In recent years spear phishing has become the most costly form of cyberattack. Attacks range from tens of thousands to millions of dollars in wire fraud, or lost customer and employee credentials, and which devastate a business of any size. In fact, the FBI estimates that organizations have lost $5 billion so far in fraudulent wire transfers to these types of attacks. To illustrate the severity of these attacks, we’ve put together a few examples of successful spear phishing attacks.
4. Ubiquiti Networks lost $46.7M to scammers
On June 5, 2015, it was discovered that Ubiquiti Networks had been hit by a spear phishing attack that cost the company $46.7 million. They were able to recover about $15 million as they contacted their bank as soon as it was clear they had fallen victim to a scam. Ubiquity disclosed that the criminal fraud was a result of “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” Take a look at our June Threat Spotlight for an example and breakdown of this type of attack.
3. FACC forfeited $55M
FACC manufactures engine and interior parts for Airbus, Boeing, and other aerospace manufacturers. The company lost $55 million when they were struck by attackers on January 19, 2016. Following the accident, the company’s stock dropped 17%.
The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the “Fake President Incident”
Details of the attack and the role of the CEO in that attack have not been made public.
2. Crelan Bank was taken for $75.8M
On January 19, 2016, this Dutch Bank released a statement (pdf, in Dutch) stating it had lost about $75.8 million to fraud. Crelan assured the public that the bank reserves would protect its clients and partners from the loss and that additional security had been deployed to prevent this type of fraud in the future. In paraphrasing from the Dutch statement, Luc Versele, Crelan’s CEO, stated that “The intrinsic profitability of the bank remains unchanged.”
1. Facebook & Google were tricked for 100M
On March 21 of this year, the Department of Justice released a statement about a Lithuanian email scam that had taken roughly 100 million from two tech giants. While they have refused to comment, major tech news sources such as CNET and Fortune believe that these two companies are Google and Facebook. This demonstrates that even the most sophisticated corporations can fall victim to highly targeted social engineering attacks.
Most companies don’t have sufficient reserves to take such a severe financial hit and stay in business. As with all cyber attacks, the best defense is a good offense. Here are some tips to avoid falling victim to this type of attack:
- Deploy sufficient security to protect the business and the people from this kind of attack. Take a look at Barracuda’s email security solutions here and our dedicated spear phishing and cyber fraud defense solution, Barracuda Sentinel, here.
- Train employees to recognize the signs of an impersonated message
- Build internal controls that help reduce payments to unauthorized parties
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.
Connect with Christine on LinkedIn here.