5 Costly phishing attacks in recent history

Phishing scams have been around for quite a while now, but they continue to be among the most successful cyberattack methods. Verizon’s 2019 Data Breach Investigations Report reveals that phishing is the “threat action variety” most likely to cause a breach. In fact, 22% of all successful data breaches in 2019 involved phishing.

Over time, phishing has become even more sophisticated and targeted, causing greater harm to individuals and companies. CSO reports that $17,700 is lost every minute because of phishing attacks and that phishing accounts for more than 80% of reported security incidents.

In this blog, we’ll take a look back at some of the most expensive phishing attacks to date.

Further reading: 10 Common phishing emails to watch out for

1. Facebook and Google payment scam – more than $100 million

Between 2013 and 2015, Lithuanian hacker Evaldas Rimasauskas posed as Taiwan-based Quanta Computer, a manufacturer that actually does business with Facebook and Google. Using fake email accounts, he sent emails with fake invoices to employees of these two tech companies who regularly conducted multimillion-dollar transactions with Quanta Computer. The employees ended up wiring more than $100 million to the fake company’s bank accounts.

Facebook’s and Google’s banks did not flag these transactions as suspicious since Rimasauskas also falsified supporting documents. These included forged invoices, contracts, and letters with fake signatures of company executives and fake corporate seals.

2. Crelan Bank CEO fraud attack – $75.8 million

During an internal audit, the Belgian Crelan Bank discovered that they fell victim to a CEO fraud attack in 2016. The fraudsters — suspected to be foreigners — spoofed the CEO’s corporate email account and tricked an employee into executing wire transfers.

The bank didn’t release any other information regarding the incident, but they announced that they are taking “additional, exceptional measures” to fortify their internal security measures and prevent similar attacks from happening.

3. FACC acquisition scam – $61 million

Cybercriminals spoofed the corporate email of Walter Stephan, former CEO of FACC, which manufactures aircraft components for Boeing and Airbus. They used it to instruct an entry-level accounting staff member to transfer funds to a foreign bank account as part of an “acquisition project.” The employee wired the money immediately without first confirming the request.

FACC was able to recoup only one-fifth of the loss. The company eventually fired and sued Stephan and its CFO since they “failed to set up adequate internal controls and to meet their obligations of collegial cooperation and supervision.”

4. Upsher-Smith Laboratories CEO spoof – initially more than $50 million

In 2014, US drug company Upsher-Smith Laboratories transferred more than $50 million to a fake bank account. Fraudsters impersonating the company’s CEO sent emails to an employee handling accounts payables with instructions to conduct nine wire transfers over the course of three weeks.

Fortunately, the company was able to recall one wire, dropping their loss to $39 million (plus interest). They also sued their bank, Fifth Third Bank, for missing these “multiple red flags”:

• “Rushed nature” of the requests
• Recipients’ “insistence on confidentiality”
• Departure from “ordinary procedures”
• Failure to include a second person on the requests
• Amounts and frequency of the transfers
• Suspicious beneficiaries

5. Ubiquiti Networks CEO impersonation – almost $47 million

In 2015, Ubiquiti Networks, a Silicon Valley computer networking company, lost $46.7 million — nearly 10% of the company’s cash position — through CEO fraud emails. After monitoring Ubiquiti Networks’ Hong Kong subsidiary’s bank account, the Federal Bureau of Investigation notified the company of the unusual fund transfers to overseas accounts.

The company’s quarterly financial report disclosed that an outside entity impersonated the CEO, then targeted the company’s finance department to conduct fraudulent wire transfers.

Further reading: How to identify and mitigate phishing attacks

Don’t let your business fall victim to phishing attacks. Safeguard it with a simple, powerful, and automated solution by Graphus. Request a demo today.