Despite the common knowledge around phishing, even the most tech-savvy are still falling prey to the tactic. In fact, millennials are more likely to become a phishing victim than their grandparents are. Why is that?
Few outside of the IT and security sectors would even know about Collection Number One, a huge batch of information thought to be one of the biggest data leaks in history, which left more than 1 billion email addresses and password combinations unprotected.
Maybe the threat of phishing does not yet carry the weight it should because data breaches have become so commonplace for businesses of all sizes, internationally and in the U.S. in particular.
To get an idea of just how dire this situation still is, look at Verizon’s eye-opening phishing attack statistics: According to the company’s “2018 Data Breach Investigations Report,” “Phishing and pretexting represent 98% of social incidents and 93% of breaches. Email continues to be the most common vector (96%).”
When news of a hack breaks, people tend to care more about the results of a hack versus what caused it in the first place. The logistics may be less appealing to the everyday consumer, but if we can show just how many of these real-life, disastrous hacks were due to phishing, things could change.
Here are five headline-making hacks from the past few years that were a result of successful phishing:
John Podesta’s Email
There was a lot of cybersecurity controversy surrounding the November 2016 election on both sides of the political spectrum, but few incidents were more notable than the hack of John Podesta’s Gmail account. Podesta, chairman of Democratic presidential candidate Hillary Clinton’s election campaign, became the country’s top phishing attack example when his account was compromised by a Russian hacker group known as Fancy Bear. The phishers, pretending to be Google, sent an email (which linked to a malicious website) saying that he needed to change his password after an attempted hack. When a junior staffer with access to Podesta’s email clicked on the malicious link, it gave the hackers access to Podesta’s account. The resulting fallout? The release of thousands of Podesta’s emails via WikiLeaks, just in time for the November election.
What we should have learned: Examine the email sender’s address, even if they use a name or company domain you’re familiar with. And educate employees—across tiers and departments—to do the same.
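One way to automate the sender-address check the lesson above calls for, as an added example that is not code from the original article: parse the From: header, compare the real address domain against the domains a brand legitimately sends from, and flag a display name that claims a brand while the address sits elsewhere, including lookalike domains. The brand table, the digit-swap map and the sample headers are constructed for this example.

```python
import re
from email.utils import parseaddr

# Brands a phisher might borrow for the display name, mapped to the domains
# that legitimately send mail for them (hypothetical table for this example).
KNOWN_BRANDS = {
    "google": ("google.com",),
    "chase": ("chase.com", "jpmorgan.com"),
}
# Digit-for-letter swaps seen in lookalike domains, undone before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample From: headers, not taken from any real message.
SAMPLE_HEADERS = [
    "Google <no-reply@accounts.google.com>",
    "Google Security Team <security@google.com-login.example>",
    '"Google" <alerts@g00gle.example>',
    "Chase Alerts <alerts@mail-relay.example>",
    "Alice Smith <alice@example.org>",
]

def sender_domain(from_header):
    """Return the lower-cased domain of the real address, or '' if none."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def domain_belongs_to(domain, legit_domains):
    """Exact match or true subdomain only; 'google.com-login.example' fails."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)

def check_sender(from_header):
    """Classify a From: header as ok, lookalike, brand_mismatch or unparseable."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if any(domain_belongs_to(domain, d) for d in KNOWN_BRANDS.values()):
        return "ok"
    # A brand name as any label of a foreign domain (after undoing digit
    # swaps) is a lookalike, e.g. g00gle.example or google.com-login.example.
    labels = {lbl.translate(HOMOGLYPHS) for lbl in re.split(r"[.-]", domain)}
    if labels & set(KNOWN_BRANDS):
        return "lookalike"
    # Display name claims a brand, but the address is not on its domain.
    name_words = set(re.findall(r"[a-z0-9]+", name.lower()))
    if name_words & set(KNOWN_BRANDS):
        return "brand_mismatch"
    return "ok"

def triage(headers):
    """Return {header: verdict} for a batch of From: headers."""
    return {h: check_sender(h) for h in headers}
```

Only a true subdomain of a brand's own domain passes; the check deliberately refuses to be fooled by the brand name appearing somewhere inside a foreign domain.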
The U.S. Power Grid
According to a joint report by the U.S. Department of Homeland Security (DHS) and the FBI, state-sponsored Russian hacker attacks have “affected multiple organizations in the energy, nuclear, water, aviation, construction, and critical manufacturing sectors.”
Contrary to popular belief, the attackers didn’t accomplish this through some brazen, direct attack on high-value targets. Instead, they targeted smaller companies, including an educational training website, excavation companies and a construction firm. They then used these compromised companies as launching points for phishing emails against one another, working toward firms that had relationships with larger power grid organizations.
This was a coordinated spear phishing attack—taking advantage of the companies’ known contacts and using those connections to their advantage.
Although there is no known damage or sabotage to any of the power equipment (their mission appeared to be one of surveillance and observation), it serves as a stark warning that if the hackers did it once, they likely could do it again. With one email.
What we should have learned: No business is too small or obscure to stay under hackers’ radar. Ensure business partners share a set of cybersecurity standards.
JPMorgan Chase
JPMorgan Chase holds the undesirable title of being a company associated with one of the most significant phishing breaches in history. In 2014, the company announced that the contact information for 76 million households and 7 million businesses was compromised in the massive attack. Hackers utilized a combination of phishing tactics to get login credentials and exploited an OpenSSL vulnerability to steal information that is typically encrypted.
According to The New York Times, the hackers had access to virtually everything on 90 of the bank’s servers. They could have initiated mass transfers or account closures that would have had long-lasting economic consequences.
What we should have learned: Encryption is not enough. Businesses should consider hiring certified ethical hackers to find system vulnerabilities before the bad guys do.
Sony
In retaliation for producing the movie “The Interview,” a film about a plot to kill North Korea’s head of state, a North Korean government-backed hacker group launched a devastating attack on the entertainment giant in November 2014.
Using phishing and spear-phishing emails full of malware, the attackers gained access to Sony’s network and performed months of covert reconnaissance.
Once inside, they also threatened company employees and executives, stole confidential data and disabled thousands of the company’s computers. The attack is thought to have cost the company upwards of $100 million.
What we should have learned: If a business is undergoing media scrutiny or is caught in a political upset, it becomes a more appealing target. DevOps should remind employees of precautions they should be taking daily.
BenefitMall
Between June and October 2018, the company’s website was accessed via employee email login credentials that were exposed during an email phishing attack, according to a press release.
The consumer information exposed in the affected mailboxes, which included names, bank account information, insurance information and birth dates, makes identity theft easy.
The full extent of the attack wasn’t immediately known, but BenefitMall works with “a network of more than 20,000 Trusted Advisors” to serve more than “200,000 small and medium-sized businesses.” This leaves a potentially enormous group of employees and businesses at risk.
What we should have learned: Falling victim to hacks can hurt a business—not just in cost, but in reputation. Fearful of having their data stolen, businesses will think twice before partnering with a firm that has a history with hacks.
Phishing Attack Honorable Mention: Facebook and Google
Although these technically aren’t phishing-related data breaches, they still are worth mentioning. Facebook and Google each lost $100 million to sophisticated phishing and wire fraud schemes that were allegedly perpetrated by a Lithuanian hacker named Evaldas Rimasauskas.
Rimasauskas posed as Quanta Computer, an electronics manufacturer and vendor for major companies that include Facebook and Google. He sent phishing emails in the form of fraudulent invoices to con the companies out of the money.