Phishing remains one of the oldest and the most commonly used modus operandi by cyber adversaries to access network systems globally. Though phishing attacks can be of many types, BEC or Business Email Compromise causes the most significant threat to businesses. Verizon’s 2020 DBIR (Data Breach Investigations Report) states that 22% of data breaches in 2019 involved phishing. ESET’s Threat Report highlights that malicious email detections rose by 9% between the second and third quarters in 2020.
Here are some critical statistics related to the above points.
- As malicious actors rely more on phishing to access network systems, there is a decrease of 40% on breaches involving malware, further shifting the cybersecurity focus from anti-malware solutions to anti-phishing solutions.
- Nearly 65% of the active phishing attacks relied on spear-phishing in 2019.
- A whopping 96% of phishing attacks arrive by email.
Despite organizations employing the most effective anti-phishing solutions in their network systems, phishing attacks are growing relentlessly worldwide due to employee negligence. Employee training is one way to deal with such problems. Learning from the mistakes of others is also an effective remedial measure. Here are some phishing case examples caused by employee negligence that cost their organizations heavily.
Case No 1: Upsher-Smith Laboratories – Loss Of Nearly $39 Million
Though this incident happened sometime in 2014, it has tremendous significance because it is one of the classic email examples of the CEO Fraud category. CEO fraud is a cyber-attack carried out by malicious actors wherein they send phishing emails to the organization’s employees by posing as the organization’s CEO.
In this case, cyber adversaries pretending to be the organization’s CEO emailed the Accounts Payable Coordinator at Upsher-Smith Laboratories, a Maple Grove-based drug establishment, to follow the instructions from the CEO and the organization’s lawyer. The instructions were to make nine wire transfers to the fraudster’s accounts for amounts exceeding $50 million. Though the organization managed to stop one of the bank transfers, its loss was upwards of $39 million.
Employee Negligence Factor
In this case, the employee was negligent in taking the emails at face value. He/she could have contacted the CEO’s office to confirm the origin of such emails, especially if they were not following the standard procedures. The bank handling the transfer is also negligent of missing the multiple red flags, especially the amounts and the frequency of transfers, suspicious beneficiaries, and the failure to include a second signatory to the requests.
Lessons Learned From The Case
Here are some lessons one can learn from this case.
- Generally, CEOs do not directly ask employees to make urgent transfers. Even if they do, the employee could have dropped an email to confirm the request. A precautionary phone call could have stopped this crime from happening.
- Such phishing emails come with an urgency factor. They also insist on confidentiality. Generally, such requests are departures from the organization’s regular procedures.
- The primary lesson one can learn from this attack is not to take any email at face value. It does not cost much to confirm.
Case No 2: Twitter Phishing Case – 2020
The Twitter Phishing case of July 2020 should be fresh on everyone’s mind. It is a classic case of threat actors compromising the employees’ passwords to gain unauthorized access.
In July 2020, several Twitter employees became victims of spear phishing attacks enabling the malicious actors to access the administrator’s tools. Malicious actors posed as Twitter IT administrators and emailed/phoned Twitter employees working from home, asking them to share user credentials. Using these compromised accounts, the cyber adversaries gained access to the administrator’s tools. It enabled them to reset the Twitter accounts of celebrities like Elon Musk, Barack Obama, Jeff Bezos, Apple, Uber, and many more to tweet scam messages asking for Bitcoin contributions.
As these celebrity accounts have a massive following, many Twitter users transferred at least $180,000 in Bitcoins to scam accounts. Luckily, the scam messages were published and noticed by the press. It forced Twitter to take immediate action.
Lessons Learned From The Case
Twitter did not follow proper cybersecurity strategies as the compromised employees did not have appropriate email phishing protection solutions installed on their devices. Privileged access management solutions and monitoring user and entity behavior could have prevented this scam from happening.
Twitter experienced a 4% fall in its share price due to its failure in detecting and mitigating the scam in time. Twitter also had to stop its release of the new API to update security protocols. Educating employees on social engineering attacks is crucial to prevent such frauds from occurring. Though the financial loss was insignificant, Twitter lost its reputation of being one of the most secure social media platforms.
How To Manage Such Phishing Attacks?
Though employee negligence is one of the primary reasons for such phishing attacks, organizations can take remedial steps to thwart such crimes in the future.
- Educating employees on how a phishing attack looks and emphasizing aspects like not clicking on suspicious email links or downloading malicious attachment files can help prevent many phishing attacks right at the initial stage.
- Investing in efficient anti-phishing and anti-ransomware solutions and ensuring the best phishing protection should be the first things an organization should do to manage phishing scams.
- Other remedial measures include changing passwords regularly, installing security updates on time, not sharing information on unsecured sites, and investing in a robust data security platform to help organizations deal with such issues.
Phishing attacks will continue to happen in the future. It is up to the organization and its employees to learn from past mistakes and not repeat them. Employees can educate themselves on how to stop phishing emails. Organizations can deploy the best phishing protection solutions to deal with such situations effectively. Furthermore, organizations must include case studies related to past incidents in the employee education and training programs.