Phishing is one of the greatest cyber security threats that organisations face. According to Proofpoint’s 2022 State of the Phish Report, 83% of organisations fell victim to a phishing attack last year.
Meanwhile, Verizon’s 2021 Data Breach Investigations Report found that 25% of all data breaches involve phishing.
Such attacks are increasingly popular because they’re easy to conduct and can potentially net the crooks a huge payout. All that’s required is a well-crafted email, the contact details of someone in your organisation and the very high likelihood that someone will take the bait.
With October marking Cyber Security Month, a campaign designed to promote awareness of online threats, we thought we’d look at the five biggest phishing scams of all time.
5. FACC (€42 million)
In January 2016, an employee at the Austrian aerospace parts manufacturer FACC received an email asking the organisation to transfer €42 million to another account as part of an “acquisition project”.
The message appeared to come from the organisation’s CEO, Walter Stephan, but was in fact a scam.
Unable to spot the true nature of the email, the employee complied with the request. Few details were revealed about exactly what went wrong, but there is reason to believe that Stephan was at least partially at fault.
That’s because FACC fired him following an internal investigation, claiming that he had “severely violated his duties”. It also fired its chief financial officer.
FACC sought €10 million in legal damages from the executives, but the lawsuit was dismissed by the Austrian courts.
4. Crelan Bank (€75.6 million)
A month after the FACC incident, the Belgian firm Crelan Bank fell victim to a similar scam.
Again, an attacker spoofed the email account of the organisation’s CEO and emailed an employee asking them to transfer funds into an account controlled by the attacker.
What the transfer supposedly related to and the full amount that was paid were never revealed.
However, Crelan Bank confirmed that the incident resulted in damages of €75.6 million – although that may include remediation costs.
3. Sony Pictures (€80 million)
In November 2014, the criminal hacking group ‘Guardians of Peace’ leaked a reported 100 terabytes of data from the film studio Sony Pictures.
The attackers laid their trap months earlier, according to Stuart McClure, the CEO of computer security firm Cylance, who analysed the leaked data.
McClure found that many top Sony executives, including CEO Michael Lynton, received phishing emails that appeared to be from Apple.
The messages asked them to verify their Apple IDs and redirected them to a bogus site that captured their login credentials.
With this information, the attackers accessed a trove of data, including details about Sony Pictures employees and their families, private correspondence and information regarding then-unreleased films.
To compound the damage, the attackers deployed a variant of the Shamoon wiper malware to destroy data across Sony’s computer infrastructure.
But all of that appeared to be merely the opening salvo before the attackers revealed their true motive.
The attackers, who were later tied to a state-sponsored North Korean group, demanded that Sony withdraw its film The Interview, a comedy about a plot to assassinate the North Korean leader, Kim Jong-un.
They also threatened terrorist attacks at cinemas that screened the film, which resulted in many cinema chains opting not to show it.
Given the unusual nature of the incident, it’s hard to calculate the exact damages, but Jim Lewis, senior fellow at the Center for Strategic and International Studies, estimated that it cost Sony Pictures more than $100 million (about €80 million at the time).
2. Facebook and Google (€90 million)
Between 2013 and 2015, two of the world’s biggest tech firms were duped out of $100 million (about €90 million at the time) after falling victim to a fake invoice scam.
A Lithuanian man, Evaldas Rimasauskas, noticed that both organisations used the Taiwanese infrastructure supplier Quanta Computer.
Over two years he sent a series of bogus multimillion-dollar invoices impersonating the supplier, complete with contracts and letters that appeared to have been signed by executives and agents of Facebook and Google.
The scam was eventually discovered, and Facebook and Google took legal action. They recovered just under half of the stolen money, while Rimasauskas was arrested and extradited from Lithuania.
In December 2019, he was sentenced to five years in prison.
1. Colonial Pipeline (up to €3.4 billion)
In May 2021, millions of Americans experienced first-hand the damage that cyber attacks can cause, after fuel supplier Colonial Pipeline was crippled by a ransomware attack.
The organisation was forced to halt operations after its business network and billing system were compromised.
Although ransomware was responsible for much of the damage, the attackers were only able to plant the malicious software after gaining access to an employee’s password.
The most likely way of doing that is through a phishing email. As the US government noted, the DarkSide gang responsible for the attack has used such methods.
As for how costly the breach was, it’s impossible to determine. Colonial Pipeline paid the attackers $4.4 million (about €3.75 million) for the decryption key, but that was just the tip of the iceberg.
The organisation, which provides almost half of the oil supplies to the east coast of the US, was shut down for a week. This resulted in the non-delivery of about 20 billion gallons of oil, worth approximately €3.4 billion at the time.
As you’d expect, petrol prices soared, meaning some of the costs were passed on to the public.
Meanwhile, more than 10,000 petrol stations were left without oil even a week after Colonial Pipeline’s systems returned to normal.
CEO Joseph Blount acknowledged the costs to the wider US economy in an interview with The Wall Street Journal, in which he explained his decision to pay the ransom.
“I know that’s a highly controversial decision,” he said. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.
“But it was the right thing to do for the country.”
The combined damage to Colonial Pipeline and the US economy makes this by far the most expensive phishing attack ever seen.
Your employees are your last line of defence
As these incidents demonstrate, the biggest danger you face when it comes to phishing is whether your employees can spot the signs of a scam.
Millions of phishing emails are sent every day, and a large proportion slip through spam filters. When that happens, you must be able to rely on your employees to stay vigilant and act responsibly.
To help them do this, organisations should provide regular staff awareness training. Do employees know what to look for? Who do they contact if they spot a suspicious email?
Our Phishing Staff Awareness Training Programme helps employees answer these questions, ensuring that your last line of defence is as strong as possible.
A version of this article was originally published on 26 August 2021.