Three of the world's most expensive phishing attacks... and how they could have been prevented
A number of high-profile cyber-attacks in recent years have thrust cybersecurity back into the spotlight. In light of the HAFNIUM hack, cybersecurity has become a major focus for many businesses. Although the hack itself was not the result of human error, it was a wake-up call for organizations to make sure they were fully protected.
The UK Department for Digital, Culture, Media and Sport's (DCMS) Cyber Security Breaches Survey 2021 revealed that phishing is still the most common cause of cybersecurity breaches, accounting for 83 percent of all successful attacks.
Phishing can result in dramatic financial losses for your business, as well as reputational damage; Aon identified damage to reputation as one of the three biggest effects of a cyber-attack. Cyber-attacks can cost your business eye-watering sums of money in many ways. Here, we detail the most expensive cyber-attacks in recent years.
Fake invoice emails cost Google and Facebook £75 million
Many people think digital businesses are savvy when it comes to avoiding scams, but Google and Facebook proved this isn’t the case. The two behemoths fell victim to a fake invoice scam that amounted to losses of over £75.5 million.
Hacker Evaldas Rimasauskas posed as Quanta, a Taiwan-based company that both Facebook and Google used as a vendor. He successfully fooled the companies by sending fake invoices that resulted in them wiring money to him. He was eventually convicted of wire fraud, but not before he swindled the businesses out of millions.
Both organizations were able to recover nearly half of the stolen money, but that still leaves over £35 million of lost cash.
Crelan Bank falls victim to CEO fraud and loses £57 million
In 2016, Crelan Bank lost over £57 million when employees fell victim to a sophisticated social engineering email scam known as CEO fraud.
The hacker gained access to the email account of a high-level executive and spoofed the CEO's email account by masking the sender as the CEO. Posing as a high-level executive, the attacker then instructed the company’s employees to transfer money into a bank account the attacker controlled.
To this day, the identity of the hackers remains unknown despite the fact that an internal audit revealed the attack.
£46 million loss for FACC after successful social engineering scam
Another email-based social engineering scam saw global aerospace company FACC lose £46 million.
Here, the CEO’s email address was infiltrated and used to dupe employees into transferring huge sums of money to a suspicious bank account. Unfortunately, an entry-level accounting employee ended up transferring the funds to the account, under the impression that it was part of an "acquisition project" without doing their due diligence.
The CEO and CFO were fired as a result of this hack. The company also sued them due to their failure to set up "adequate internal controls and to meet their obligations of collegial cooperation and supervision".
Were these attacks preventable?
There’s one thing all of these attacks have in common: a lack of cybersecurity awareness amongst employees. Human intelligence and comprehension are the best defense against phishing attacks. In fact, if your employees have a great grasp of cyber literacy, your business can be protected from some of the most common cyber-attacks that occur.
Human error is a huge factor in cyber-attacks -- in fact, 90 percent of successful breaches are the result of human error. Hackers have a range of tactics to infiltrate your systems, but quite often, your employees can unwittingly give them the key to the front door. This could be through accidentally entering account information into suspicious websites, having a password that’s easy to guess, or not using two-factor authentication.
How can I prevent phishing attacks?
Most of the time, hackers using phishing attacks will pose either as a person known to the business, or a company known to you -- like a partner, customer, or supplier. These sophisticated attacks can be difficult for users to spot; after all, we would naturally trust an email coming directly from the CEO of the company.
Here are a few quick tips to help you prevent these types of attacks:
- Have regular password changes every 30, 60, or 90 days and use strong passwords.
- Install two-factor authentication (2FA) for all employees.
- Enlist the help of a managed IT services business, which will hire the best and brightest minds in cybersecurity.
- Ensure all employees have taken cybersecurity awareness training.
- Have regular security health checks, including testing for weaknesses in both the systems and employee knowledge gaps.
If you receive a suspicious email purporting to be from someone you know, the best course of action is to speak to them directly. Have them confirm the email themselves before doing anything about it -- no matter how urgent the email sounds. Do this through a channel other than email, such as picking up the phone, speaking to them in person, or video calling.
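A mail-filter check for the sender masking described above, added here as an example and not part of the original article. The corporate domain, executive names and sample messages are constructed, and the `Authentication-Results` header is assumed to be the one stamped by your own mail gateway.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: your own domain and executive display names.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw):
    """Return the reasons a raw message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # The display name is free text: anyone can put the CEO's name in it.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != CORP_DOMAIN:
        flags.append("executive display name on external address")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("Reply-To domain differs from From domain")
    # A From address on our own domain should carry the gateway's DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if domain_of(addr) == CORP_DOMAIN and "dmarc=pass" not in auth:
        flags.append("internal From domain without DMARC pass")
    return flags

# Constructed sample messages (headers, blank line, body).
SPOOFED = ('From: "Jane Doe" <jane.doe@ceo-mail.example.net>\n'
           "Subject: Urgent transfer\n\nPlease wire the funds today.\n")
FORGED_INTERNAL = ("From: Jane Doe <jane.doe@example.com>\n"
                   "Reply-To: jane.doe@consultant-mail.test\n"
                   "Authentication-Results: mx.example.com; dmarc=fail\n"
                   "Subject: Acquisition project\n\nKeep this confidential.\n")
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
         "Subject: Board meeting\n\nAgenda attached.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("forged", FORGED_INTERNAL), ("legit", LEGIT)]:
        print(label, impersonation_flags(raw))
```

A message sent from an executive account the attacker has actually taken over passes all three checks, which is why confirming payment requests through a second channel still matters.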
Cyber-attacks can be costly, as proven by these examples. Even smaller businesses can fall victim to these attacks, so don’t assume you’re safe because your business isn’t as big as Facebook. In fact, 60 percent of small businesses that fall victim to a cyber-attack will go bust within six months. By taking this advice into consideration, you can prevent your business from falling victim to these increasingly sophisticated attacks.
Barry O’Donnell is Chief Technology Officer at TSG.