{"id":10941,"date":"2021-04-29T13:18:11","date_gmt":"2021-04-29T17:18:11","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=10941"},"modified":"2023-03-20T18:00:22","modified_gmt":"2023-03-20T22:00:22","slug":"the-dirty-dozen-the-12-most-costly-phishing-attack-examples","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/the-dirty-dozen-the-12-most-costly-phishing-attack-examples\/","title":{"rendered":"The Dirty Dozen: The 12 Most Costly Phishing Attack Examples"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"h-the-list-of-the-top-phishing-attacks-and-bec-scams-and-what-made-them-so-successful\">The list of the top phishing attacks and BEC scams and what made them so successful<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><em>Note: This article, which was originally published in 2019, has been updated to include related news &amp; media resources<\/em><\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Phishing is one of the most vicious and dangerous threats to\nyour business \u2014 regardless of whether you\u2019re a large corporation, a small\nbusiness, or something in between. The most successful <a href=\"https:\/\/www.us-cert.gov\/ncas\/tips\/ST04-014\">phishing attack<\/a> examples often involve a combination of different\nsocial engineering tactics and can involve the impersonation of CEOs or company\nexecutives, government organizations, charities, vendors, and business partners.\n<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At some level, everyone is susceptible to phishing scams because they prey on an individual\u2019s\npersonal judgment, insecurities, or (in some cases) incompetence. Whether\nyou\u2019re a C-level executive, a celebrity, or an employee at a small business, these\nattacks are designed to use a variety of deceptive tactics to try to influence,\nmanipulate, or outright trick you into performing a particular task. 
The goal\ncould be to gain access to vital systems or to get you to make large wire transfers\nto fraudulent accounts. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Falling for business email\ncompromise schemes that involve phishing and email spoofing is among\nthe most costly mistakes companies around the globe make. How costly? We were\nwondering the same. That\u2019s why we\u2019ve taken the time to identify the top 12 phishing attack examples.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">How did these scams occur? More importantly, what can we\nlearn from each of these notable phishing attack\nexamples?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-the-12-most-costly-phishing-attack-examples-to-date-ranked-from-highest-to-lowest-cost\">The 12 Most Costly Phishing Attack Examples\nto Date (Ranked from Highest to Lowest Cost)<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter\"><img loading=\"lazy\" decoding=\"async\" width=\"395\" height=\"1024\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-Dozenv1-395x1024.png\" alt=\"\" class=\"wp-image-10942\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-Dozenv1-395x1024.png 395w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-Dozenv1-116x300.png 116w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-Dozenv1-768x1991.png 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-Dozenv1.png 1000w\" sizes=\"auto, (max-width: 395px) 100vw, 395px\" \/><\/figure>\n<\/div>\n\n\n<ol class=\"wp-block-list\">\n<li><strong>$100\nmillion<\/strong> \u2014 Facebook and 
Google<\/li>\n\n\n\n<li><strong>$75\nmillion<\/strong> \u2014 Crelan Bank<\/li>\n\n\n\n<li><strong>$61\nmillion<\/strong> \u2014 FACC<\/li>\n\n\n\n<li><strong>$50\nmillion<\/strong> \u2014 Upsher-Smith Laboratories<\/li>\n\n\n\n<li><strong>$47\nmillion<\/strong> \u2014 Ubiquiti Networks<\/li>\n\n\n\n<li><strong>$44\nmillion<\/strong> \u2014 Leoni AG<\/li>\n\n\n\n<li><strong>$31\nmillion<\/strong> \u2014 Xoom Corporation<\/li>\n\n\n\n<li><strong>$21\nmillion<\/strong> \u2014 Path\u00e9<\/li>\n\n\n\n<li><strong>$18\nmillion<\/strong> \u2014 Tecnimont SpA<\/li>\n\n\n\n<li><strong>$17\nmillion<\/strong> \u2014 The Scoular Company<\/li>\n\n\n\n<li><strong>$11.8\nmillion<\/strong> \u2014 MacEwan University<\/li>\n\n\n\n<li><strong>$3\nmillion<\/strong> \u2014 Mattel<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-breaking-down-the-top-12-most-costly-phishing-attack-examples\">Breaking Down the Top 12 Most Costly Phishing\nAttack Examples<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"273\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Bad-Facebook-300x273.png\" alt=\"\" class=\"wp-image-10946\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Bad-Facebook-300x273.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Bad-Facebook.png 521w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-1-facebook-and-google\">1. Facebook and Google<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Facebook<\/strong> and <strong>Google<\/strong>, together, were <a href=\"http:\/\/fortune.com\/2017\/04\/27\/facebook-google-rimasauskas\/\">scammed out\nof more than $100 million<\/a> between 2013 and 2015 through an elaborate fake\ninvoice scam. 
