Learn how to protect yourself by studying the biggest phishing scams in history
If we draw an analogy between phishing and fishing, some scam artists are industrial-sized trawling operations that scrape the sea clean.
Automated software and sophisticated tools make it possible for enterprising cybercriminals to scale their fraudulent emails in ways never imagined. Processes that used to be laborious and time-consuming can now be coded into automatic routines that cast a wider net than previous generations of cybercriminals were ever able to cast.
The same chatbot technology that allows you to waste scammers’ time as a fun practical joke is being used on the other end by the scammers themselves. When it comes down to it, wasting a chatbot’s time with another chatbot doesn’t sound all that appealing.
The history of cybersecurity can show us some key developments in the size and sophistication of email phishing scams that illustrate how we arrived here today. Some of the world’s largest scams were perpetrated with technology that may seem simple today, by using an underlying method and structure that is just as dangerous now as it was then. Only advanced phishing protection can keep users safe from these scams.
The 5 most famous phishing scams in history
There’s nothing new about confidence tricks being communicated through mail. The 419 scam, also known as the Nigerian Prince scam, is attested to (in various forms) as far back as 200 years ago. But the technology that enables con artists to obtain and use the victim’s information for malicious purposes en masse is very new.
Some of the most ambitious and enterprising criminals in the history of the Internet have tried using these strategies to make quick millions. Some even succeeded, at least temporarily, until the long arm of the law caught up with them.
1. Operation Phish Phry
In 2009, the FBI called Operation Phish Phry the largest international phishing case ever conducted. Hundreds of bank and credit card customers received official-looking emails directing them towards fake financial websites. Victims entered their account numbers and passwords into fraudulent forms, giving the attackers easy access to their private data.
The team behind the scam was highly organized. Then-director Robert Mueller used it as an example of how large organized crime syndicates are indiscernible from nation-state actors when it comes to ambitious, large-scale cyberattacks. There is just no way to know who the perpetrator really is until after the investigation.
From the start, it was evident that Operation Phish Phry was a large-scale project. The FBI ultimately charged more than 100 individuals, relying on cooperation from Egyptian national security agents to capture nearly half of them outside United States’ territory.
The operation was relatively simple by today’s standards, but it managed to pilfer about $1.5 million from hundreds or even thousands of bank accounts.
2. Walter Stephan
While Operation Phish Phry gives us the largest criminal organization dedicated exclusively to email phishing, the story of Austrian aerospace executive Walter Stephan holds the record for the most money lost by an individual from a single scam – around $47 million.
During his tenure as CEO of FACC, which manufactures aircraft components for Boeing and Airbus, cybercriminals faked Stephan’s email and instructed a lower-level employee to transfer the enormous sum to an unknown bank account as part of an “acquisition project”.
FACC’s systems were not hacked. The attacker seems to have simply guessed Stephan’s email correctly, created a look-alike spoof email address, and then targeted an entry-level accountant.
The employee immediately trusted the email and sent the wire. In the aftermath of the loss, Stephan lost his position as CEO, FACC fired its chief financial officer, and the company scrambled to retrieve the money – eventually recouping around one-fifth of the loss.
To avoid the fate of FACC, businesses need to empower employees to verify email communication that appears to come from senior board members. That 30-second phone call may be annoying, but it can save millions.
3. The Target/FMS Scam
One of the major news stories of 2013 was the Target data breach that affected 110 million users, including 41 million retail card accounts. At that time, few news outlets covered how the breach took place, but now the results of the full-scale investigation are public.
It turns out that cybercriminals did not attack Target directly. They targeted a third-party HVAC vendor named Fazio Mechanical Services (FMS), which enjoyed trusted access to Target’s servers. Upon compromising FMS’s servers, gaining complete access to Target’s was simple.
The lesson here is clear – trusted connections need an independent expert review. Someone in your company needs to ask whether maintaining a trusted connection is really worth the potential security risk it may pose.
4. The Ukrainian Power Grid Attack
The December 2015 Ukrainian power grid attack was a history-making event for a number of reasons. It was the second time that malicious firmware was developed specifically for the purpose of destroying physical machinery – the first being Stuxnet, used by the U.S. and Israel to shut down Iranian nuclear centrifuges in 2009.
But unlike Stuxnet, the Ukrainian malicious firmware attack used email phishing as its originating attack vector. It was also the first to use automated, scalable malicious firmware updates so that a small team could disable multiple sites at the same time.
Russian cyberintelligence operatives had access to the power plant’s data and facilities for months prior to the attack and carefully planned every stage of the attack for maximum effect.
The ability to write custom-coded malicious firmware for electrical power station nodes means that once cybercriminals have access to a network, they can potentially override anything on it – from printers and refrigerators to airplanes and airport comm towers.
This history-making cyberattack originated with a single mistake made by a power plant employee. Comprehensive phishing protection and training could have prevented it entirely.
5. The Moscow World Cup Vacation Rental Scam
The most recent entry on this list is notable due to its size and complexity. The Federal Trade Commission had to intervene in order to guide World Cup fans to FIFA.com – the only official source for tickets. Email phishing scammers sent innumerable emails promising vacation rentals, free tickets, and more to World Cup fans.
In this case, it looks like rather than being a single organization perpetrating the scam, opportunists around the world jumped in and tried to pilfer money out of sports fans’ pockets. In one particular high-profile case, hackers targeted Booking.com users through WhatsApp and SMS. The messages contained legitimate customer data – names, phone numbers, addresses, booking dates, reference numbers – taken from compromised hotel systems.
Booking.com’s servers were not compromised in this attack – but they did not need to be. Since hackers targeted the agency’s hotel partners, they could craft very convincing phishing messages using real data. This event underscores the need to establish protocols for sending secure data, such as telling customers never to trust SMS requests for sensitive information or password resets.
What We Can Learn From Phishing Scams
All of the above phishing scams use various attack methods and strategies to achieve very different goals. The primary underlying pattern is the fraudulent misuse of sensitive data to steal and to extort.
Defending yourself against the broad variety of phishing scams in the wild requires a comprehensive, multi-layered approach. Advanced Threat Protection is a critically important element of this approach – but it has to be combined with the establishment of strict communication protocols for sensitive data.
With the right security framework in place, organizations can protect themselves from multiple threat vectors with equal robustness. Technologies like DMARC can protect your executives from becoming the next Walter Stephan, and clear customer-oriented security policies can prevent your users from suffering at the hands of opportunistic WhatsApp scammers. Advanced Threat Protection is the bedrock of successful, comprehensive security solutions for businesses.
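As an added example (not from the article or from any company it names), the following Python routine triages an inbound From: header along the lines the article recommends: it checks whether the sender domain is a real company domain covered by an enforcing DMARC policy, a look-alike of one (the cousin-domain trick used against FACC), or an outside mailbox carrying an executive’s display name. All domains, names and DMARC records are constructed placeholders.

```python
"""Triage a From: header against DMARC and look-alike-domain checks.
Everything below (domains, executives, DMARC records) is constructed."""
from email.utils import parseaddr

# Constructed: the organisation's real sending domains and its executives.
LEGIT_DOMAINS = {"facc.example", "facc-group.example"}
EXECUTIVES = {"walter stephan"}
# Constructed DMARC TXT records as they would be published at _dmarc.<domain>.
DMARC_RECORDS = {
    "facc.example": "v=DMARC1; p=reject; rua=mailto:dmarc@facc.example",
    "facc-group.example": "v=DMARC1; p=none",   # monitoring only, not enforcing
}

def parse_dmarc(record):
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_enforcing(domain):
    """True only if the domain publishes p=quarantine or p=reject."""
    tags = parse_dmarc(DMARC_RECORDS.get(domain, ""))
    return (tags.get("v", "").upper() == "DMARC1"
            and tags.get("p", "none").lower() in ("quarantine", "reject"))

def edit_distance(a, b):
    """Levenshtein distance, used to spot cousin domains (one or two edits away)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the legitimate domain this one imitates (distance 1-2), else None."""
    for legit in LEGIT_DOMAINS:
        if 0 < edit_distance(domain, legit) <= 2:
            return legit
    return None

def triage_from_header(header):
    """Classify as 'trusted', 'unverified', 'lookalike', 'impersonation' or 'external'."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    if domain in LEGIT_DOMAINS:       # exact domain: DMARC decides if the header is meaningful
        return "trusted" if dmarc_enforcing(domain) else "unverified"
    if lookalike_of(domain):          # cousin domain: DMARC on the real domain cannot help here
        return "lookalike"
    if name.strip().lower() in EXECUTIVES:   # executive's display name on an outside mailbox
        return "impersonation"
    return "external"
```

A "lookalike" or "impersonation" verdict is exactly the case where the 30-second phone call the article recommends should be mandatory before any wire is sent.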