The 2021 FBI Internet Crime Report reveals that spear phishing scams snagged more victims than any other type of internet scam last year. Phishing and related tactics are attempts to trick victims into disclosing their credentials and other sensitive information. Phishing represents 38.2 percent of all cybercrimes reported to the FBI in 2021 and has been the most reported cyberattack since 2018.
Spear phishing isn’t a new tactic, though it has become more sophisticated over the years. Criminals will continue to use it because it is so successful as a pathway into otherwise secured networks. Some of the largest cyberattacks in the last decade began with spear phishing attacks. Here are a few examples:
Ubiquiti Networks lost $46.7M to scammers
On June 5, 2015, it was discovered that Ubiquiti Networks had been hit by a spear phishing attack that cost the company $46.7 million. The company was able to recover about $15 million because it contacted its bank as soon as it was clear it had fallen victim to a scam. Ubiquiti disclosed that the criminal fraud resulted from “employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department.” Take a look at our June 2017 Threat Spotlight for an example and breakdown of this type of attack.
FACC forfeited $55M
FACC manufactures engine and interior parts for Airbus, Boeing, and other aerospace manufacturers. The company lost $55 million when it was struck by attackers on January 19, 2016. Following the incident, the company’s stock dropped 17%.
The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the “Fake President Incident”.
Details of the attack and the role of the CEO in that attack have not been made public.
Crelan Bank was taken for $75.8M
On January 19, 2016, this Dutch bank released a statement saying it had lost about $75.8 million to fraud. Crelan assured the public that the bank reserves would protect its clients and partners from the loss and that additional security had been deployed to prevent this type of fraud in the future. Luc Versele, Crelan’s CEO, stated that “The intrinsic profitability of the bank remains unchanged.”
Facebook & Google were tricked for $100M
On March 21, 2017, the Department of Justice released a statement about a Lithuanian email scam that had taken roughly $100 million from two tech giants. While they have refused to comment, major tech news sources such as CNET and Fortune believe that these two companies are Google and Facebook. This demonstrates that even the most sophisticated corporations can fall victim to highly targeted social engineering attacks.
These numbers do not capture the full damage to the companies. There are costs related to downtime, investigations, and data leaks. The attack on Sony Pictures Entertainment was estimated to cost $35 million for the fiscal year ending March 31, 2015. The Sony attackers destroyed data and leaked private and sensitive information of Sony employees. Seven months later Sony agreed to pay up to $8 million to those employees claiming to be damaged by Sony’s negligence. The Sony attack was “probably” made possible by a series of phishing emails asking targeted employees to verify their Apple IDs.
Most companies cannot take such a severe financial hit and stay in business. Barracuda Email Protection is a comprehensive security suite engineered to prevent threats, detect and respond to security incidents, secure data, and ensure compliance. Visit our website to see how Barracuda can help protect your company from spear phishing and other email threats.