Phishing Scenario

Uploaded by lauretjuma371

COLLEGE OF BUSINESS EDUCATION

DEPARTMENT OF MATHEMATICS AND IT


BACHELOR IN INFORMATION TECHNOLOGY
NAME OF GROUP MEMBERS REG. NUMBER

What is Phishing?
Phishing refers to the practice of sending fraudulent communications that appear to come from a
legitimate and reputable source, usually through email and text messaging. The attacker’s goal
is to steal money, gain access to sensitive data and login credentials, or to install malware on the
victim’s device.

Types of Phishing Attacks

Spear Phishing: occurs when a phishing attempt is crafted to trick a specific
person rather than a group of people. The attackers either already know some information about
the target, or they aim to gather that information to advance their objectives. Once personal
details are obtained, such as a birthday, the phishing attempt is tailored to incorporate those
details in order to appear more legitimate. These attacks are typically more successful
because they are more believable.
Whaling: a sub-type of spear phishing that is typically even more targeted. The
difference is that whaling targets specific individuals such as business executives,
celebrities, and high-net-worth individuals. The account credentials of these high-value targets
typically provide a gateway to more information and potentially money.
Smishing: a type of phishing attack delivered via SMS message. This type of phishing
attack gets more visibility because of the notification the individual receives and because more
people are likely to read a text message than an email. With the rising popularity of SMS
messaging between consumers and businesses, smishing has become increasingly popular. There
was also an increase in this type of phishing during the 2020 presidential election.
Vishing: a type of attack carried out via phone call. The attackers call the victim,
usually with a pre-recorded message or a script. In a recent Twitter breach, a group of hackers
pretending to be “IT Staff” were able to convince Twitter employees to hand over credentials
entirely through phone conversations.

The 5 Most Expensive Phishing Scams of All Time

Phishing attacks are a popular attack vector for cybercriminals because they are simple and
effective. A well-crafted phishing email is much easier to develop than a zero-day exploit, yet
can have the same negative impact. These attacks are designed to prey upon human nature:
people want to be helpful, tend to obey authority, and are less careful when in a hurry
or under stress.
Phishers take advantage of these factors and more in their attacks, and phishing emails can come
in a number of forms. While some phishing attacks cast a wide net, others (like spear phishing
attacks) are very tailored to their target. In some cases, an attacker will impersonate an authority
figure or other trusted party to achieve their objective.
Phishing schemes are also not limited to email. Attackers can take advantage of corporate
collaboration platforms and communications applications on mobile devices to perform their
attacks.

The Five Most Costly Phishing Attacks to Date

The five attacks described here required little sophistication on the part of the attackers but
enabled them to steal tens of millions of dollars from an organization.

1. Facebook and Google

Between 2013 and 2015, Facebook and Google were tricked out of $100 million by an
extended phishing campaign. The phisher took advantage of the fact that both companies used
Quanta, a Taiwan-based company, as a vendor. Impersonating Quanta, the attacker sent a series
of fake invoices, which both Facebook and Google paid.
Eventually, the scam was discovered, and Facebook and Google took action through the US legal
system. The attacker was arrested and extradited from Lithuania, and, as a result of the legal
proceedings, Facebook and Google were able to recover $49.7 million of the $100 million stolen
from them.

2. Crelan Bank
Crelan Bank, in Belgium, was the victim of a business email compromise (BEC) scam that cost
the company approximately $75.8 million. This type of attack involves the phisher
compromising the account of a high-level executive within a company and instructing their
employees to transfer money to an account controlled by the attacker. The Crelan Bank phishing
attack was discovered during an internal audit, and the organization was able to absorb the loss
since it had sufficient internal reserves.

3. FACC
FACC, an Austrian manufacturer of aerospace parts, also lost a significant amount of money to a
BEC scam. In 2016, the organization announced the attack and revealed that a phisher posing as
the company’s CEO instructed an employee in the accounting department to send $61 million to
an attacker-controlled bank account.
This case was unusual in that the organization chose to fire and take legal action against its CEO
and CFO. The company sought $11 million in damages from the two executives due to their
failure to properly implement security controls and internal supervision that could have
prevented the attack. This lawsuit demonstrated the personal risk to an organization’s executives
of not performing “due diligence” with regard to cybersecurity.

4. Upsher-Smith Laboratories
In 2014, a BEC attack against a Minnesotan drug company resulted in the loss of over $39
million to the attackers. The phisher impersonated the CEO of Upsher-Smith Laboratories and
sent emails to the organization’s accounts payable coordinator with instructions to send certain
wire transfers and to follow the instructions of a “lawyer” working with the attackers.
The attack was discovered midway through, enabling the company to recall one of the nine wire
transfers sent. This decreased the cost to the company from $50 million to $39 million. The
company decided to sue its bank for making the transfers despite numerous missed “red flags”.

5. Ubiquiti Networks
In 2015, Ubiquiti Networks, a computer networking company based in the US, was the victim of
a BEC attack that cost the company $46.7 million (of which they expected to recover at least $15
million). The attacker impersonated the company’s CEO and lawyer and instructed the
company’s Chief Accounting Officer to make a series of transfers to close a secret acquisition.
Over the course of 17 days, the company made 14 wire transfers to accounts in Russia, Hungary,
China, and Poland.
The incident only came to Ubiquiti’s attention when it was notified by the FBI that the
company’s Hong Kong bank account may have been the victim of fraud. This enabled the
company to stop any future transfers and attempt to recover as much of the $46.7 million stolen
as possible (which represented roughly 10% of the company’s cash position).

The Importance of Robust Anti-Phishing Protection
The costly phishing attacks described here did not require a great deal of sophistication on the
part of the attacker. A little research into a company revealed the identity of key individuals (CEO,
CFO, etc.) and vendors. The attackers used this information to craft believable emails that
tricked their targets into sending money to attacker-controlled bank accounts.

While some phishing attacks are designed to deliver malware, making an endpoint security
solution essential, this is not always the case. None of the attacks outlined here contained
malicious content that would be caught by an antivirus.

To protect against these attacks, an organization needs an anti-phishing solution capable of
detecting BEC attacks via analysis of an email’s body text.
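The kind of body-text and header analysis described above, as an added illustration that is not part of the original document or of any vendor's product: a small heuristic BEC scorer in Python that parses an email, checks whether the display name matches a known executive while the sending address does not, whether Reply-To points outside the organization, and whether the text carries the payment, urgency/secrecy and "outside lawyer" pretext language seen in the FACC, Upsher-Smith and Ubiquiti cases. The executive directory, internal domain, keyword lists and both sample messages are assumptions constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical directory of executives likely to be impersonated, mapped to the
# internal addresses they legitimately send from (constructed for this example).
EXECUTIVES = {
    "jane doe": {"jane.doe@example.com"},
    "john smith": {"john.smith@example.com"},
}
INTERNAL_DOMAINS = {"example.com"}  # assumed internal mail domain

# Phrase lists typical of BEC pretexts (constructed; a real filter would be far richer).
PAYMENT_PATTERNS = [
    r"\bwire transfer\b", r"\bbank (account|details)\b", r"\binvoice\b",
    r"\bupdated? (account|banking) (details|information)\b",
]
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bas soon as possible\b", r"\basap\b",
    r"\bconfidential\b", r"\bdo not (discuss|mention|tell)\b",
]
THIRD_PARTY_PATTERNS = [r"\b(lawyer|attorney|auditor|legal counsel)\b"]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_bec(raw_message: bytes) -> dict:
    """Score one RFC 5322 message; returns the score, a verdict and human-readable reasons."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # Strip tags so HTML bodies are analysed as text, then include the subject line.
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()

    score, reasons = 0, []

    # 1. Display-name impersonation: name of a known executive, address not theirs.
    name_key = re.sub(r"\s+", " ", from_name).strip().lower()
    if name_key in EXECUTIVES and from_addr not in EXECUTIVES[name_key]:
        score += 50
        reasons.append(f"display name '{from_name}' matches an executive but "
                       f"sender {from_addr} is not their address")

    # 2. Replies steered to an external mailbox the attacker controls.
    if reply_to and reply_to != from_addr and _domain(reply_to) not in INTERNAL_DOMAINS:
        score += 25
        reasons.append(f"Reply-To {reply_to} points outside the organization")

    # 3. Body-text indicators: payment instructions, pressure, outside third party.
    for label, patterns, weight in (
        ("payment instruction", PAYMENT_PATTERNS, 15),
        ("urgency/secrecy pressure", URGENCY_PATTERNS, 10),
        ("outside third party", THIRD_PARTY_PATTERNS, 10),
    ):
        if any(re.search(p, text) for p in patterns):
            score += weight
            reasons.append(f"body contains {label} language")

    return {"score": score, "suspicious": score >= 50, "reasons": reasons}


# Constructed sample messages (not real mail).
SAMPLE_BEC = b"""From: Jane Doe <jane.doe@example-ceo-mail.com>
Reply-To: ceo.jane@webmail-example.net
To: accounts.payable@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Hi, I am in a confidential meeting and cannot talk. Please process the
attached invoice by wire transfer today. Our lawyer will send the bank
account details. Do not discuss this with anyone.
"""

SAMPLE_BENIGN = b"""From: Jane Doe <jane.doe@example.com>
To: team@example.com
Subject: Friday all-hands
Content-Type: text/plain; charset=utf-8

Reminder that the all-hands is at 3pm on Friday. See you there.
"""

if __name__ == "__main__":
    for name, raw in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_BENIGN)):
        result = score_bec(raw)
        print(name, result["score"], result["suspicious"])
        for reason in result["reasons"]:
            print("  -", reason)
```

The verdict threshold is set so that executive impersonation alone is enough to quarantine for review, while body-text indicators on their own only raise the score; tuning those weights against real traffic, and adding DMARC/SPF results and lookalike-domain checks, is where a production filter would go next.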

Ways to Prevent Phishing Attacks
Superior Prevention:
Block even the most sophisticated phishing attacks such as Business Email Compromise and
impersonation.
Protect All Your Weak Links:
Prevent phishing attacks across email, mobile and endpoint devices.
Leverage ThreatCloud AI:
Anti-phishing is powered by the world’s most powerful threat intelligence database.
