Real-world phishing email attacks and what you can learn from them

Phishing scams never go out of style. In fact, along with other social engineering schemes, they remain the top concerns for security professionals and they’re also regarded among the most dangerous threats to businesses, whether you’re a large corporation or a small- to medium-sized business (SMB).

In the first half of 2019, a phishing campaign called Heatstroke showed how phishing techniques have evolved over time — from mimicking legitimate websites to using multiple, more complex methods such as business email compromise (BEC), which involves impersonating CEOs and other C-suite executives, government organizations, and others.

Why is phishing so effective?

Phishing doesn’t require much technical skill. Its low cost and high return on investment have made it a very lucrative way to trick users. Yet despite greater efforts to raise awareness about phishing, millions of users and businesses still fall for it every day.

Here are some phishing attack examples and what we can learn from them:

Facebook and Google

Between 2013 and 2015, both tech giants were scammed out of more than $100 million through an elaborate fake invoice scam. Based on reports, a Lithuanian hacker sent each company a series of fake invoices while impersonating a large Asian-based manufacturer that they used as a vendor. It took several years before the two companies disclosed the attack. Both businesses said that they promptly alerted authorities and had recovered the bulk of the funds shortly after the incident.

Mattel
Mattel, the popular toy maker behind Barbie and Hot Wheels, was a victim of a phishing scam in 2016. The manufacturer was almost scammed out of $3 million via a BEC scheme. Luckily, because the scam was performed the day before a bank holiday, Mattel was able to get authorities involved. Ultimately, the company was able to recover the stolen funds within days of the transfer.

Ubiquiti Networks

The US-based computer networking company found itself the victim of a BEC scam when its finance employees were duped into making wire transfers at the request of a bogus email claiming to come from a top executive. Ubiquiti lost an estimated $46 million.

Ukrainian power grid

This 2015 incident was a history-making event because of its complexity in planning and execution. For one, the malware used for the attack was designed specifically to render physical machinery inoperable. Second, the attackers used phishing emails to deliver a malicious Word document to employees. When one employee clicked on the attachment, a popup prompted them to enable macros for the document. When they complied, a program called BlackEnergy3 infected their machines and opened backdoors to hackers, giving them network access.

These real-world phishing attacks show that cybercriminals never run out of sophisticated fraud tactics for users to fall prey to. A single mistake, such as clicking on a suspicious attachment, can wreak havoc and cause massive damage. Organizations must therefore learn from past phishing schemes and take the lessons to heart as they enter a new decade of security risks.

The following best practices can reduce the risk of phishing attacks:

  • Be cautious of individuals or organizations that ask for personal information. Legitimate companies do not normally ask their customers for sensitive information through email. If in doubt, verify with the company itself by phone.
  • Always check the legitimacy of an email. Most company URLs and emails use a single domain. If they’re different, consider that a red flag.
  • Do not click links or download files even if they come from seemingly legitimate sources.
  • Look out for grammatical errors and mistakes in the subject title and body of the email. Professional companies don't tend to make such careless mistakes.
  • Beware of emails that try to create a sense of urgency, such as those that claim your bank account will freeze in a few days. If you are uncertain of the status of your accounts, call and check with the company directly, not over email.
  • Enable maximum email security. An ounce of prevention is worth a pound of cure. With proper security software in place, malicious programs won’t be able to infiltrate your systems.
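The "single domain" check from the list above can be automated for a mail gateway or a help-desk triage script. The following is an added example, not code from the original post or from Capstone IT: the message, addresses and domains are constructed, and the registrable-domain logic is a deliberate simplification.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not from the original post): a BEC-style lure
# whose visible sender, Reply-To address and link domain do not agree.
SAMPLE_EML = """\
From: "Accounts Payable" <ap@example-vendor.com>
Reply-To: ap@example-vendor-billing.net
To: finance@example.org
Subject: URGENT: invoice overdue, account will be frozen in 2 days

Please review the invoice and confirm payment today:
http://example-vendor.com.invoice-review.net/pay
Regards, Accounts Payable
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def registrable_domain(host: str) -> str:
    # Approximation: last two labels. Production code should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def address_domain(header_value: str) -> str:
    # Registrable domain of the address in a From/Reply-To header.
    _, addr = parseaddr(header_value)
    return registrable_domain(addr.rpartition("@")[2])

def check_message(raw: str) -> list[str]:
    # Apply the "one company, one domain" heuristic and return the red flags found.
    msg = email.message_from_string(raw, policy=policy.default)
    sender = address_domain(str(msg["From"]))
    flags = []
    if msg["Reply-To"]:
        reply = address_domain(str(msg["Reply-To"]))
        if reply != sender:
            flags.append(f"Reply-To domain {reply} differs from sender domain {sender}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender:
            flags.append(f"link {url} points outside sender domain {sender}")
    return flags

if __name__ == "__main__":
    for flag in check_message(SAMPLE_EML):
        print("RED FLAG:", flag)
```

Note that the look-alike host `example-vendor.com.invoice-review.net` is caught only because the comparison uses the registrable domain rather than a prefix match on the visible name.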

As the saying goes, if something seems suspicious, it probably is. This is why you should train your employees to err on the side of caution when it comes to sending out and receiving emails.

Don’t be the next phishing victim. Capstone IT provides robust cybersecurity that’s comprehensive and cost effective for your business. Email us at [email protected] to schedule a complimentary network consultation.
