Spear phishing has emerged as the most expensive type of cyberattack in recent years. A single attack can cost a business anywhere from tens of thousands to millions of dollars, whether through fraudulent wire transfers or through stolen customer and employee credentials, and can devastate a company of any size. Indeed, the FBI estimates that organizations have so far lost $5 billion to fraudulent wire transfers caused by these attacks.
What is spear phishing?
Spear phishing is a more complex and sophisticated form of phishing. It aims to gain illegal access to confidential data by targeting specific organizations or individuals. Like regular phishing, spear phishing attacks impersonate trusted sources; unlike regular phishing, the messages are tailored to the individual recipient, and techniques such as sender impersonation are used.
Attackers may personalize or impersonate users using public information collected on social media sites such as LinkedIn or Facebook so that the spear-phishing email appears legitimate and the targeted users feel obligated to respond.
In the following, we’ve put together a few examples of successful spear phishing attacks to demonstrate how severe these attacks can be.
Top 5 biggest spear phishing attacks
1. Google and Facebook spear phishing scam
Evaldas Rimasauskas, a Lithuanian national, carried out the world’s largest social engineering attack (as far as we know) against two of the world’s largest companies: Google and Facebook.
Rimasauskas and his team created a fake firm that posed as a computer manufacturer doing business with Google and Facebook. Rimasauskas also opened bank accounts in the name of the company.
The scammers then sent phishing emails to specific Google and Facebook employees, billing them for goods and services that the real manufacturer had legitimately supplied, but instructing them to pay the invoices into the fake company’s accounts.
Between 2013 and 2015, Rimasauskas and his associates scammed the two tech giants out of approximately $100 million.
2. Ubiquiti Networks
On June 5, 2015, it was discovered that Ubiquiti Networks had been the victim of a $46.7 million spear-phishing attack. Because the company alerted its bank as soon as it realized it had been deceived, it was able to recover roughly $15 million. According to Ubiquiti, the fraud resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.”
3. Crelan Bank
In 2016, the Belgian bank was the victim of a $75.8 million business email compromise (BEC) scam. An attacker gained access to the email account of a high-ranking executive and used it to send messages that appeared to come from the CEO. Posing as the CEO, the attacker then instructed the company’s employees to deposit money into a bank account he controlled. Although the attack was eventually identified through an internal audit, the attackers’ names remain unknown.
4. Austrian aerospace components manufacturer
Similar to the Crelan Bank case, a BEC scam was also conducted against an Austrian aerospace components manufacturer in 2016. Cybercriminals compromised the CEO’s account and instructed the accounting department to wire $61 million to a foreign bank account. Unfortunately, an entry-level accounting employee transferred the funds without questioning the request, believing it was part of an “acquisition project.”
Citing their failure to establish “adequate internal controls and meet their obligations of collegial cooperation and supervision,” the firm eventually fired and sued its CEO and CFO.
5. Microsoft 365 phishing scam
In April 2021, security experts discovered a Business Email Compromise (BEC) fraud that persuades the recipient to run malicious code on their device. Here’s how the attack works:
- the target receives a blank email with the subject line “price revision.” The email includes an attachment that appears to be an Excel spreadsheet file (.xlsx). The “spreadsheet” is, however, an .html file disguised as a spreadsheet.
- when the target opens the disguised .html file, they are redirected to a website hosting malicious code. The code causes a pop-up notification to appear on the user’s screen, informing them that they’ve been logged out of Microsoft 365 and asking them to re-enter their login credentials.
- you can probably predict what happens next: the fake online form transfers the user’s credentials to the scammers.
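The attachment trick above works because mail clients and users trust the file extension rather than the file’s actual contents. A mail gateway or endpoint scanner can catch this class of disguise by comparing the claimed extension against the leading bytes of the attachment. The following Python script is an added example written for this article, not code from the original page or from any vendor; it generalizes the .xlsx case to other Office and document types and also flags double extensions (for example an inner .xlsx hidden behind a final .html). The policy table, the sample attachments and the function names are all constructed for the example.

```python
import io
import zipfile

# Constructed sample attachments for this example (not artefacts from a real
# campaign). A genuine .xlsx is a ZIP container holding xl/workbook.xml; the
# second sample is an HTML credential-harvesting page simply renamed to .xlsx.
def build_minimal_xlsx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

HTML_DISGUISED_AS_XLSX = (
    b"<!DOCTYPE html><html><body>"
    b"<p>You have been logged out of Microsoft 365. Please sign in again.</p>"
    b"</body></html>"
)

# Assumed policy table: extension -> (expected container, marker file that a
# real Office document of that type must contain inside the ZIP, or None).
EXPECTED = {
    "xlsx": ("zip", "xl/workbook.xml"),
    "docx": ("zip", "word/document.xml"),
    "pptx": ("zip", "ppt/presentation.xml"),
    "pdf": ("pdf", None),
    "html": ("html", None),
    "htm": ("html", None),
}
DOCUMENT_EXTENSIONS = {"xlsx", "docx", "pptx", "xls", "doc", "pdf"}


def sniff_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the claimed extension."""
    head = data[:4096]
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    if head.startswith(b"%PDF-"):
        return "pdf"
    text = head.lstrip()
    if text.startswith(b"\xef\xbb\xbf"):  # strip a UTF-8 BOM before looking at markup
        text = text[3:].lstrip()
    lowered = text[:32].lower()
    if lowered.startswith((b"<!doctype", b"<html", b"<head", b"<script", b"<body")):
        return "html"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict; 'suspicious' is True when name and content disagree."""
    parts = filename.lower().rsplit(".", 2)
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) == 3 else ""
    detected = sniff_type(data)
    verdict = {"filename": filename, "extension": ext, "detected": detected,
               "suspicious": False, "reason": "ok"}

    # Double extension such as invoice.xlsx.html: a document extension is used
    # as bait while the real (final) extension is something else.
    if inner in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        verdict.update(suspicious=True, reason=f"double extension hides .{inner} behind .{ext}")
        return verdict
    # HTML content under any non-HTML extension is the pattern described above.
    if detected == "html" and ext not in ("html", "htm"):
        verdict.update(suspicious=True, reason=f"HTML content behind .{ext} extension")
        return verdict
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict.update(reason="no policy for this extension")
        return verdict
    container, marker = expected
    if detected != container:
        verdict.update(suspicious=True, reason=f"expected {container} container, found {detected}")
        return verdict
    if marker is not None:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            verdict.update(suspicious=True, reason="corrupt zip container")
            return verdict
        if marker not in names:
            verdict.update(suspicious=True, reason=f"zip container lacks {marker}")
    return verdict


def flag_suspicious(attachments) -> list:
    """Given (filename, bytes) pairs, return the filenames that should be quarantined."""
    return [name for name, data in attachments if check_attachment(name, data)["suspicious"]]


if __name__ == "__main__":
    samples = [("price revision.xlsx", build_minimal_xlsx()),
               ("price revision.xlsx", HTML_DISGUISED_AS_XLSX),
               ("price revision.xlsx.html", HTML_DISGUISED_AS_XLSX)]
    for name, data in samples:
        print(check_attachment(name, data))
```

The check is deliberately conservative: an unknown extension is reported but not blocked, while any HTML body arriving under a document extension, or a ZIP that lacks the marker file of the Office type it claims to be, is flagged for quarantine. Magic-byte sniffing is not a substitute for a full parser, but it removes exactly the mismatch the “price revision” lure depends on.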
6. Google Drive collaboration scam
In late 2020, a unique yet straightforward social engineering scheme exploited Google Drive’s notification system. The scam starts with the creation of a document containing links to a malicious website. The fraudster then tags the intended victim in a comment on the document, inviting them to collaborate.
After being tagged, the target receives a legitimate email from Google with the comment’s text and a link to the relevant document. If the scam is successful, the victim will look over the document, read the comments, and be flattered to be asked to cooperate.
The victim then clicks one of the malicious links, lands on the phishing site, and enters their login credentials or other sensitive information. This scam is especially clever because it borrows credibility from Google’s own email notification system: the messages are sent directly by Google and are therefore unlikely to be flagged as spam.
The Google Drive collaboration scam, like many social engineering attacks, relies on the victim’s emotions: in this case, pride and charity when asked for help.
How to prevent spear phishing attacks?
To prevent spear-phishing attacks, security teams must first train users to recognize, avoid, and report questionable emails. Every employee must understand that their role gives them access to particular types of data, and that data is the currency of the information economy.
Second, security teams must develop, manage, and upgrade security technology and practices to prevent, identify, and respond to ever-evolving spear-phishing threats.
Finally, security teams must aim to keep one step ahead of attackers by investing in continuously updated threat intelligence and expertise.