5 biggest phishing attacks

What happens when there’s a scam that preys on the last line of our cybersecurity defense – us? Unfortunately, the answer is billions of dollars worth of combined personal and corporate losses to phishing.

And no, I’m not exaggerating. Below, you’ll find ten famous phishing attacks that targeted both individuals and organizations. So let’s get to it.

In short: what is a phishing scam?

Phishing is a scam that relies on tricking you into giving your information away via digital means. It can come in many forms, from phishing emails pretending to be from your bank to fake websites that mimic the real thing. Spear phishing is a subtype that involves tailoring the attack specifically for the person targeted. In the end, you can end up losing your money, your private information, account access, and more. 

If you want to learn more about phishing, check out our dedicated article: What is phishing – recognize and avoid it.

The first ever phishing attacks

The term “phishing” was first coined in 1996 in an old hacking tool called AOHell. The software was created to simplify cracking across the America Online (AOL) platform. And that’s exactly where the first phishing scams began.

AOHell enthusiasts from a particular cyber-pirate group called “warez” started posing as AOL employees and sending users verification requests via email and instant messenger. These phishers created most of the basic phishing techniques used today, primarily aiming for people’s passwords and credit cards.

The only difference is that these phishing techniques were much more efficient back then. Phishing was an entirely new concept at the time, and most people were not ready to face it.

It’s been over 20 years since the first phishing cases, and phishing has, sadly, come a long way since then. These days, it’s one of the biggest and costliest cyberthreats to people and organizations.

The 5 most famous phishing attacks targeting organizations

In most cases, hackers target businesses because they yield more cash, and it’s easier to capitalize on disorganization. All you have to do is find a single window of opportunity, a weak link, and you’re in.

#1: Belgian Crelan bank CEO scam

Type of phishing scam: Business email compromise, Whaling

Affected parties: Crelan

Losses: $75.8 million

What happened: In 2016, the Belgian Crelan Bank fell victim to a $75.8 million business email compromise (BEC) scheme.

BEC happens when attackers pose as high-level executives to get what they want (imagine receiving an email from your boss asking you to sign a document).

In Crelan’s case, the attackers got a hold of the CEO’s stamp and signature and managed to get the $75.8 million transfer approved by the finance department.

The bank refused to disclose further details but said it took action to strengthen its internal security procedures. Such scams are rarer than other phishing schemes, but they’re some of the most costly as people rarely question authority.

#2: Sony’s infamous malware attack

Type of phishing scam: Spear phishing

Affected parties: Sony Pictures Entertainment

Losses: $83 million (estimated)

What happened: A group of hackers infiltrated Sony’s network in 2015 through an intricate campaign of spear phishing emails.

These messages were targeted at Sony’s system engineers, network admins, and other people with access to their network. The scam was ingeniously simple: the employees were asked to verify their Apple IDs due to “unauthorized activity.” The emails also contained links to fake duplicate websites (phishing sites) to extract their victim’s credentials.

This went on for a while, and, at some point, the attackers hit the jackpot by scoring access to Microsoft’s System Center Configuration Manager (SCCM). This tool allowed the hackers to install software on everyone’s devices. From there, they proceeded to flood Sony employees’ computers with malware.

In the end, these phishing campaigns cost Sony data and infrastructure that was estimated to take around $83 million to rebuild.

#3: Facebook and Google phishing scams

Type of phishing scam: Spear phishing

Affected parties: Google and Facebook

Losses: $120 million

What happened: A Lithuanian hacker, Evaldas Rimasauskas, fleeced Google and Facebook for more than $120 million.

The hacker created a scheme where he used spear phishing to lure money out of these companies. The acquired funds were then transferred through Cyprus and Latvia and later funneled into bank accounts around the world.

The perpetrator used an elaborate spear-phishing scam to carry out this scheme. He sent emails to Google and Facebook employees disguised as an Asian-based computer hardware company (Company-1). It worked like a charm.

As you may have already guessed from the fact that we know the perpetrator’s name – he was caught. Evaldas was sentenced to 60 months after his partially successful phishing scam.

#4: Ukrainian power grid blackout

Type of phishing scam: Spear phishing

Affected parties: The citizens of Ukraine

Impact: Around 225,000 citizens lost access to electricity

What happened: On December 23, 2015, around 225,000 Ukrainian citizens experienced a power outage at home due to an unscheduled mass blackout. The power outage was caused by spear-phishing emails that carried malware via Microsoft Office documents.

The outage lasted for around one hour, so, not that big of a deal, right? Well, the electricity had to be restored manually, and the automatic management mode had to be turned off for quite a while because the power grid’s firmware was riddled with BlackEnergy (grid-sabotaging) malware.

What made it worse was that the cybersecurity researchers later found that the blackout was just a test run. Upon investigation, the malware was found to be easily adaptable and not exclusive to Ukraine.

In other words, it’s possible to use the BlackEnergy malware on different electric utilities and components and automate such attacks across multiple countries. The researchers guess that hackers used Ukraine to simply “build and test a platform for future attacks.”

And while 225,000 people lost access to electricity for only an hour, this event shook the cybersecurity world to its core. The hack showed that cyberattacks can now impact people on a grand scale. And what was the delivery method? Good ol’ phishing.

#5: Colonial Pipeline shutdown

Type of phishing scam: Phishing

Affected parties: US citizens

Impact: State of emergency across multiple states, oil price inflation, panic.

What happened: The Colonial Pipeline, which transports about 45% of all fuel consumed on the East Coast, got hit and shut down by a ransomware attack. The ransomware was allegedly distributed via phishing.

On May 7, 2021, the Colonial Pipeline announced that its 5,500-mile (8,850 km) fuel pipeline had been shut down by hackers. The attackers identified themselves as DarkSide, a Russian hacker group that primarily targets large corporations.

The hackers bypassed the Colonial Pipeline’s defenses using phishing and installed ransomware on its systems. The group then asked for a $5 million ransom and threatened to delete the stolen files if the company refused to pay.

The entire East Coast was short on fuel supply for around six days. During this period, the average gas prices across the whole country increased to nearly $3 per gallon. The US had not seen such prices since 2014, and the shortage caused panic.

Virginia, North Carolina, Georgia, and Florida declared a state of emergency. People were panicking and forming mile-long lines at their local gas stations. In the end, the incident didn’t cost the company that much. The hacker group got their $5 million, and the fuel line was restored.

However, the Colonial Pipeline attack is considered one of the most impactful cyberattacks of all time. This phishing scheme disrupted the lives of millions of US citizens, and its economic impact due to price inflation is currently immeasurable.

The 5 most famous phishing attacks targeting people

Businesses, organizations, and even countries can suffer greatly from phishing. But that doesn’t mean that individual people are excluded from this threat. In fact, individual phishing campaigns happen quite often. Here are the 5 biggest phishing attacks that specifically targeted people.

#1: The Hillary Clinton campaign email leak 

Type of phishing scam: Spear phishing

Affected parties: US politician Hillary Clinton

Impact: May have contributed to her losing the election

What happened: The US presidential candidate Hillary Clinton’s 2016 campaign got hit by a successful phishing attack.

You can be forgiven for thinking that 2016 was 20 years ago. It sure feels that way with the news cycle running red hot to the point of meltdown. One of the incidents that added fuel to the news reactor was the Hillary Clinton email breach of 2016. 

Now, it doesn’t really matter to us what was in those emails. But the way they were obtained definitely falls under the scope of this article. The method was deceptively simple. Someone sent an email to the Clinton campaign chairman, John Podesta, urging him to change his compromised Gmail password. A staff security member confirmed that it was a good thing to do and provided Podesta with a Google link to do it.

Source: CBS/Wikileaks

Instead, Podesta or whoever was taking care of his Gmail account clicked the phishy-looking shortened link in the original email. Changing the password via the provided link actually gave the passwords to hackers pretending to be writing on Google’s behalf. The rest is history. 

Incidentally, the very same method was used to hack Colin Powell’s emails at the Democratic National Convention.

#2: Hacker targets rappers, athletes

Type of phishing scam: Spear phishing

Affected parties: Rappers, NBA and NHL athletes

Impact: Undisclosed amount of money (“thousands of dollars”)

What happened: In March 2019, Kwamaine Jerell Ford pleaded guilty in a celebrity hacking case. 

He had targeted rappers as well as NBA and NHL athletes with his phishing emails. In these emails, the hacker pretended to be a representative of Apple’s customer support service. He asked the victims to provide their username and password or answers to security questions. Ford framed these as necessary steps for account resets or other activities.

By obtaining access to their accounts, the hacker would change their email addresses and passwords. This made recovery impossible without contacting actual Apple support. Ford then spent his earnings on money transfers, buying furniture, and paying travel expenses. 

The government did not disclose who exactly got hacked. But Apple reported hundreds of fraudulent logins, and the hacker made away with thousands of dollars.

#3: The fappening 

Type of phishing scam: Spear phishing

Affected parties: Celebrities

Impact: Highly personal photos leaked

What happened: Back on August 31, 2014, around 500 intimate and private photos of celebrities (mostly women) started spreading online. 

The official name was the “iCloud leak of celebrity photos.” More informally, it’s called “the fappening” – a portmanteau of a masturbatory onomatopoeia and “happening.” Silly as it sounds, this incident still remains the biggest phishing attack of its kind. 

All the photos and videos had been stolen from Apple’s iCloud service. How did that happen? Apple claims that it was done by a spear-phishing campaign. The hackers used a fake “appleprivacysecurity” email account to ask the celebs for their security data. The login data was then used to download the erotic material. Security experts claim that access to iCloud would have also given the hackers the ability to access texts, address books, and more.

The intimate footage was passed around the dark circles of the web before surfacing in 2014. Two more batches of leaked photos and videos surfaced during the same year. Among the affected celebrities were Jennifer Lawrence, Kate Upton and her husband Justin Verlander, Mary Elizabeth Winstead, Jessica Brown Findlay, Kaley Cuoco, and Kirsten Dunst – all of whom confirmed that the footage was authentic. 

#4: Amazon Locky ransomware attack

Type of phishing scam: Spam phishing

Affected parties: Amazon customers

Impact: $250 to $500 per victim (victim count undisclosed)

What happened: In 2017, Amazon customers were targeted in a massive phishing attack. Depending on which experts you ask, the May 17 attack sent out from 30 million to 100 million fake emails. 

Masquerading as real Amazon shipping updates, they served as a way to install ransomware on the users’ computers. To this day, it remains one of the biggest phishing attacks by sheer scale. 

It was a noticeably sophisticated attack as well. The hackers manipulated the header to make the email appear genuine: it seemed to come from auto-shipping@amazon.com, while the subject read “Your Amazon.com order has dispatched (#code).” However, the email had no body at all, only a Microsoft Word file attached.

A curious person downloading the file would be asked to enable macros to open it. This would allow Locky ransomware to be downloaded and installed on the device. Once that was done, the user would have to pay somewhere between $250 and $500 to unlock their device. Amazon never revealed how many users were affected by this attack.
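The two email-borne attacks above (the Podesta “change your compromised Gmail password” message with its shortened link, and the Amazon Locky mailing with a manipulated sender header, no body and a Word attachment) leave tells that a mail gateway or a SOC analyst can check for mechanically. The script below is an added example written for this article, not code from the original post or from any vendor mentioned in it. It uses Python’s standard email library to parse a raw message and report: a sender domain in From that does not match the Return-Path, a failed SPF/DKIM/DMARC result in Authentication-Results, shortened links in the body, and an Office attachment arriving with an empty body. The shortener list, the sample messages, and all addresses, domains and header values in them are constructed for the example; the spf=fail result and the .invalid domains are assumptions standing in for whatever a real gateway would stamp on such a message.

```python
"""Triage a raw email for the phishing tells described on this page (example code, not the article's)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse
import re

# Constructed, deliberately short list of public URL shorteners; a real deployment
# would maintain its own. Shortened links hide the destination, as in the Podesta email.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Macro-capable / Office document types, the Locky delivery vehicle described above.
OFFICE_EXTENSIONS = (".doc", ".docm", ".docx", ".xls", ".xlsm", ".rtf")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def sender_domain(header_value) -> str:
    """Lowercase domain of the first address in a From/Return-Path style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> List[str]:
    """Return a list of findings for one raw RFC 5322 message (empty list = no tells)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings: List[str] = []

    # 1. Display sender (From) vs. envelope sender (Return-Path): spoofed headers diverge.
    from_dom = sender_domain(msg.get("From"))
    rp_dom = sender_domain(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"from_mismatch:{from_dom}!={rp_dom}")

    # 2. Gateway authentication verdicts, if the receiving MTA stamped any.
    auth = str(msg.get("Authentication-Results") or "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("auth_fail")

    # 3. Shortened links in the body text (destination hidden from the reader).
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened_link:{host}")

    # 4. An Office document attached to a message with no body at all.
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    if any(n.lower().endswith(OFFICE_EXTENSIONS) for n in names) and not text.strip():
        findings.append("office_attachment_no_body")
    return findings


def build_locky_style_sample() -> bytes:
    """Constructed message in the shape the article describes: spoofed From, no body, .doc attached."""
    m = EmailMessage()
    m["From"] = "auto-shipping@amazon.com"                      # display sender from the page
    m["Return-Path"] = "<bounce@mailer-example.invalid>"        # constructed envelope sender
    m["Authentication-Results"] = "mx.example; spf=fail smtp.mailfrom=mailer-example.invalid; dkim=none"
    m["Subject"] = "Your Amazon.com order has dispatched (#code)"
    m.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder, not a real document",
                     maintype="application", subtype="msword", filename="order_details.doc")
    return m.as_bytes()


def build_podesta_style_sample() -> bytes:
    """Constructed password-reset lure whose only link is a URL shortener."""
    m = EmailMessage()
    m["From"] = "no-reply@accounts-lookalike.invalid"           # constructed look-alike domain
    m["Return-Path"] = "<no-reply@accounts-lookalike.invalid>"
    m["Subject"] = "Someone has your password"
    m.set_content("Someone just used your password to sign in.\n"
                  "Change it now: https://bit.ly/constructed-example\n")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed ordinary message that should produce no findings."""
    m = EmailMessage()
    m["From"] = "billing@shop.example"
    m["Return-Path"] = "<bounce@shop.example>"
    m["Authentication-Results"] = "mx.example; spf=pass smtp.mailfrom=shop.example; dkim=pass"
    m["Subject"] = "Your receipt"
    m.set_content("Thanks for your order. View it at https://shop.example/orders/1\n")
    return m.as_bytes()


if __name__ == "__main__":
    for name, builder in (("locky-style", build_locky_style_sample),
                          ("podesta-style", build_podesta_style_sample),
                          ("clean", build_clean_sample)):
        print(name, triage(builder()))
```

Running the script prints the findings for each constructed sample; in practice you would feed it messages pulled from a mailbox or a gateway quarantine and route anything with a non-empty finding list to a reviewer. None of the checks is conclusive on its own (legitimate bulk mail often has a Return-Path on a different domain), which is why the script reports every tell it sees rather than a single verdict.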

#5: The activist phishing attack

Type of phishing scam: Angler phishing

Affected parties: Activists

Impact: Unknown

What happened: It’s not always about the money – or nudes. Back in 2016, Safeena Malik got in contact with a variety of activists and journalists working in the sphere of human rights. Her Facebook account looked real, but she herself wasn’t.

Source: Vice

Malik would use her appearance of being genuine to lure people into giving up their Google logins. Most often, she’d ask for help with her university papers, dropping a Google Drive link. This would lead to a fake but genuine-looking (down to the target’s profile picture) login page. After they logged in, they’d be directed to a real document – or a Google Hangouts page.

It is not known who carried out these attacks or what they did with the information obtained from the activists. However, the victims had all worked on human rights investigation projects focusing on Qatar. There were also log-ins into the stolen accounts that could be traced to IP (Internet Protocol) addresses from Ooredoo, an internet service provider from Doha, Qatar. This led Amnesty International to believe that the attack had a state sponsor. 

Phishing: how big was it in 2021?

In terms of phishing, 2021 was more than business as usual: it was exceptionally active. The current tensions and the continuing COVID-19 pandemic have put people and organizations on edge.

In July alone, over 260,000 phishing attacks were recorded (the highest number since 2004). We also see that halfway through 2021, the COVID spell is far from being dispersed. 

People are still being targeted by themed “pandemic relief scams” from last year, but new “vaccination forms and passports” scams are taking over. Essentially, people are getting emails from hackers pretending to be government institutions or travel agencies. They then ask them to apply for fake digital passports on spoofed websites or provide their payment information to receive incentives. 

The advice is the same as always – be extra careful with anyone asking for your personal or payment information (if you receive an email or a call like that from an institution or a company, call them yourself!).

Business-wise, phishing emails targeting credentials have been booming lately, with a whopping 64% of all phishing cases. So, where do these credentials go? Mostly ransomware attacks (91%).

Direct response scams like Business Email Compromise (BEC) make up the remaining 33% of attacks on corporations (plus 4% of spam emails with infected files). They don’t phish for credentials but usually ask for money to be transferred directly.

Overall, phishing is a pandemic on its own, and it’s unlikely to go anywhere anytime soon. Not as long as there is (and hopefully always will be) a human factor in our lives.

Targeting people and organizations

Whether it’s regular phishing or spear phishing targeting you specifically, hackers don’t discriminate. As these infamous phishing attacks show, there’s always something to lose. Therefore, you should educate yourself on the most common forms of phishing and take the appropriate security measures. So start your education about cybersecurity today – just check out our blog for more articles on how to be safe online!
