In light of the recent HAFNIUM hack, cyber security has become a major focus for many businesses over the past few weeks; although the hack itself was not the result of human error, it was a wake-up call for organisations to make sure they were fully protected.
According to the SANS Institute, 95% of all attacks on enterprise networks in 2020 were the result of successful spear phishing. In another survey, 97% of the people surveyed could not identify a sophisticated phishing email.
Understanding these statistics is vital, as they demonstrate a crucial gap in cyber security knowledge affecting a large proportion of today’s workforce. The financial loss a phishing attack can inflict on your business can be devastating and, beyond that, you also risk losing your reputation as a trusted organisation and your valued customers.
Below are three of the most expensive phishing attacks in recent history: what happened, who was responsible and how these attacks could have been prevented.
Facebook and Google: $100 million
Between 2013 and 2015, Facebook and Google were subject to an elaborate fake invoice scam that cost them $100 million.
A Lithuanian hacker sent both companies a series of fake invoices. They posed as Quanta, a Taiwan-based company that both Facebook and Google used as a vendor.
When the scam was finally discovered, the attacker was arrested, and both Facebook and Google were able to recover $49.7 million of the $100 million stolen from them. Even so, a large chunk of money was still lost due to an avoidable error.
Crelan Bank: $75 million
The Belgian bank fell victim to a business email compromise (BEC) scam that cost the company $75.8 million in 2016.
A high-level executive’s email account was compromised by an attacker, who then spoofed the CEO’s email account by masking the sender as the CEO. Posing as the high-level executive, the attacker instructed the company’s employees to transfer money into a bank account the attacker controlled.
The attack was eventually discovered during an internal audit; however, the identities of the attackers remain unknown.
FACC: $61 million
In 2016, the Austrian aerospace parts maker was also subject to a BEC scam.
In similar fashion to Crelan Bank, the cybercriminals compromised the CEO’s account and instructed the accounting department to send $61 million to a foreign bank account. Unfortunately, it was an entry-level accounting employee who ended up transferring the funds to the account without doing any due diligence, under the impression that it was part of an “acquisition project”.
The company eventually fired and sued their CEO and CFO due to their failure to set up “adequate internal controls and to meet their obligations of collegial cooperation and supervision”.
What could have prevented these attacks?
The biggest flaw exposed here is the lack of cyber security knowledge among users, including those whose accounts were compromised in the first place. According to Cofense, human intelligence and comprehension are the best defence against phishing attacks. In fact, your employees having a strong grasp of cyber literacy can be what protects your business from some of the most common cyber attacks.
Although hackers can use a variety of methods to break into email accounts, the initial fault often lies with the user: for example, giving their account details to suspicious websites by accident, using a password that is easy to guess, or not using two-factor authentication.
Protecting your business from phishing attacks
Something you’ll notice about these scams is the way they assume the identity of a known figure within the organisation or a known vendor that they often communicate with. This is a sophisticated attack that can be difficult for users to spot; after all, we would naturally trust an email coming directly from the CEO of the company.
To mitigate the risk of sensitive data being stolen in the first place, here are some of the methods you can use to tighten your cyber security defence position:
- Have regular password changes every 30, 60 or 90 days and use strong passwords
- Install Two-Factor Authentication (2FA) for all employees
- Ensure all employees have taken cyber security awareness training
- Have regular security health checks, including testing for weaknesses in both the systems and employee knowledge gaps
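As an added example (not part of the original post), a small Python check for the impersonation pattern described above: an executive's display name on an address outside the company domain, a Reply-To that differs from the visible sender, and an urgent payment request in the body. The company domain, executive names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample values (assumed): the trusted internal domain and the
# executives whose display names a BEC email is likely to borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

def impersonation_findings(raw_message: str) -> list[str]:
    """Return the reasons an inbound message looks like executive impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    # Display name of an executive, but the address is not on the company domain.
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{display_name}' used with external address {from_addr}")
    # Reply-To that silently redirects answers away from the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # Payment request combined with urgency cues, the pattern in the BEC cases above.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    payment = any(w in text for w in ("wire", "transfer"))
    urgency = any(w in text for w in ("urgent", "immediately", "confidential"))
    if payment and urgency:
        findings.append("urgent payment request in body")
    return findings

# Constructed messages for testing: one spoofed CEO request, one ordinary internal mail.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: finance.desk@examp1e-mail.net
To: accounts@example.com
Subject: Confidential acquisition

Please wire the funds today, this is urgent and confidential.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_findings(sample))
```

A hit from this check is a prompt for the out-of-band verification described below, not a replacement for it.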
Of course, the best way to verify emails like this is to ask the person directly, especially if it concerns large amounts of money. Confirm the request with them in person or by voice before acting on it, no matter how urgent the email sounds, and do so over a channel other than email, such as picking up the phone or video calling.
Employees may find it daunting to wait to speak to the CEO or senior management if they are uncontactable for a long period after the email is received; however, it is important to help them understand that no matter how urgent the email claims to be, it is better to be safe than sorry.