What is phishing or phishing attack?

Phishing is a form of a cybersecurity attack in which cybercriminals use fraudulent emails, messages, or websites to trick unsuspecting individuals into revealing sensitive information such as usernames, passwords, credit card numbers, or other personal data.

Phishing has become one of the most common forms of cyber security threat to private and public organizations, making them lose millions of dollars. According to the AAG report, Headline Phishing Statistics, the average cost of a data breach against an organization is more than $4 million.

According to Vade Q1 2013 Phishing and Malware Report, phishing attack volumes have increased by 102% quarter-over-quarter (QoQ), and 562.4 million phishing emails were detected. This accounted for the highest Q1 total since 2018.

Cybersecurity incident using a phishing attack

A cybersecurity incident using a phishing attack often begins with an email or message that appears to be from a trusted source, such as a bank, social media website, or online retailer. The email may ask the victim to click on a link, download a file, or enter their username and password on a fake website.

Once the victim falls for the phishing attack and provides their information, the attacker can use it to gain unauthorized access to the victim’s accounts or steal their identity. In some cases, the attacker may also use the victim’s information to launch further attacks against other individuals or organizations.

Biggest phishing attack incidents

There have been some notable cybersecurity breaches that involved phishing attacks.

Facebook & Cambridge Analytica, 2018 ($5.725 billion)

According to The New York Times, contractors and employees of Cambridge Analytica, a third-party app developer, acquired the private Facebook data of tens of millions of users – the larger known leak in Facebook history. The firm offered tools that could identify the personalities of American voters and influence their behavior. This unauthorized data collection occurred through deceptive tactics, including phishing techniques, compromising the data of millions of Facebook users.

According to Reuters, Facebook paid more than $5 billion in penalties to the U.S. authorities over Cambridge Analytica and agreed to pay $725 million to settle a lawsuit by the Facebook user in December 2023.

Equifax, 2017 ($425 million)

According to DFS, on July 29, 2017, Equifax discovered an unauthorized access. Information accessed by cybercriminals includes consumers’ names, birthdates, Social Security numbers, driver’s license numbers, credit card numbers, and “dispute documents” containing personal information. An SMS (Short Message Service) claiming to be from Equifax was sent to individuals requesting them to register via a fraudulent website that impersonates the company’s legitimate credit monitoring products. Once registered, the site presents fake credit monitoring reports and requests additional personal information such as credit card details, according to Equifax.

The personal information of approximately 147 million individuals was exposed. Equifax agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach according to FTC

Marriott International, 2022 ( $123 million)

Earlier in 2020, the hotel suffered a breach that exposed the personal information of 5.2 million guests. On Wednesday, July 6^th, 2022, Mariott International Inc, confirmed a second data breach, according to IT Security Guru. According to Databreaches, the attackers breaches Marriot Hotel a month ago and were able to exfiltrate a total of 20GB worth of data including some sensitive information such as credit card information and confidential business documents. The breach occurred because social engineering successfully tricked one associate at a single Marriott hotel into giving the cybercriminal(s) access to that associate’s computer. UK authorities fined Marriott $123 million last year, according to The Verge.

Twitter, 2020 ($100,000)

According to Twitter’s update on their security incident, on July 15, 2020, a phone spear phishing attack targeted a small number of employees. The attacker successfully manipulated the employees and used their credentials to access the organization’s internal systems, including getting through the implemented two-factor authentication. The internal tool is meant to provide an account owner with a summary of their Twitter account details and activity.

Based on BCC News Report, high-profile accounts were compromised and perpetrated a Bitcoin Scan, this includes Microsoft founder, Bill Gates and reality star Kim Noel Kardashian (formerly West). It is reported that the attackers netted the scammers more than $100,00 (£80,000)

Wannacry Ransomware,2017

On May 12, 2017, the Wannacry ransomware worm spread to more than 200,000 computers in over 150 countries according to Cloudflare. Although not exclusively a phishing attack, Wannacry ransomware spread by using a vulnerability exploit called “EternalBlue.” It looked for vulnerable systems on a corporate network and enter, then copied and executed the program. A single vulnerable system on a company’s network can put the entire organization at risk. Wannacry encrypts files on the hard drives of Windows devices so users cannot access them.

This global attack impacted hundreds of thousands of computers, encrypting data and demanding ransom payments. According to TechTarget “The attacker demanded a ransom payment of between $300 to #600 in bitcoin within three days to decrypt the files. However, even after paying, only a handful of victims received decryption keys”.

Google Docs, 2017

“In May 2017, a phishing attack now known as “the Google Docs worm” spread across the internet” according to WIRED. Based on The Verge report, the attack target Gmail users by an sending emailed invitation from someone they may know, requesting access to a shared Google Docs document. Clicking the link led users to a malicious page, giving attackers access to email and contacts. The key difference in the email phishing attack was that it does not redirect the victims to a bogus Google page and collect their passwords.

Sony Pictures Entertainment, 2014

According to VOX, in late November 2014, Sony Pictures Entertainment was hacked by a group calling itself the Guardians of Peace (GOP). The attack led to a series of leaked sensitive data of the company’s employees, including Social Security numbers, financial records, salary information, as well as embarrassing emails among top executives according to PBS and Trendmicro. The hackers sent spear-phishing emails to Sony employees, executives and several U.S. defense contractors.

In conclusion, as these cybersecurity incidents demonstrate the effectiveness and impact of phishing attacks across various industries and organizations. It is essential to remain vigilant and employ security measures to mitigate the risk of falling victim to such attacks.