Cyber attackers net almost $100 million with email phishing attempts10.19.18
The U.S. Securities and Exchange Commission (SEC) has completed an investigation involving nine unnamed companies with deficient internal controls that became victims of phishing cyberattacks, which happens when employees receive compromised electronic communications.
As a result of the phishing attack, employees of the nine companies wired large sums of money or paid fake invoices that collectively totaled nearly $100 million – each of the companies lost at least $1 million and two of them lost more than $30 million each.
The SEC’s report, called a 21(a) report, focused on two common cyberattacks: one where the attacker poses as a senior executive of the company (most often, the CEO), and the other where the attacker poses as a vendor of the company that is owed money. In certain instances, cyberattackers enter the executive or vendor’s actual (email and bank) accounts to send the spoofed communications.
In the aggregate, losses for the nine companies totaled nearly $100 million, almost all of which has not been recovered. Some of the fraud wasn’t discovered until a vendor complained they hadn’t been paid.
In order to avoid similar losses, companies should be sure to put controls, policies and training in place to ensure that employees do not fall for cyberattacks.
A campaign to instruct employees how to reach to phishing attempts emails can go a long way towards preventing successful attacks.