Yeah, that\u2019s an insane amount of money to lose due to what ultimately\nboils down to an avoidable mistake. A Lithuanian hacker was able to accomplish\nthis feat by sending each company a series of fake invoices while impersonating\na large Asian-based manufacturer they used as a vendor.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-2-crelan-bank\">2. Crelan Bank<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Crelan Bank<\/strong> in\nBelgium <a href=\"https:\/\/blog.knowbe4.com\/crelan-bank-loses-75.8-million-dollars-in-ceo-fraud\">lost\n$75.8 million<\/a> (approximately \u20ac70 million) in a CEO fraud attack that\nwas reportedly discovered during an internal audit. The identities of the\nattackers are still unknown, but the bank has implemented new security measures\nto prevent the attack from happening again. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"241\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FACC-1-300x241.png\" alt=\"\" class=\"wp-image-10952\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FACC-1-300x241.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FACC-1.png 723w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-3-facc\">3. FACC<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>FACC<\/strong>, an Austrian\naerospace parts maker, <a href=\"https:\/\/www.reuters.com\/article\/us-facc-fraud-lawsuit\/facc-sues-former-ceo-cfo-for-11-million-over-cyber-fraud-failings-idUSKBN1O91JY\">lost\n$61 million<\/a> (approximately \u20ac54 million) in a CEO fraud scam. A\nhacker posed\nas the CEO and sent a phishing email to an entry-level accounting employee who\ntransferred funds to an account for a fake project. 
This kind of situation\nunderscores the importance of having comprehensive and regular cyber security\nawareness training for employees. This case is a landmark in another way \u2014 the\ncompany is suing their former CEO and CFO for not doing enough to protect the\ncompany from millions in losses. In the ongoing case, the company has alleged\nthat the two leaders \u201cfailed to set up adequate\ninternal controls and to meet their obligations of collegial cooperation and\nsupervision.\u201d<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-4-upsher-smith-laboratories\">4. Upsher-Smith Laboratories<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Upsher-Smith\nLaboratories<\/strong>, a U.S. drug company, was <a href=\"http:\/\/www.fox9.com\/news\/ceo-spoofing-costs-drug-company-50-million\">swindled\nout of more than $50 million<\/a> over the course of three weeks in 2014. The\nphishers, impersonating the company\u2019s CEO, sent phishing emails to the\ncompany\u2019s accounts payable coordinator that instructed them to make nine\nfraudulent wire transfers. Though they were able to recall one wire, which dropped\ntheir loss to $39 million (plus interest), they still initially transferred\nmore than $50 million, which is why they rank fourth on our list. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"245\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FBI-phish-300x245.png\" alt=\"\" class=\"wp-image-10953\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FBI-phish-300x245.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/FBI-phish.png 579w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-5-ubiquiti-networks\">5. Ubiquiti Networks<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Ubiquiti Networks<\/strong>,\na U.S. 
computer networking company, faced an unusual situation: The company was\nunaware that it had been <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/ubiquiti-networks-says-it-was-victim-47-million-cyber-scam-n406201\">taken\nfor $46.7 million<\/a> \u2014 nearly 10% of the company\u2019s cash position \u2014 through CEO\nfraud emails and was <a href=\"https:\/\/www.forbes.com\/sites\/nathanvardi\/2016\/02\/08\/how-a-tech-billionaires-company-misplaced-46-7-million-and-didnt-know-it\/#254c489350b3\">notified\nof the activity by the FBI<\/a>, which had been watching the company\u2019s Hong Kong\nunit\u2019s bank account. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">According to the company\u2019s <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1511737\/000157104915006288\/t1501817_8k.htm\">quarterly\nfinancial report<\/a>:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><em>\u201cThe incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company\u2019s finance department.&nbsp;This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.\u201d<\/em><\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-6-leoni-ag\">6. Leoni AG<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Leoni AG<\/strong>, a\nleading manufacturer of wire and cables, was scammed out of \u20ac40\nmillion (approximately $44 million) when a finance employee in the company\u2019s\nRomania office was targeted by a phishing email claiming to be from the\ncompany\u2019s senior German executives. This situation is another one of those phishing attack examples that demonstrates the\nimportance of training employees to identify phishing emails. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-7-xoom-corporation\">7. 
