Top 5 Phishing Attacks and Their Business Impact

Bank robbers used to have to risk their lives, run into a building, wave guns, and tell people to get on the floor. But now they can grab the loot and scoot from the comfort of their living room—thanks to email phishing. 

This was the attack vector used to steal over $70 million from a Belgian bank in 2016. Instead of donning masks and body armor, the robbers used a business email compromise (BEC) attack to get their hands on the bank’s stash. The bank, Crelan, shrugged off the impact of the attack. “Thanks to ample reserves, Crelan can comfortably sustain this loss without it affecting any of our clients or partners in any way,” Luc Versele, the bank’s CEO, stated. “The intrinsic profitability of the bank remains unchanged.”

Their internal cybersecurity personnel might have been singing a slightly less confident tune, however. BEC involves an attacker taking the email login credentials of a manager or high-level executive and then, posing as that person, contacting someone with access to sensitive information or financial accounts. The attacker then convinces that person to provide data, send funds, or execute some other kind of fraud on the attacker's behalf.

The Crelan heist was only one example. Attackers performed a similar maneuver on a drug company in Minnesota, where they pretended to be the CEO and sent an email asking employees to make nine wire transfers to an account. In the end, they got away with over $50 million.

Introduction to Phishing Attacks

These kinds of heists grab headlines and even inspire awe, but they’re not rare. A phishing attack involves a relatively simple premise—lying to someone over email to steal money or sensitive information. With the anonymity inherent to the email system, no one knows: 

  • What the attacker looks like
  • Any of the attacker's personal details, such as their name
  • Where the attacker is launching the assault from, especially if they use a virtual private network (VPN) that makes it look like their computer is located in another country 

Another element of most phishing attacks is social engineering, which is manipulating people to do something they wouldn’t otherwise do. In the attacks described above, there was some social engineering at play because the victims, in the end, opted to trust the email sender. 

In many cases, a phishing attack comes with a sense of urgency—either because something bad may happen if the target doesn’t comply or the victim stands to gain compelling benefits if they fall in line. All told, the combination of anonymity and social manipulation often allows an attacker to get away with millions.

5 Common Types of Phishing Attacks That Impact Businesses

Five of the most common kinds of phishing attacks include email phishing, spear phishing, whaling, vishing, and smishing. All of these attack methods use a similar methodology, but they differ in the people and technologies used to make the assault successful.

Email Phishing

When someone executes a successful email phishing attack, they can gain access to a wide range of sensitive data, as well as systems they wouldn’t otherwise have access to.

A phishing attack may involve the hacker asking an employee to address an issue with a financial account that purportedly has been hacked. The attacker, hidden behind a digital veil, could claim to have received a report regarding user accounts that may have been compromised. For the employee to protect the organization’s financial account, they would need to log in and change the password.

The employee, thinking the email is from IT, someone with access rights to the company’s financial information, or even a third-party cybersecurity provider, readily complies. After clicking a link, they’re brought to a fake website that looks authentic. They enter their username and password, then “change” the password. The attacker stores the username and password and uses them to access the business’s financial account.

Losses from these types of phishing attacks are generally: 

  • Monetary: The business can lose thousands or millions of dollars 
  • Reputational: Investors, customers, and shareholders may wonder whether the organization’s defenses are strong enough to protect their interests

Spear Phishing

Spear phishing involves a hacker targeting a specific person or group within an organization to execute a phishing attack. This kind of attack leverages more intimate knowledge of the person or group the attacker is after, often including details that seem too specific to be faked.

How Spear Phishers Bait Their Targets

An attacker may spend weeks or months studying the people their target interacts with on social media, such as friends, coworkers, and connections on LinkedIn. They will gather specific details about the person’s personal and business life, or even what they do on a day-to-day basis.

The attacker may also dig into their target’s job responsibilities, who they report to, and what kinds of projects they're working on. They then use this information in emails sent, often, from a fake email address so it looks like the message is from a trusted source. Because the attacker took the time to research and craft emails that sound authentic, it’s difficult for the target to see the attacker for who they are, and they often readily comply with the attacker's requests.

While it's easy to pin the blame on the victim, this often isn’t how it pans out in the press and on social media. It’s typically the reputation of the organization that’s at stake, rather than the individuals.
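The credential-harvesting flow described under Email Phishing (a spoofed sender, an urgent pretext, and a link to a look-alike login page) and the fake-address tactic described under Spear Phishing both leave traces that a mail gateway can score before a message reaches an inbox. The Python script below is an added illustration of that kind of defender-side triage; it is not code from this article, from CIO Bulletin, or from any product the article refers to. The trusted-domain list, the urgency phrases, and the two sample messages are constructed for the example.

```python
# Heuristic phishing-indicator scorer for incoming mail (defender-side triage).
# Added illustration, not code from the article or any product it names; the
# trusted domains, urgency phrases and sample messages are constructed.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: domains this organisation accepts as legitimate senders.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}
# Constructed: phrases that manufacture the urgency the article describes.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account has been locked",
                   "unauthorized login", "verify your information", "urgent")
# Matches <a href="...">text</a>; a production gateway would use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _edit_distance(a, b):
    """Levenshtein distance; one or two edits is the signature of a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (1-2 edits away), else None."""
    if not domain or domain in trusted:
        return None
    for t in sorted(trusted):
        if _edit_distance(domain, t) <= 2:
            return t
    return None


def _domain_of(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def phishing_indicators(raw_message):
    """Return [(code, detail), ...] for every indicator found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    sender_domain = _domain_of(sender.addr_spec) if sender else ""
    display = sender.display_name.lower() if sender else ""

    # 1. Sender domain imitates a trusted one (e.g. a digit swapped for a letter).
    target = lookalike_of(sender_domain)
    if target:
        found.append(("lookalike-sender", f"{sender_domain} resembles {target}"))
    # 2. Display name invokes a trusted brand while the address is from elsewhere.
    if sender_domain not in TRUSTED_DOMAINS:
        for t in sorted(TRUSTED_DOMAINS):
            if t.split(".")[0].replace("-", " ") in display:
                found.append(("brand-in-display-name", f"'{sender.display_name}' claims {t}"))
                break
    # 3. Replies are steered to a different domain than the visible sender.
    reply_hdr = msg["Reply-To"]
    if reply_hdr and reply_hdr.addresses:
        reply_domain = _domain_of(reply_hdr.addresses[0].addr_spec)
        if reply_domain and reply_domain != sender_domain:
            found.append(("reply-to-mismatch", f"replies go to {reply_domain}"))
    # 4. Urgency language in the body (tags stripped for HTML).
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    is_html = part is not None and part.get_content_subtype() == "html"
    text = (re.sub(r"<[^>]+>", " ", body) if is_html else body).lower()
    found.extend(("urgency", p) for p in URGENCY_PHRASES if p in text)
    # 5. Link text names one host but the href opens another, or the href
    #    destination itself imitates a trusted domain.
    for href, shown in (ANCHOR_RE.findall(body) if is_html else []):
        href_host = (urlparse(href).hostname or "").lower()
        m = re.search(r"https?://([^\s/<]+)", shown)
        if m and m.group(1).lower() != href_host:
            found.append(("link-mismatch", f"shows {m.group(1)} but opens {href_host}"))
        target = lookalike_of(href_host)
        if target:
            found.append(("lookalike-link", f"{href_host} resembles {target}"))
    return found


# Constructed sample: the credential-harvesting pretext the article describes.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
Reply-To: recover@mail-recovery.example.net
Subject: Action required: suspicious login detected
Content-Type: text/html; charset="utf-8"

<p>Your account has been locked due to unauthorized login attempts.</p>
<p>Please log in immediately to change your password:
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a></p>
"""
# Constructed sample: routine internal mail that should raise nothing.
BENIGN_SAMPLE = """\
From: "Payroll" <payroll@example.com>
Subject: March timesheet reminder
Content-Type: text/plain; charset="utf-8"

Timesheets for March are due by the 5th. Submit them in the portal as usual.
"""
```

Calling `phishing_indicators(PHISHING_SAMPLE)` returns six indicators (look-alike sender, brand in display name, Reply-To mismatch, urgency phrases, link-text mismatch, look-alike link), while the payroll message returns an empty list. A sensible gateway policy routes messages with two or more distinct indicator codes to quarantine or analyst review; a lone urgency phrase is common in legitimate mail and should only raise the score. Heuristics like these complement SPF, DKIM, and DMARC rather than replace them: those checks catch outright spoofing of a trusted domain, but an attacker-owned look-alike domain passes them cleanly, which is exactly the gap the edit-distance check covers.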

Whaling

Whaling is a kind of spear phishing in which the attacker goes after someone high up in the organization, perhaps an executive or high-level manager. The primary difference between whaling and spear phishing is that whaling always victimizes individuals who are high up in the organization's hierarchy. The strategy is simple: Target someone with high-level access to penetrate the most sensitive and lucrative systems possible.

A whaling attack can also be the first step in a series of other assaults, which may have been the case in the two hacks outlined in the beginning. Phase 1 may involve getting the login credentials of an executive, which enables the hacker to use their email. In phase 2, the attacker sends emails to people from the executive’s account. Because the victims trust the source, they comply, revealing information or data the attacker wants.

Vishing

Vishing uses many of the same tactics as regular phishing, but it’s performed over the phone. The attacker pretends to be someone from a reputable company and either asks the victim for information or compels them to perform financial transactions.

A common vishing technique is to request credit card information over the phone. Often, with just a credit card’s number, expiration date, and three-digit code, a hacker can quickly process payments, getting away with thousands in a few minutes. The same can be accomplished if they’re able to grab company bank account information.

Smishing

Smishing is phishing over text messages. It uses the same general approach as vishing and other phishing attacks and involves the hacker pretending to be a trusted individual or company. The user, likely busy with daily tasks, may not think twice as they respond to what looks like a legitimate series of text messages. When they provide sensitive data, however, the organization can lose thousands or millions of dollars.

To protect yourself and your organization, there are several products and services on the market specifically designed to combat phishing attacks, including:

Real-Life Examples of Phishing Attacks

Several examples of phishing attacks have garnered varying levels of media attention, such as the following:

1. The DOJ Files Charges Against Hackers Targeting Universities

The Department of Justice (DOJ) filed charges against a cybercriminal group for a single phishing campaign that helped them get away with 31 TB of academic data that cost the universities $3.4 billion to develop. The DOJ’s actions are representative of their intense focus on tightening cybersecurity across multiple industries, including education.

2. Whaling Attack Leads to Firing of FACC Boss

A whaling attack resulted in the firing of the CEO of FACC, an Austrian aerospace company, for his role in enabling the attack, most likely accidentally.

3. Facebook and Google Fall for an Invoice Scam

A hacker pretended to be someone from Quanta Computer, a company both Facebook and Google do business with, and got away with over $100 million. He used a series of faked invoices, letters, contracts, and corporate stamps in the scam.

4. Attackers Target Apple Users with Smishing

Hackers have been known to send fake text messages to Apple users claiming their “Apple ID account has been locked due to unauthorized login attempts.” Users are then asked to log in and verify their information. After doing so, they end up providing the attacker with their login info, which is then used to steal from them.

The Multi-Layered Impacts of Phishing on Businesses

In addition to financial loss and reputational damage, phishing can lead to intellectual property theft and the disruption of an organization's daily activities. The first step to safeguarding an organization's data and people is helping employees understand what email phishing, spear phishing, whaling, vishing, and smishing look like, as well as the types of people attackers are likely to target. Employee and executive awareness, along with trustworthy email security tools, can help companies mount an effective defense—and avoid negative headlines.


© 2022 CIO Bulletin Inc. All rights reserved.