Cybercriminals and online scammers are becoming increasingly sophisticated, helped by technologies like generative AI. That means the threat from phishing is more serious than ever. An attack can be disastrous for your organization, causing massive disruption, distress, and financial and reputational damage.
In this article, we look at some notorious phishing attacks, and how better awareness and simple best practices could have prevented them.
The Sony Pictures hack
In 2014, the Hollywood film studio Sony Pictures was hacked by an organized group of cybercriminals calling themselves the Guardians of Peace. They stole a vast quantity of data, including unreleased movies, sensitive emails, and 47,000 social security numbers. They also wiped the company’s servers, deployed malware, and paralyzed IT systems for several days.
Investigators concluded that the attack was probably instigated by North Korea. The goal was to sabotage the release of The Interview, a comedy movie about an attempt to assassinate the North Korean leader, Kim Jong-un.
How the attack happened
The attackers sent phishing emails that tricked Sony employees into handing over their Apple passwords.
The hackers then used the stolen passwords to access the employees’ work accounts. Finally, they obtained the credentials of a senior IT officer and infiltrated the company’s entire corporate network.
How it could have been prevented
The attack was possible because Sony employees used the same passwords for their Apple and work accounts. When their Apple passwords fell into the wrong hands, Sony’s systems were left vulnerable.
The attackers could have been thwarted by some basic best practices:
- Always be alert to the risk of phishing and never hand over confidential information unless you’re sure it’s safe.
- Use a unique password for each account.
- Never reuse passwords across systems, share them between users, or recycle old passwords you’ve used before.
The Target data breach
In 2013, the U.S. retail chain Target suffered a data breach that compromised the credit and debit card details of 40 million customers. It was an expensive incident. Target agreed to an $18.5 million multi-state settlement and said the breach cost them more than $200 million.
How the attack happened
An employee at one of Target’s third-party vendors fell for a phishing email and gave the attackers their access credentials. This allowed the attackers to infect Target’s point-of-sale systems with malware that harvested customer data for about two weeks.
How it could have been prevented
The Target attack demonstrates how your organization’s safety can depend on other organizations you work with. It’s vital to ensure that they take cyber security seriously. For example:
- Add cyber security standards to your selection criteria for partners, resellers, and suppliers.
- Update your tendering documents or legal agreements to include clauses covering security measures and best practices.
- Remember that you and your business partners form a chain that’s only as strong as its weakest link.
The Twitter crypto scam
In 2020, hackers hijacked 130 high-profile Twitter accounts. They used more than 40 of them to promote a cryptocurrency scam.
Posing as Apple, Uber, Bill Gates, Elon Musk, and others, the hackers sent tweets appealing for Bitcoin donations to a fake COVID-19 relief fund. They promised that all donors would be repaid double the value of their donation.
How the attack happened
First, the hackers used LinkedIn to identify Twitter employees who had administration rights to access client accounts.
Then, taking advantage of remote working during the pandemic, they contacted these employees. Pretending to be Twitter colleagues, they tricked them into signing into a fake VPN portal and harvested their credentials.
From there, they signed into Twitter’s internal systems, took over the accounts, and posted the fake tweets.
How it could have been prevented
This attack was carefully planned and executed. Once again, it underlines how vital it is that employees:
- Learn to spot potential phishing attacks and know the tell-tale signs, for example a sudden request for sensitive data in a stressful or threatening scenario.
- Never hand over sensitive information until they’ve made sure the request is genuine.
- Be extra vigilant when working remotely.
The attackers’ use of LinkedIn to select their victims also shows the importance of managing your digital footprint. Personal information you publish on social media might be used in unexpected ways. Always think before you post.
People are your first line of defense against phishing
Phishing is more than an IT problem — it’s a business problem. Even a single compromised account can result in massive disruption and damage to your business.
And yet, no matter how organized and sophisticated the attackers may be, phishing attacks can only succeed if someone falls for the initial scam. That’s why safeguarding your organization requires both technology and awareness.
It’s vital to provide security awareness training organization-wide. Everyone must learn to recognize potential phishing messages and avoid giving cybercriminals a way in.
Credential monitoring: Information is the power to defend yourself
Credential monitoring solutions such as Cybercheck can help. We constantly monitor forums where cybercriminals buy and sell stolen personal information. If cybercriminals are trading data about you or your organization, we alert you right away.
That means you know immediately when you’re at risk and what data has fallen into the wrong hands. With an early warning, you can be extra vigilant about phishing attacks. You can also change passwords, block system access, and shut out the cybercriminals before they strike.
Credential monitoring can also help raise security awareness in your organization. Discovering that cybercriminals have obtained credentials belonging to you or your colleagues can bring the risks into sharp focus and quickly dispel any complacency.
It’s a stark reminder that a proactive cyber security strategy is now a must-have for organizations of all sizes.