October is Cybersecurity Awareness Month, so it is almost mandatory to look at one of the biggest cyber threats known to date. Phishing is among the greatest cyber security threats that businesses and organizations face today: 75% of organizations worldwide reported experiencing some kind of phishing attack in 2020, and according to the FBI there were nearly 11 times more phishing complaints in 2020 than in 2016. Phishing has only risen with the shift to remote work. It is popular with attackers because it is cheap and easy to run and can lead to very large payouts, while the cost to the victims and to the third parties who rely on them can be devastating. Below we examine some of the biggest and most costly phishing scams of the last decade.


1. FACC

In January 2016, FACC, an Austrian aerospace and defense supplier, lost around €50 million to an email phishing scam. The attack was a Business Email Compromise (BEC) scheme, also known as CEO fraud: the attackers sent email that appeared to come from the company's CEO and instructed finance staff to transfer a large sum to an account the attackers controlled. No malware or technical exploit is needed for this kind of attack; it relies on a plausible sender identity and a sense of urgency, and it is defeated by an out-of-band check (a phone call to the executive on a known number) before any unusual transfer is approved. After the loss, FACC's supervisory board removed the CEO, and the company also fired its Chief Financial Officer. Their exact roles in the incident were not made public, but the episode shows that the consequences of falling for such a scam can be severe and not only financial.


2. Sony Pictures

In November 2014, Sony Pictures was hacked by a group calling itself the "Guardians of Peace". The consequences were numerous; among them, an estimated 100 terabytes of data, including unreleased films, internal email and employee records, was stolen and leaked. Stuart McClure, CEO of the security firm Cylance, stated after analysing the leaked material that the group had gained its foothold through phishing emails sent months before the breach became public: employees of Sony Pictures, including the CEO, received fake Apple ID verification emails designed to capture their passwords. Once inside, the attackers demanded that Sony withdraw "The Interview", a comedy about a plot to assassinate North Korean leader Kim Jong-un, and threatened attacks on cinemas that screened it, so many theatre chains refused to show the film. It is difficult to calculate the full scope of the damage, but the estimated cost to the company was over $100 million.


3. Facebook and Google

Between 2013 and 2015, more than $100 million was stolen from Facebook and Google through a clever invoice fraud. The attacker registered a company in Latvia under the same name as Quanta Computer, a Taiwanese hardware manufacturer that both Facebook and Google did business with, and set up email accounts that appeared to belong to Quanta employees. From these he sent phishing emails with forged invoices, contracts and letters to finance staff at Facebook and Google, who were accustomed to making large payments to the real supplier and wired the money to bank accounts he controlled. Once the scam was discovered, both companies cooperated with law enforcement; the perpetrator, Evaldas Rimasauskas, a Lithuanian national, was extradited to the U.S., pleaded guilty to wire fraud and was sentenced to five years in prison in 2019.


4. Colonial Pipeline

The most recent and most disruptive incident on this list hit Colonial Pipeline in the U.S. in May 2021. Colonial Pipeline was hit with ransomware by the DarkSide group, but the attackers first needed a way in, and the assumption at the time was that an employee had been phished. The incident response firm Mandiant later reported that the attackers logged in with a compromised password for a legacy VPN account that was no longer in use but still active and did not require multi-factor authentication; whether that password was originally obtained by phishing is not known. The full cost of the attack is hard to determine. The company paid the attackers roughly $4.4 million in bitcoin within hours of the attack (the U.S. Department of Justice later recovered a large part of it). Because the pipeline carries roughly 45% of the fuel consumed on the U.S. East Coast, the effects were felt publicly: the company shut the pipeline down for about six days, panic buying followed, and fuel prices rose.


Phishing is not going anywhere, and front-line employees remain the best place to detect and stop it. Regular phishing training should teach employees how severe the consequences can be and what to look for in everyday email: a sender address that does not exactly match the domain they expect, a Reply-To header that points somewhere else, an executive asking for an urgent and confidential transfer, or a supplier announcing new bank details. Technical controls should back the training up, in particular multi-factor authentication on every remote-access and email account and a mandatory out-of-band confirmation before any change of payment details, because, as the cases above show, one convincing email is enough.
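The three indicators that the cases above have in common (a lookalike supplier domain as in the Quanta fraud, an executive's name on an address outside the company as in the FACC case, and a Reply-To that diverts replies elsewhere) can be checked automatically before a message reaches a finance inbox. The following script is an added example written for this article, not code from any of the companies mentioned; the trusted domains, the executive name and the three sample messages are constructed for illustration.

```python
"""Flag the BEC and invoice-fraud indicators discussed above in a raw email.

Added example; domains, names and messages below are constructed, not real.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-lists. A real deployment would load the supplier domains
# from the vendor master file and the executive names from the HR directory.
TRUSTED_DOMAINS = {"vendor-example.com", "corp-example.com"}
EXECUTIVE_NAMES = {"pat example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header_value):
    """Return (display name lowercased, domain lowercased) for a From/Reply-To header."""
    name, addr = parseaddr(header_value or "")
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def check_message(raw: str, trusted=TRUSTED_DOMAINS, executives=EXECUTIVE_NAMES,
                  max_distance=2):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []
    name, from_domain = split_address(msg.get("From"))
    _, reply_domain = split_address(msg.get("Reply-To"))

    # 1. Lookalike supplier domain: close to a trusted domain but not identical.
    if from_domain not in trusted:
        for t in sorted(trusted):
            d = edit_distance(from_domain, t)
            if d <= max_distance:
                findings.append(f"lookalike domain: {from_domain} resembles {t} (edit distance {d})")

    # 2. Executive display name on a domain the company does not own (CEO fraud).
    if name in executives and from_domain not in trusted:
        findings.append(f"executive name '{name}' sent from untrusted domain {from_domain}")

    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed sample messages (headers only need to be RFC 5322-shaped).
LOOKALIKE_INVOICE = """From: Accounts Payable <billing@vendor-exarnple.com>
To: ap@corp-example.com
Subject: Invoice 4471 due

Please wire payment to the updated account below.
"""

CEO_FRAUD = """From: Pat Example <pat.example@webmail-example.net>
Reply-To: finance-desk@reply-example.org
To: cfo@corp-example.com
Subject: Urgent confidential transfer

I need this handled today and kept between us.
"""

LEGITIMATE = """From: Accounts Payable <billing@vendor-example.com>
To: ap@corp-example.com
Subject: Invoice 4471

Invoice attached, same bank details as always.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE_INVOICE), ("ceo-fraud", CEO_FRAUD),
                       ("legitimate", LEGITIMATE)]:
        print(label, check_message(raw) or "no findings")
```

The edit-distance threshold of 2 catches substitutions such as "rn" for "m" or a dropped letter, which is how most lookalike domains are built, while a domain that is simply unknown produces no finding and should be handled by the out-of-band confirmation step rather than by this script.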


By: Joanna Ambros, MBA