The tried-and-trusted method that has earned criminals millions is still very much in vogue, and it is still being used to steal personal data. Companies remain under serious threat from phishing schemes, and the belief that only a naive user falls for one is itself a risk: the most damaging attacks, those asking for sensitive information such as bank details or requesting a transfer of money, are crafted to look like routine business correspondence from a colleague, a vendor or a bank.
One of the main reasons phishing is such a common type of security breach is that it is an email scam, and everyone uses email. The original sin of email is that anyone can send anything to anyone: the protocol itself does not verify that the sender is who the From header claims, and it does not check whether a link or an attachment is malicious. Even internet giants like Facebook and Google could not avoid becoming victims, losing a combined $100 million to an attacker who posed as a hardware vendor both companies used and sent them fake invoices. According to an FBI report, cybercriminals netted more than $675 million in 2017 by pretending to be vendors or executives and tricking accounting departments into wiring money to accounts they controlled.
Major Phishing Scams You Should Know About
Phishing attempts have targeted some of the largest companies in the US and around the world. Here are some of the most notable cases:
Dyre Phishing Scam
One of the major phishing campaigns in history was Dyre (also called Dyreza), a banking trojan whose campaign impacted more than 20,000 victims and stole upwards of $1 million from the organizations it targeted. The exploits, payloads, lures and attachments varied depending on the target. Most emails posed as correspondence from tax consultants and required the user to download and run an .exe file, which was the malware itself.
The campaign was identified by IBM Security, which noted that the tactics were sophisticated enough that an ordinary user could not be expected to recognise the attack. Once installed, the malware captured login details, including online banking credentials and other sensitive data; in the Dyre Wolf variant of the campaign the operators followed up with live phone operators posing as bank staff, who talked the victim through the "verification" steps that completed the fraudulent transfer.
Operation Phish Phry
This one affected citizens of both the US and Egypt. The top phishing case of 2009 saw more than a hundred people charged, after the criminals made off with $1.5 million by targeting customers of US banks. The scheme is believed to have started in 2007 and affected more than 500 people in the two countries. The Egypt-based attackers targeted Wells Fargo and Bank of America customers by sending emails disguised as coming from the banks themselves, urging users to update their online banking information. The link led to a fake bank website that asked for the login details, username and password, to proceed; the harvested credentials were then used to move money out of the victims' accounts.
Fake President Scam
In 2016, Walter Stephan, the CEO of FACC (an Austrian aerospace parts company), was fired after the company lost around $47 million to a cyber-attack. An employee in the finance department transferred the money in response to a fake email that impersonated Stephan himself, which is the pattern that gives this scam its name. The attackers did not merely copy the style of the CEO's business email; the sender domain was spoofed as well. Since FACC had no procedure at the time for verifying such payment requests through a second channel, the transfer went through. Once the fraud was detected the company was still able to recover about $11 million. The money had been transferred to several banks in Asia and Slovakia.
Snapchat Data Leak
In 2016 a phishing email was sent to Snapchat's payroll department in which the attacker impersonated the company's Chief Executive Officer and asked for payroll information on every employee. Falling for the scam, an employee replied with the information on both current and former employees, exposing more than 700 people.
In 2014, vulnerabilities in third-party apps built on Snapchat's service led to a leak of around 200,000 photos; Snapchat said its own servers had not been breached. Earlier, at the turn of 2013 into 2014, phone numbers and usernames of around 4.6 million users were leaked and temporarily posted on a website. Neither of these earlier incidents involved phishing, but they show that a company's exposure extends well beyond its own inbox.
How Can You Avoid One: Strengthen Information Security
Of course, no one wants to be a victim of a phishing scam, but whether you are targeted is not your choice; whether the attempt succeeds largely is. Data is one of the most sensitive and valuable assets an organization holds, and a stronger information security programme cannot guarantee its protection, but it does make a successful phish far less likely and far less damaging. That requires not only keeping up to date with current threats and tools, but also giving employees data security training so that they understand the value of the data they handle and know how to identify, report and respond to a suspected attack.
As far as phishing is concerned, employees must be trained to tell fake emails and websites from legitimate ones. Instead of opening attachments or clicking links right away, they should scrutinize the message first: check the actual sender address rather than the display name, hover over links to see where they really lead, and be suspicious of urgency. A phishing email, however legitimate it appears, always asks for something that could be used against the organization or to steal money: credentials, personal data or a payment. Any such request, above all one that arrives by email from an executive or a bank, should be verified through a separate channel, for instance a phone number from the company directory rather than one given in the message, before anything is sent.
Training should be backed by tools that warn about suspicious emails and websites: mail filtering, external-sender banners, and sender authentication (SPF, DKIM and DMARC), which lets receiving mail servers reject mail that forges your exact domain in the way the FACC attackers did (a lookalike domain, which many such attacks use instead, still needs a human or a filter to catch). Last but not least, proper information security training also teaches employees how to report and respond to such situations; a suspected phish reported within minutes can be pulled from every other inbox before anyone else clicks. Having your team prepared beforehand can save you from becoming one of the phishing scams of history.
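The checks an employee is taught to make by eye (is the sender's domain really ours, does the visible link text match where the link actually goes, does the mail ask for money or credentials, is the "document" really an executable, as in the Dyre campaign) can also be automated in a triage script or at the mail gateway. The Python below is an added example and not code from the original article or from any of the companies named in it; the organisation, its trusted domains (example-corp.com, bankofexample.com), the keyword list and the sample message are all constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical organisation (an assumption of this example): its own domain and the
# bank it uses. Mail that merely resembles these domains is what the checks flag.
TRUSTED_DOMAINS = {"example-corp.com", "bankofexample.com"}
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".hta")
SENSITIVE_REQUESTS = ("wire transfer", "bank transfer", "update your account",
                      "verify your account", "password", "w-2", "payroll")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted/unrelated."""
    domain = domain.lower()
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # typosquat (example-corp.co) or brand buried in a longer host (bankofexample.com.secure-verify.net)
        if edit_distance(domain, trusted) <= 2 or brand in domain:
            return trusted
    return None

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def find_phishing_indicators(raw_message):
    """Parse an RFC 5322 message; return human-readable warnings (empty = nothing found)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    warnings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"sender domain {from_domain} imitates {imitated}")
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies are redirected to {reply_domain}, not {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(text)
        for href, shown in extractor.links:  # visible text vs. real destination
            host = urlparse(href).hostname or ""
            shown_host = urlparse(shown).hostname or shown.lower()
            if shown_host in TRUSTED_DOMAINS and host != shown_host:
                warnings.append(f"link text claims {shown_host} but points to {host}")
            elif lookalike_of(host):
                warnings.append(f"link host {host} imitates {lookalike_of(host)}")
    asked = [k for k in SENSITIVE_REQUESTS if k in text.lower()]
    if asked:
        warnings.append("requests sensitive action/data: " + ", ".join(asked))
    for part in msg.iter_attachments():  # Dyre-style: executable posing as a document
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTENSIONS):
            warnings.append(f"executable attachment {name}")
    return warnings

def build_sample_message():
    """Constructed sample (not a real capture) combining the patterns from the cases above."""
    m = EmailMessage()
    m["From"] = '"Jane Doe, CEO" <jane.doe@example-corp.co>'
    m["Reply-To"] = "jane.doe.ceo@mail-relay-example.net"
    m["To"] = "payroll@example-corp.com"
    m["Subject"] = "Urgent: employee tax forms needed today"
    m.set_content("<p>Please send the W-2 forms and payroll data for all staff today.<br>"
                  "Confirm your access first at "
                  '<a href="http://bankofexample.com.secure-verify.net/login">'
                  "https://bankofexample.com/login</a>.</p>", subtype="html")
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 28, maintype="application",
                     subtype="octet-stream", filename="tax_statement.pdf.exe")
    return m.as_string()
```

Calling find_phishing_indicators(build_sample_message()) returns five warnings: the typosquatted sender domain, the Reply-To pointing elsewhere, the link whose text names the bank but whose destination does not, the request for W-2 and payroll data, and the executable hiding behind a .pdf name. The lookalike rule is deliberately broad, so a legitimate subdomain such as mail.example-corp.com would also trip it; in production compare registrable domains, keep an allowlist, and use the script as a triage aid that feeds the reporting workflow rather than as a filter that decides on its own.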
Bottom Line
As far as the idea of phishing is concerned, it is as simple as getting someone to click a bogus link, open an attachment, or hand over sensitive information or access to a system. If you educate your team, backing that with training and certifications such as Certified Information Systems Security Professional (CISSP) and the Federal Risk Management Framework, so that they are wary of such malicious and fraudulent practices, you can implement reliable and strong security measures that keep your data protected.