Cybercriminals use malicious social engineering techniques to extract information from unsuspecting users and carry out phishing breaches. Website email scams and phishing email scams are the two most common methods used by attackers. A 2020 phishing attack survey by GreatHorn reveals that IT leaders were remediating 1,185 phishing attacks each month, an average of 40 each day! To help business leaders get a peek into the havoc these phishing attacks can cause, we have compiled a list of the five deadliest phishing attacks of the 21st century.
JPMorgan Chase (2014)
Impact: Compromised contact information of seven million businesses and 76 million households.
JPMorgan Chase, one of the largest US banks, holds an undesirable title – a bank that was a victim of one of the most significant data breaches in history. It announced in 2014 that attackers stole the contact information of seven million businesses and 76 million households in the attack. They exploited an OpenSSL vulnerability and utilized various phishing tactics to access login credentials and steal information. The cybercriminals first obtained a list of programs and applications running on JPMorgan’s computers. Then, they cross-checked that list against known vulnerabilities for every web application and program to look for an entry point into the bank’s systems.
The malicious actors operated overseas and gained access to the names, phone numbers, email addresses, and addresses of JPMorgan account holders. In its regulatory filing, JPMorgan denied receiving any evidence that links the use of customer information to fraud. Additionally, it denied the loss of any account information, including Social Security numbers and passwords.
Impact: Exposed personal data of 111,589 consumers.
Centerstone Insurance and Financial Services, which operates as BenefitMall, disclosed in 2018 that it was the victim of a months-long phishing attack that potentially breached the personal data of 111,589 consumers. It further added that between June and October 2018, unknown parties used the exposed employee email login credentials to access the organization’s website. The following customer information was exposed in the breach:
- Birth dates
- Email addresses
- Bank account details
- Insurance premium payment details
We can ascertain the severity of the risk from the fact that BenefitMall works with a network of more than 20,000 Trusted Advisors and serves over 200,000 small and medium-sized businesses (SMEs). Thus, the attack left a substantial group of people and businesses at risk.
Impact: Over 3 billion user accounts
The IT giant Yahoo was in the midst of negotiations with Verizon for its core internet business when it revealed that it had become the target of a massive data breach. The investigations into the attack showed that the breach led to a compromise of certain user account information from the organization’s network. The account information included names, telephone numbers, hashed passwords, email addresses, dates of birth, etc. Additionally, it may have included the unencrypted and encrypted security questions, including their answers! The breach caused a massive revenue loss to Yahoo because it had to knock off over $350 million from its sales price to Verizon. Furthermore, as a consequence of the perceived reputational damage, Verizon changed its name to Altaba Inc.
Impact: The personal information of 600,000 drivers and 57 million Uber users.
Uber became aware of a potential data breach in 2016 in which cybercriminals obtained names, phone numbers, and email addresses of the Uber app’s 57 million users and 600,000 Uber drivers’ license numbers. The severity of the attack escalated because Uber waited almost a year before revealing that its customers’ and drivers’ personal information was compromised. Additionally, it paid $100,000 to the malicious actors to destroy the stolen data so that it could not be verified. Uber called the ransom payment a bug bounty fee and fired its CSO later. Besides monetary losses (a drop in market cap to $48 billion from $68 billion), Uber witnessed enormous reputational damage.
Impact: 145 million users
The auction giant acknowledged that it was the victim of a massive data breach back in May 2014. After being criticized for the poor implementation of the password-renewal process and lack of communication, eBay confirmed that the breach exposed names, dates of birth, addresses, and encrypted passwords of all its 145 million users. Threat actors gained unauthorized access to the organizational network and carried out the phishing attack. After this incident, eBay suffered immense reputational damage, and its CEO confirmed a decline in user activity after the breach.
An Honourable Mention – Facebook and Google
Evaldas Rimašauskas, a Lithuanian citizen, targeted Facebook and Google recently in what can be called both a phishing scam and a forgery. His thorough knowledge and understanding of the corporate invoicing process and social engineering abilities allowed him to target the world’s two biggest tech giants using a single email account.
He posed as a Taiwan-based technology and computer hardware manufacturer, Quanta Computer, which transacted with big tech enterprises globally. Rimašauskas used forged paperwork and email spoofing to convince Google and Facebook to pay fraudulent invoices amounting to $100 million.
While there were several unnamed co-conspirators in the phishing attack, Rimašauskas was the ringleader. He was arrested in Lithuania, and the tech giants demanded his extradition to the United States. He pleaded guilty to all charges.
As evident from the above examples, the successful phishing attacks had a detrimental impact on the targeted organizations’ profitability and productivity. Thus, it has become necessary for enterprises today to equip their employees with the latest phishing protection service and knowledge necessary to detect and mitigate such phishing attacks.