but if it seems too good to be true, it probably is. Always be wary of sites that promise free tickets, vacations, or other prizes.
When you receive an email that looks like it could be a phishing scam, verify the web address. If it doesn’t match, don’t respond to the email. Even emails that appear legitimate could be fraudulent, so be cautious when sending personal information via email.
Establish protocols for sending secure data. You should never send bank information over email, but it can sometimes be difficult for employees to know when it’s okay to send sensitive information and when it’s not. Training your employees will enable them to follow smart security practices.
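The two checks this post keeps coming back to, whether the sender is really who the display name claims (the Walter Stephan case) and whether a link’s visible address matches where it actually goes, as a small added example in Python. This is not code from the original post; the trusted domain, the executive name list and the email message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: hypothetical company domain and executive list.
TRUSTED_DOMAIN = "example-aero.com"
EXECUTIVES = {"walter stephan"}  # display names that warrant extra scrutiny

# Constructed sample message: lookalike sender domain plus a disguised link.
SAMPLE_EMAIL = """\
From: Walter Stephan <ceo@example-aer0.com>
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please pay the invoice at <a href="http://payments.example-aer0.com/pay">https://bank.example-bank.com</a> today.</p>
"""

def edit_distance(a, b):
    """Levenshtein distance; small values flag lookalike domains (aer0 vs aero)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(msg):
    """Flag executive display names from outside domains and lookalike domains."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain != TRUSTED_DOMAIN and name.strip().lower() in EXECUTIVES:
        findings.append(f"executive display name '{name}' from outside domain {domain}")
    if 0 < edit_distance(domain, TRUSTED_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} looks like {TRUSTED_DOMAIN}")
    return findings

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def check_links(html):
    """Flag anchors whose visible URL text names a different host than the href."""
    findings = []
    for href, text in LINK_RE.findall(html):
        shown = re.search(r"https?://[^\s<]+", text)
        if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {urlparse(shown.group()).hostname} "
                            f"but points to {urlparse(href).hostname}")
    return findings

def analyse(raw):
    """Return all findings for one raw RFC 822 message (single-part HTML body)."""
    msg = message_from_string(raw)
    return check_sender(msg) + check_links(msg.get_payload())
```

Running `analyse(SAMPLE_EMAIL)` produces three findings: the executive name arriving from an outside domain, the one-character lookalike domain, and the link whose text and destination disagree.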
Keep Yourself Protected
It’s impossible to prevent every threat that may come your way, but you can limit your vulnerability by following best practices. Train your employees to recognize phishing scams, and have security policies in place to deal with these threats. Otherwise, it could cost you.
Here at CR-T, we take pride in providing enterprise-level IT services at prices that work for small businesses. Our team of experts can become your IT support department, responding to issues quickly, often before you even know about them. Covering everything from your servers and network infrastructure, to your computers, workstations and mobile devices, we provide end-to-end solutions for all your technology needs.
Time and experience have helped us develop best practices and workflow procedures designed to keep your focus on your business, not your technology.