The Most Costly Phishing Scams Ever
Phishing scams are the biggest threat to your business. Delivered by email, a single click on the wrong link can hand attackers access to your valuable data.
Phishing isn’t aimed specifically at businesses either. It can happen to anyone who owns an email address. If cyber criminals want to steal your data, they will look for any weakness in your cyber security.
Cyber criminals typically take the path of least resistance – through you.
Coordinating a phishing scam is simple. It also has roughly a 1/10 chance of success; not bad odds for a simple email that could grant access to an entire business’s sensitive data.
With this in mind, we’ve compiled a collection of the most costly high-profile phishing scams:
5) MacEwan University – £9 million
MacEwan University fell victim to a phishing scam in 2018 after staff failed to verify an email requesting a change in payment information. Building work had recently been completed on campus and the vendor was due to be paid.
Emails that appeared to come from the construction company arrived in MacEwan University inboxes requesting a change in payment arrangements. Three separate payments were made to the ‘construction company’ accounts, which turned out to be unrelated accounts in Montreal and Hong Kong.
The university only realised its mistake when the legitimate construction company asked why it hadn’t received payment. The university later admitted it was completely at fault and that the cause was human error.
It is believed that the university, unlike most victims, did manage to recover the stolen money, after spending around £160,000 on legal and banking fees.
4) Pathé – £16 million
One of the smaller losses on this list, the attack against Pathé was nonetheless prolonged, lasting around a month in 2018. The attackers asked the company to send money to an account in Dubai for a supposed upcoming company takeover bid. The account was not legitimate.
This was a case of business email compromise (BEC), in which the attacker impersonates a senior figure in the business. It is also known as an email impersonation attack.
The money was sent by wire transfer, which made the transactions very difficult to trace.
Attackers sometimes register look-alike domain names to make their emails appear more convincing, and that is believed to be what happened in the phishing scam conducted against Pathé.
Both the CEO and Chief Financial Operator lost their jobs over the phishing scandal.
3) FACC – £48 million
FACC is an Austrian company that designs parts for aircraft. It lost around £48 million in 2016 when it fell victim to a phishing attack.
This was a CEO fraud attack, in which the attackers impersonate an executive or another member of the business with access to important financial data, and then ask the victim to transfer money to an account the attackers control.
The attack was confirmed to have come from outside the company. Despite this, the CEO of FACC was sacked over the damage caused by the phishing attack.
2) Crelan Bank – £59 million
The Belgian bank lost a substantial £59m in 2016 to a phishing email sent to employees that appeared to come from the bank’s CEO, much like the campaigns against FACC and Pathé.
These phishing scams will typically be marked urgent and sent to someone with financial influence at an organisation.
An email posing as the bank’s CEO demanded payment into a fraudulent account. Employees were fooled, the attempt succeeded, and Crelan Bank was relieved of a huge £59m.
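The FACC, Crelan and Pathé cases above share the same shape: an executive’s name on the From line, a sender domain or reply address that isn’t the company’s own, and urgent payment wording. As an added example that is not part of the original post, the following Python checks one plain-text email for those indicators; the corporate domain, the executive list and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's genuine domain and the
# executives (display name -> real address) that CEO-fraud emails tend to impersonate.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "bank details", "payment", "invoice")

def edit_distance(a, b):
    # Levenshtein distance; a small value against CORP_DOMAIN marks a look-alike domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    # Returns the list of business-email-compromise indicators found in one plain message.
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    flags = []
    # 1. Display name of a known executive, but not sent from that executive's address.
    if EXECUTIVES.get(name.strip().lower(), addr) != addr:
        flags.append("executive display name with non-matching address")
    # 2. Sender domain is a near miss of the corporate domain (a registered look-alike).
    if domain != CORP_DOMAIN and edit_distance(domain, CORP_DOMAIN) <= 2:
        flags.append(f"look-alike sender domain: {domain}")
    # 3. Replies are quietly redirected to an address other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append(f"reply-to mismatch: {reply_to}")
    # 4. The urgent-payment wording seen in the FACC, Crelan and Pathe cases.
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        flags.append("urgent payment language")
    return flags

# Constructed sample imitating a CEO-fraud email; not a real message.
SAMPLE = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: j.doe@example.net
Subject: Urgent and confidential: wire transfer for the takeover

Please transfer the funds today to the account below and keep this between us.
"""
```

Calling `bec_indicators(SAMPLE)` raises all four flags; a mail gateway or SOC rule would typically hold such a message for review, and the same checks are cheap to run over a mailbox export after the fact.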
But this wasn’t the most costly phishing scam.
1) Facebook and Google – £78 million (Each!)
Ironically, Facebook and Google, two of the biggest and best-known tech companies in the world, suffered the most costly phishing scams of all. Both firms ended up paying out for their errors!
The scam consisted of elaborate invoices that proved to be fake. The attacker, a Lithuanian man, simply asked the two companies for the money and received it on request. Simple, but effective. Google and Facebook did, however, recognise the scam very quickly and recovered the bulk of the transferred funds.
These types of phishing scams are easily avoidable if the right procedures and training are put in place. Instead, it cost Facebook and Google an enormous sum of money. They can afford it, but could you?
As you’ve seen here, impersonation attacks are proving to be one of the more lucrative forms of phishing. Our email security solution offers protection against impersonation attempts, which not all solutions do.
Another crucial step towards minimising risk is to enrol your staff on IT awareness training courses. It’s a simple step that can prevent a costly mistake.
To discuss email security or IT awareness training for your staff, contact us at firstname.lastname@example.org or on 01283753333.