When it comes to lists that cover the biggest phishing attacks in the world, it’s always about corporate CEOs being swindled out of large sums of the company’s money. But you’re not a CEO and not even his accountant. Are there any famous phishing attacks that targeted individuals? Yes, yes, there are. Here are the 5 biggest phishing attacks that targeted humans rather than companies!
In short: what is a phishing scam?
Phishing is a scam that relies on tricking you via electronic impersonation. It can come in many forms, from emails pretending to be from your bank to fake websites that mimic the real thing. Spear-phishing is a subtype that involves tailoring the attack specifically for the person targeted. In the end, you can end up losing your money, your private information, account access, and more.
The 5 most famous phishing attacks
The Hillary Clinton campaign email leak
You can be forgiven for thinking that 2016 was 20 years ago. It feels that way due to the news cycle running red hot to the point of meltdown. One of the incidents that added fuel to the reactor was the Hillary Clinton email breach of 2016.
Now, it doesn’t really matter to us what was in those emails, but the way they were obtained definitely falls within the scope of this article. The method was deceptively simple. Someone sent an email to Clinton campaign chairman John Podesta urging him to change his compromised Gmail password. A campaign security staff member confirmed that changing it was a good idea and provided Podesta with a Google link to do so.
Instead, Podesta (or whoever was handling his Gmail account) clicked the shortened link in the original email. Changing the password via that link handed the credentials to hackers posing as Google. The rest is history.
Incidentally, the very same method was used to hack Colin Powell’s emails and the Democratic National Convention.
Hacker targets rappers, athletes
In March 2019, Kwamaine Jerell Ford pleaded guilty in a celebrity hacking case. He had targeted rappers as well as NBA and NHL athletes with his phishing emails. In these letters, the hacker pretended to be a representative of Apple’s customer support service. He asked the victims to provide their username and password or answers to security questions. Ford framed these as necessary steps for account resets or other activities.
Once he had access, the hacker would change the accounts’ email addresses and passwords, which made recovery impossible without contacting actual Apple support. Ford then spent the celebrities’ money on money transfers, furniture, and travel expenses.
The government did not disclose exactly who was hacked, but Apple reported hundreds of fraudulent logins, and the hacker made off with thousands of dollars.
The iCloud celebrity photo leak
Back on August 31, 2014, around 500 intimate and private photos of celebrities (mostly women) started spreading online. It is officially called the “iCloud leak of celebrity photos.” More informally, it’s called “the fappening” – a portmanteau of a masturbatory onomatopoeia and “happening.” It still remains the biggest phishing attack of its kind.
All the photos and videos had been stolen from Apple’s iCloud service. How did that happen? Apple says it was done by a spear-phishing campaign: hackers used a fake “appleprivacysecurity” email account to ask the celebrities for their security details, then used the login data to download the erotic material. Security experts note that access to iCloud would also have given the hackers the ability to read texts, address books, and more.
The material circulated in the darker corners of the web before surfacing publicly in 2014, and two more batches of leaked photos and videos surfaced the same year. Among the affected celebrities were Jennifer Lawrence, Kate Upton and her husband Justin Verlander, Mary Elizabeth Winstead, Jessica Brown Findlay, Kaley Cuoco, and Kirsten Dunst – all of whom confirmed that the footage was authentic.
Amazon Locky ransomware attack
In 2017, Amazon customers were targeted in a massive phishing attack. Depending on which experts you ask, the May 17 attack sent out from 30 million to 100 million fake emails. Masquerading as real Amazon shipping updates, they served as a way to install ransomware on the users’ computers. To this day, it remains one of the biggest phishing attacks by sheer scale.
It was a noticeably sophisticated attack as well. The hackers spoofed the email header to make the message appear genuine: it came from [email protected], and the subject read “Your Amazon.com order has dispatched (#code).” However, the email had no body at all, only an attached Microsoft Word file.
Anyone curious enough to download the file would be asked to enable macros to open it, which allowed Locky ransomware to be downloaded and installed on the device. Once that was done, the user would have to pay somewhere between $250 and $500 to unlock their device. Amazon never revealed how many users were affected this way.
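The three traits described above (a spoofed sender, an empty body and a lone Word attachment behind a shipping-update subject) are exactly what a mail filter can score on. The following is an added example, not code from the original article or from any vendor; the addresses, subject and attachment bytes are constructed placeholders, and the Return-Path comparison assumes the receiving mail server has stamped that header.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OFFICE_TYPES = {"application/msword",
                "application/vnd.ms-word.document.macroenabled.12"}
OFFICE_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm")


def build_sample() -> bytes:
    """Constructed sample modelled on the campaign: shipping-update subject,
    empty body, single Word attachment. All addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "Amazon.com <auto-shipping@example.com>"   # placeholder sender
    msg["Return-Path"] = "<bounce@mail-relay.invalid>"      # placeholder envelope
    msg["Subject"] = "Your Amazon.com order has dispatched (#123-4567890)"
    msg.set_content("")                                     # no body at all
    # Four OLE2 magic bytes plus padding stand in for a real .doc file.
    msg.add_attachment(b"\xd0\xcf\x11\xe0" + b"\x00" * 12,
                       maintype="application", subtype="msword",
                       filename="Order-123-4567890.doc")
    return msg.as_bytes()


def _domain(header_value) -> str:
    """Domain part of the first address in a header, lower-cased."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def phishing_indicators(raw: bytes) -> list:
    """Return the lure traits from the article that this message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    from_dom, ret_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if from_dom and ret_dom and from_dom != ret_dom:
        hits.append(f"from/return-path mismatch: {from_dom} vs {ret_dom}")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() in OFFICE_TYPES or name.endswith(OFFICE_EXTENSIONS):
            hits.append(f"office attachment: {name or part.get_content_type()}")
    subject = str(msg["Subject"] or "").lower()
    if "order" in subject and "dispatch" in subject:
        hits.append("shipping-update lure subject")
    return hits
```

A message that trips all four indicators deserves quarantine rather than delivery; a real filter would additionally strip or sandbox any macro-enabled Office attachment.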
The activist phishing attack
It’s not always about the money – or nudes. Back in 2016, Safeena Malik got in contact with a variety of activists and journalists working in the human rights sphere. Her Facebook account looked real, but she herself wasn’t.
Malik used this appearance of being genuine to lure people into giving up their Google logins. Most often, she’d ask for help with her university papers and drop a Google Drive link. This led to a fake but genuine-looking login page (down to the target’s profile picture). After logging in, the victim would be redirected to a real document – or a Google Hangouts page.
It is not known who carried out these attacks or what they did with the information obtained from the activists. However, the victims had all worked on human rights investigation projects focusing on Qatar. Logins to the stolen accounts could also be traced to IP (Internet Protocol) addresses belonging to Ooredoo, an internet service provider from Doha, Qatar. This led Amnesty International to believe that the attack had a state sponsor.
Phishing: was it big in 2020?
Phishing didn’t diminish in 2020. The US Secret Service was warning of COVID-related scams as early as March 2020. If anything, phishing grew in both maliciousness and scope, with a 13% increase in phishing and scam site growth from Q1 to Q2 of 2020. That’s according to the Q2/Q3 State of Phishing and Online Fraud report by Bolster:
- On average, 18,000 scam sites were created every day.
- When it comes to domains, phishing scams started using .info more often than .net.
- COVID-19 related scams rose by 22%.
- 45% of phishing attacks used free Gmail accounts.
- Phishing targeting remote workers was rising as well.
There was a wide variety of pandemic-related scams, centered around:
- Emergency supplies
- Online hangouts
- Covid relief-checks
- Covid vaccination registration
- Job opportunities
- Impersonating Amazon and other services.
In fact, experts say that vaccine-related spear-phishing attacks rose by 26% between October 2020 and January 2021. And it’s not just emails – it’s also websites. Starting out from scams that offered medical supplies and outright cures in 2020, scammers have moved to vaccination in 2021.
Phishing: targeting more than corporations
Whether it’s regular phishing or spear-phishing aimed at you specifically, attackers may come after you even if you don’t have spectacular riches to swindle. As these most famous phishing attacks show, there’s more to lose than money. Therefore, you should educate yourself on the most common forms of phishing and take the appropriate security measures. How about getting a nice VPN to keep your IP address secret and block known phishing websites?