7 Examples of Spear Phishing Attacks
The year 2022 isn’t over yet, but over 255 million phishing attacks have already been reported. Scary to know, right?
With more than ten phishing attack variations and even more sophisticated techniques, understanding and preventing such cybercrimes has become crucial. This blog focuses on spear phishing examples and types.
Spear phishing is a campaign targeted toward a particular individual, group, or organization. The typical intentions include stealing data for malicious activities, spreading malware, and hurting an organization.
Do you know most spear phishers work when their victims also work to get a quick response? However, they may also send emails or messages on weekends when you’re more likely to be engaged with friends and family. They design them so that you proceed with the request without reading the red flags or overthinking.
So, read the below-shared real-life spear phishing examples to identify red flags.
Spear Phishing Types
Targeted spear phishing attacks are soaring in volume, complexity, and the impact they leave on businesses. Threat actors design phishing emails in a way that they pass security checks and look like they originate from a legitimate sender.
These email exploits are categorized into three major categories. We’ve also included some real-life spear phishing examples.
Business Email Compromise
According to the FBI, the total losses incurred due to BEC attacks in 2020 was a whopping $1.8 billion!
In business email compromise or BEC, cyberactors target a business to defraud and cause billions of dollars in potential losses. Irrespective of size and capacity, this is a prevalent issue amongst many industries and organizations.
In a BEC attack, a hacker impersonates someone you know (usually a colleague, boss, vendor, or colleague) and sends requests to wire money, divert payrolls, change banking details for future payments, etc. These attacks are challenging to detect as they don’t use malware or malicious links.
Spear Phishing Real Life Example #1: BEC Attack on Google and Facebook Worth $122 million
Between 2013 and 2015, Evaldas Rimasauskas impersonated a Taiwanese hardware supplier, Quanta computer, whose services were used by two tech giants, Google and Facebook. He sent out fake invoices worth $122 million ($99 million and $23 million to Google and Facebook, respectively) to these companies for almost three years until he was arrested and prisoned for 30 years.
In whaling, malicious actors attack senior employees like CEOs or CFOs to obtain sensitive details crucial to their company. They can also manipulate lower-level employees to authorize high-value wire transfers.
Like business email compromise, it’s challenging to detect whaling attacks as they seem legitimate and don’t require victims to click on malicious links. The best way to avoid them is to have management personnel undergo information security awareness training. Financial or informational requests should also be confirmed directly.
Spear Phishing Real Life Example #2: CEO of FACC Fired For His Part in a Whaling Attack
FACC, an Austrian aerospace manufacturer, lost €50 million in a whaling attack and later fired its CEO, Walter Stephan, and other employees over the incident. The scammers impersonated an executive or finance official to manipulate the victim into wiring a hefty sum from the company’s accounts to theirs.
CEO fraud is a scam where phishers spoof a company’s email accounts and mimic executives (typically in accounting or HR) to trick the company;s CEO. They manipulate them into making unauthorized wire transfers or sharing sensitive details related to banking, tax, etc.
Threat actors try social techniques like display name spoofing, which usesthats different email addresses but the same display name. This trick often works because mail providers don’t display the sender’s email address by default on mobile devices.
Another tactic involves email spoofing, where hackers use both the CEO’s name and the correct email address. The hackers use a different reply-to address, so the response email goes to them.
Spear Phishing Real Life Example #3: CEO Fraud with French Cinema, Pathé Costs €19.2 Million
Another infamous example of a spear phishing email is when France’s leading cinema group, Pathé, lost €19.2 million when several emails were sent from the personal account of CEO Marc Lacan. The emails requested to transfer the sum in four ranches to Towering Stars General Trading LLC in Dubai. The incident was followed by Lacan stepping down from the position.
4 More Spear Phishing Examples
You may think detecting and preventing spear phishing attacks is easy, but that isn’t the case. Scammers are becoming more sophisticated and organized in planning and executing cyberattacks. We’ve shared five spear phishing examples to help you understand their tactics.
#1: Spoofed Emails Caused a Loss of $46.7 Million to Ubiquiti Networks Inc.
Ubiquiti Networks Inc, an American network technology company, became a victim of spear phishing when its employees were tricked by hackers. The bad actors impersonated an outside entity and some high-level employees. Targeting the finance team, they requested wire transfers totalling $46.7 million.
The company’s audit committee and external advisers found significant weaknesses in Ubiquiti’s internal controls regarding financial reporting. The CFO also resigned.
This wrecking incident proves how easy it has become for threat actors to imitate an individual. They use information readily available on the internet to create realistic spoofed emails.
#2: Attackers Sent Well-Crafted Emails to EMC Corp’s Junior Level Employees to Initiate a Zero-Day Exploit
Another hair-raising spear phishing example involved the RSA security group of EMC Corp, the cloud computing and big data giant. In 2011, RSA was targeted when hackers used a Flash file secretly embedded in an Excel file attached to an email. The attachment was named ‘2011 Recruitment Plan’ and sent to a small group of junior-level employees.
The hackers used a then-unknown Adobe zero-day exploit to install a remote administration tool (RAT) on victims’ computers. This incident shows beyond a doubt that cybersecurity training and employee awareness is vital.
#3: Fake Invoices of $8.7 Million Ends Up Closing Down Sydney Hedge Fund
In November 2020, the co-founder of Australian hedge fund Levitas Capital received an email with a fake Zoom meeting link. The link planted malware allowing hackers to send impersonated emails and fake invoices totalling $8.7 million. While the d fraudsters could only get away with $800,000, the hedge fund closed down after the attack.
#4: Government of Puerto Rico Fell Victim to Spear Phishing Attack Stealing Over $4 Million
In 2019, scammers hacked an employee’s computer in the finance department and sent emails to multiple government agencies alleging a change in bank accounts. Two agencies proceeded with the request, out of which one lost $63,000 in December and more than $2.6 million in January, and the other sent $1.5 million in January.
This spear phishing email example proves that private companies and government entities should also train their employees to identify red flags and proceed only after confirming such requests in person.
Spear phishing is a common data breach method that poses a real threat as it can bypass security filters. Training yourself and your employees about cyber hygiene is the best preventive measure.
From the spear phishing examples above, it’s crucial to take measures to block, filter, and flag suspicious emails. Also, be mindful of strange and dubious email requests from coworkers, supervisors, banks, merchants, etc. Use our free phishing URL checker that provides you with real-time results to help you detect if the URL in an email is legitimate or a phishing link.