Xoom Corporation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Xoom Corporation<\/strong>,\na leading electronic funds transfer provider, found itself in the crosshairs of\na BEC scam that cost them nearly $31\nmillion. In <a href=\"https:\/\/www.sec.gov\/Archives\/edgar\/data\/1315657\/000155837015000070\/xoom-20150210ex9913e154e.htm\">Q4\n2014<\/a>, the company reported a \u201c$30.8 million business e-mail compromise\n(\u201cBEC\u201d) fraud loss\u201d when <a href=\"https:\/\/www.reuters.com\/article\/us-xoom-fraud\/xoom-says-30-8-million-transferred-fraudulently-to-overseas-accounts-idUSKBN0KE1WA20150105\">communications\ninvolving employee impersonation<\/a> and conveying fraudulent requests targeted\nthe company\u2019s finance department. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"226\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Pathe-300x226.png\" alt=\"\" class=\"wp-image-10950\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Pathe-300x226.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Pathe-400x300.png 400w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Pathe.png 758w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-8-pathe\">8. Path\u00e9<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Path\u00e9<\/strong>, a European cinema chain, was <a href=\"https:\/\/www.bankinfosecurity.com\/blogs\/french-cinema-chain-fires-dutch-executives-over-ceo-fraud-p-2681\">scammed out of more than $21 million<\/a> (approximately \u20ac19 million) when two top-level executives were targeted in an email scam. Over nearly a month, the hacker got them to transfer multiple payments while impersonating the company\u2019s CEO. 
The company ultimately ended up terminating the CEO over the incident.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-9-tecnimont-spa\">9. Tecnimont SpA<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Tecnimont SpA<\/strong>, an\nItalian engineering, construction and procurement company, was <a href=\"https:\/\/www.bankinfosecurity.com\/bec-scam-leads-to-theft-186-million-fraud-a-11930\">defrauded\nof $18.6 million<\/a> through an elaborate BEC scheme. This phishing attack example involved cybercriminals sending emails to\nthe company\u2019s India executives and scheduling fake conference calls to\ndiscuss a confidential acquisition in China. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-10-the-scoular-company\">10. The Scoular Company<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The Scoular Company<\/strong>,\na commodities trading firm, was <a href=\"https:\/\/www.csoonline.com\/article\/2884339\/omahas-scoular-co-loses-17-million-after-spearphishing-attack.html\">scammed\nout of more than $17 million<\/a> in an elaborate spearphishing scam. Phishers,\npretending to be the company\u2019s CEO, sent emails to the company\u2019s controller,\ninstructing them to wire funds while referencing the company\u2019s real accounting\nfirm (though the contact information they provided was fake \u2014 the email address\nwas from a Russian server and the Skype phone number was registered using an IP\naddress in Israel). 
<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"193\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Construction-Phish-300x193.png\" alt=\"\" class=\"wp-image-10951\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Construction-Phish-300x193.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Construction-Phish.png 521w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<h3 class=\"wp-block-heading\" id=\"h-11-macewan-university\">11. MacEwan University<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MacEwan University<\/strong>,\nan educational institution in Canada, was bilked out of nearly $11.8 million in\n2017 when <a href=\"https:\/\/www.thesslstore.com\/blog\/comes-phishing-best-defense-education\/\">phishers\nimitated Edmonton construction companies<\/a> and sent out fake invoices as part of\na massive scam. The cybercriminals went so far as to create multiple websites\nfor more than 12 construction companies in the area to collect from the real\nbusinesses\u2019 business partners. The good news for MacEwan is that they were able\nto recover 92% ($10.9 million) of their stolen funds in the end. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-12-mattel\">12. Mattel<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Mattel<\/strong>, the\nmanufacturer that sells Barbie and other kids\u2019 toys, was <a href=\"https:\/\/www.cbsnews.com\/news\/mattel-vs-chinese-cyberthieves-its-no-game\/\">scammed\nout of $3 million<\/a> through CEO fraud in 2015. 
