COVID-19 Cybercrime Reminder: 5 Examples of Phishing Emails That Killed Companies

The Coronavirus pandemic has put the whole world on alert. And unfortunately, as a business owner or manager, you have more to worry about than most. The virus is spreading, the economy is in a tough spot, supply chains have been disrupted, and you are more at risk than ever of a cyberattack. While many would put a potential cyber attack toward the bottom of the list, the truth is that with employees working remotely and all of us distracted by the pandemic, your company is at its most vulnerable point for a very costly phishing attack. Before you make another decision regarding your business, you need to seriously consider that the consequences of cybercrime. In 2019 the FBI’s Internet Crime Complaint Center (IC3) received 467,361 complaints and recorded more than $3.5 billion in losses to cybercrime.¹ Those numbers are predicted to climb dramatically, especially in light of the Coronavirus.

Organizations can fall victim to a number of different phishing scams, but one of the costliest is Business Email Compromise (BEC). In 2019, the IC3 received 23,775 such complaints with an average cost $71,504.¹ Can your business afford to lose that much money? As a further reminder of what email phishing can cost your business, we’d like to remind you of a few very damaging examples.

These are the five most costly phishing attacks of the last few years. Despite a glut of new ESG’s and anti-phishing applications, simulations, and training, phishing continues to be an expensive and ubiquitous problem. Phishing scams target individuals and companies big and small. As we’ll see on today’s breakdown, not even the biggest tech giants are immune to being hooked by a phish.

Phishing scams are prolific, the attacks we’ll profile today can be counted in the tens of millions of dollars and impacted massive multinational companies who had robust – if ineffective -- phishing prevention mechanism in place.

1. Up first Facebook and Google, taken together the two internet giants were scammed out of more than $100 million. This criminality took place over several years and began with the same phishing email. Essentially an Eastern European hacker sourced publicly available information and discovered a shared vendor between the two companies. Posing as the vendor, the phisherman began sending fake invoices to both companies, and incredibly they both paid, over and over again. It took several years for the story to become public, and, shockingly, two internet pioneers were left unprotected against phishing attacks. Amazingly, a single person with a clever premise can steal so much money, particularly from two companies who are pioneers in the tech space. This example delicately highlights the disastrous consequences of relying on legacy ESG’s to combat the current phishing landscape. 100 Million would kill most businesses.
2. When I think of Belgium I think of beer, poke frites and chocolate, not massive phishing scams, however coming in at number two on today’s chart is Belgian megabank Crelan. Crelan Bank in Belgium lost $75.8 million in a CEO fraud attack. The phishing scam started with a directed phishing attack at the organization’s finance department. The criminals posed as the CEO and directed the finance department to wire $10’s of millions of dollars overseas. The bank became aware of the fraud after an internal audit flagged the large transfers, initially suspecting internal fraud the company was able to piece together the email phishing scam that started the whole thing. Incredibly the phishing scammers, in this case, were never brought to justice and remain anonymous and unknown.
3. CEO fraud also struck the number three phishing victim on today’s hit-list. Austrian aerospace company FACC. FACC is an Austrian/Chinese aerospace parts maker, lost $61 million in a CEO phishing scam. A phishing email purporting to be from the CEO Walter Stephan was sent to a fairly low-level associate within the accounting team. The email explained that funding was required for a new project, and the employee was acting on what they thought was their CEO’s instructions duly transferred the equivalent of $61 million. Pretty bad, if they had only called INKY. To add insult to injury Reuter’s is reporting that “FACC is suing its former chief executive and ex-finance chief who allegedly failed to do enough to protect it from a cyber fraud costing tens of millions of euros, an Austrian court said. The company was tricked into transferring some 54 million euros ($61 million) to foreign accounts in a so-called "fake-president fraud", a statement outlining the lawsuit issued by a court in Ried in Innkreis, where FACC is based” FACC felt that their executives had “failed to set up adequate internal controls and to meet their obligations of collegial cooperation and supervision.” Incredible!
4. As I said earlier phishing scammers don’t much care who they are stealing from as long as they are successful. The fourth victim on our list is a US pharmaceutical company who specializes generic drugs, as well as there, own branded products. Upsher-Smith lost a stunning $50m over the course of a few weeks, it would have been more but for an eagle-eyed employee who questioned the transfers. As without other examples, all of it started with an email to accounting. In this case the company is not suing its CEO or CFO but according to Fox 9 News in Minneapolis the company is going after its bank which facilitated the scam, the “drug company’s lawsuit says the bank missed “multiple red flags” including the “rushed nature” of the requests, the scammers’ “insistence on confidentiality,” the departure from “ordinary procedures,” failure to include a second person on the requests,” the “amounts and frequency of the transfers,” and “suspicious beneficiaries” — including one named “Sunny Billion Limited.” Sunny Billion a name we can all trust….”
5. Last but not least of our roll of shame is another tech company. Ubiquiti Networks, specializing in computer networking, Ubiquiti has close to $500m in the bank, a healthy cash position. What they hadn’t realized though was that almost 10% of that that $46.7m had been stolen. Once again phishing was the root cause, a scammer made contact with one of the companies foreign subs and was able to impersonate C-suite executives, so well in fact that known one noticed…. Per the company’s quarterly financial report: “The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.” What they didn’t mention was that they only found out when the FBI altered them; at the time of the phishing scam, they were completely unaware that it was occurring.

So, there you have it folks, one phishing email in each case caused 10s of millions of dollars worth of damage. How much can your company absorb? $10m? $15m? $50m? Those amounts would sink most companies. If INKY was in the line of defense at any of the companies highlighted above the net loss would have almost certainly been zero.

Ready to take a look at how INKY works and see why it's so effective where other solutions fail? Schedule a demo today.

INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.

¹Source: https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120