However, luck was on Barbie\u2019s\nside in that the phishers performed their attack the day before a bank holiday.\nThis gave Mattel executives time to get international police and the FBI\ninvolved and, ultimately, recover their stolen funds within days of the transfer.\nUnlike some of the other companies on our list of phishing\nattack examples, Mattel enjoyed a happy ending to what could have been a\nvery ugly cyber security story. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-makes-bec-phishing-scams-so-successful\">What Makes BEC Phishing Scams So\nSuccessful<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Business email compromise and phishing scams are on the\nrise. The <a href=\"https:\/\/www.ic3.gov\/media\/2018\/180712.aspx\">Internet Crime\nComplaint Center (IC3)<\/a> reports \u201ca 136% increase in identified global\nexposed losses\u201d relating to BEC\/email account compromise scams between December\n2016 and May 2018. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"195\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/urgent-phish-300x195.png\" alt=\"\" class=\"wp-image-10948\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/urgent-phish-300x195.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/urgent-phish.png 465w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">What makes phishing scams\nso successful? They aren\u2019t technology focused. Hackers are targeting <em>people<\/em> \u2014 they\u2019re counting on employees\nresponding in a frenzy to urgent emails that appear to come from their\nexecutives or vendors. 
\u201c<em>I need you to\ntransfer $X to X account as soon as possible to avoid an important deal falling\nthrough!\u201d<\/em> <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These attacks act on the idea that the employees they target\naren\u2019t likely to question an email that comes from their boss\u2019s boss (or boss\u2019s\nboss\u2019s boss, and so on) or to double-check and verify information when they\u2019re being\ntold to rush. It\u2019s not about targeting vulnerabilities in networks or security\ndefenses; it\u2019s about targeting you and your colleagues as people who make mistakes.\n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-we-can-learn-from-these-companies-phishing-scam-experiences\">What We Can Learn from These Companies\u2019 Phishing\nScam Experiences<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There is a common trait among these 12 corporate phishing attack examples: Many of the employees\nwho received the messages simply complied with the fraudulent email requests\nwithout first verifying that the requests were valid. In the cases where the\nemployees <em>did<\/em> try to verify whether\nthey should perform the task, most simply responded to the fraudulent email or\ncalled the attacker(s) using the fake contact information provided in the\nemail. 
<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-require-verification-through-other-official-channels\">Require Verification Through Other Official Channels<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"237\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Confirm-again-300x237.png\" alt=\"\" class=\"wp-image-10947\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Confirm-again-300x237.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Confirm-again.png 455w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">If the employees in any of these situations had reached out\nthrough other official channels or methods \u2014 such as using known phone numbers\nfrom their company\u2019s phone directory to call the person directly, contacting\ntheir assistant, or even just walking down the hall to speak with the alleged\nrequester face to face \u2014 they could have avoided losing millions of dollars to\nfraud. Unfortunately, the true cost of phishing\nattacks often does not end with the money that was stolen \u2014 other costs\ninclude loss of revenue due to damage to the company\u2019s image and reputation.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This concept goes hand in hand with our next recommendation,\nwhich would make it mandatory to follow set processes before making any\nfinancial transfers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-implement-new-processes-to-increase-cyber-defenses\">Implement New Processes to Increase Cyber Defenses<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Another way these companies could have avoided falling prey\nto phishing attacks would have been to have account\nverification and safeguard processes in place. 
This could entail requiring\nemployees to follow set processes (such as performing account verification,\nrequiring secondary and\/or tertiary signatures by other personnel, and\nrequiring phone verification, etc.) before making any transfers over a set\namount \u2014 for example, $10,000. Sure, this may seem a bit inconvenient for your\naccounting and finance department initially, but a little inconvenience sure\nbeats losing millions of dollars to cybercriminals. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-implement-employee-cyber-awareness-training\">Implement Employee Cyber Awareness Training <\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"alignright\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Education-about-phishing-300x300.png\" alt=\"\" class=\"wp-image-10949\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Education-about-phishing-300x300.png 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Education-about-phishing.png 537w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">In addition to having the appropriate policies in place,\noffering comprehensive <a href=\"https:\/\/www.thesslstore.com\/blog\/how-improving-your-cyber-security-posture-benefits-your-bottom-line\/\">cyber\nsecurity awareness training<\/a> for employees likely would have prevented many\nof these phishing attack examples from\noccurring. This form of education regularly trains employees to identify and\nappropriately respond to phishing emails (which, in most cases, means not engaging\nwith the email itself, informing the IT administrator, and deleting or\nquarantining the email). 
It also contributes to strengthening your\norganization\u2019s \u201chuman firewall.\u201d<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber security awareness training can be offered face to\nface or online, and periodic phishing testing should be performed to determine\nthe success of the training or to identify areas to focus on in future\ntrainings. <\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-use-email-signing-certificates\">Use Email Signing Certificates<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The final method of protection we\u2019ll mention that could have\nprevented any (or all) of these phishing attack\nexamples is the use of email signing certificates. <a href=\"https:\/\/www.thesslstore.com\/products\/email-document-signing-certificates.aspx\">Email\nsigning certificates<\/a> enable executives and other employees to digitally\n\u201csign\u201d their emails so their recipients can easily verify that they are who\nthey say they are. These certificates, which are issued by industry-trusted\ncertificate authorities (CAs), use the <a href=\"https:\/\/www.thesslstore.com\/blog\/what-you-need-to-know-about-s-mime\/\">S\/MIME\nprotocol<\/a> (Secure\/Multipurpose Internet Mail Extensions) to digitally sign\nemails. Making the use of email signing certificates mandatory across the\nboard means that if someone in the finance or accounting department\nreceives an email that appears to come from the CEO, they can easily verify the\nidentity of the email sender. <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">An added bonus is that these certificates can also be used\nto send secure emails using asymmetric encryption. This enables you to send an encrypted\nemail to a recipient who has the matching private key, which protects the\nconfidentiality of your data while it\u2019s at rest and sitting in your recipient\u2019s inbox\nby ensuring that no one but the intended recipient can open it. 
Since many\nemail service providers use SSL\/TLS to protect emails while they\u2019re in transit,\nthis means that you\u2019ll be able to enjoy both data in transit and data at rest\nprotection. &nbsp;&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-final-thoughts\">Final Thoughts<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">There are new business email compromise and phishing attack examples taking place at companies\naround the world. What this list shows is that no company is too big to fall\nprey to tried-and-true phishing scams. While it\u2019s important to secure your\ndevices and IT infrastructure to eliminate vulnerabilities, it\u2019s just as\nimportant to also strengthen your \u201chuman firewall\u201d through training and\nidentity verification methods.&nbsp; <\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you know of any noteworthy attacks that should be included on our top phishing attack examples list in the future, be sure to mention them in the comments below. <\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"block-45890299-2a20-4a17-903e-68f0845866ed\">Recent Related News<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\" id=\"block-2494e001-2432-43ea-a156-1feec08acc7b\"><em>Updated on April 29, 2021<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.techrepublic.com\/article\/phishing-attacks-target-chase-bank-customers\/\" target=\"_blank\" rel=\"noreferrer noopener\">Phishing attacks target Chase Bank customers<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.zdnet.com\/article\/this-password-stealing-android-malware-is-spreading-quickly-heres-watch-to-watch-out-for\/\" target=\"_blank\" rel=\"noreferrer noopener\">Password-stealing Android malware is spreading quickly<\/a><\/li>\n<\/ul>\n\n\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The list of the top phishing attacks and BEC scams and what made them so successful Note: This article, which was originally published in 
2019, has been updated to include&#8230;<\/p>\n","protected":false},"author":17,"featured_media":10943,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16,13114],"tags":[166],"class_list":["post-10941","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","category-updated","tag-phishing","post-with-tags"],"views":69051,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2019\/06\/Dirty-dozen-feature.png","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=10941"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/10941\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/10943"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=10941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=10941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=10941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]
}}