We finally know which two big tech companies were conned millions by an email phishing scam, as reported last month, and you might recognize them.
The culprit — a Lithuanian man being charged with fraud, aggravated identity theft, and money laundering by the Department of Justice — swindled Google and Facebook out of $100 million collectively by pretending to be a popular Taiwanese electronics manufacturer.
The man allegedly forged emails from employees, invoices and contracts and asked the tech giants to send payments to his bank accounts in Latvia and Cyprus, instead of the real company’s actual bank accounts — and it was enough to convince employees at Google and Facebook.
“Humans are the most vulnerable point of any information system; even the world’s biggest tech companies aren’t immune to this,” said Neil Wynne, CISSP and Gartner analyst. “The vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. Many large and high-profile breaches have started with successful phishing attacks.”
A recent report from threat management provider PhishMe found that 91% of cyberattacks start with a phish. The top reasons that people fell for the emails: curiosity, fear and urgency. These are the things that attackers pray on — and upping technology-based defenses can’t address those kinds of vulnerabilities, said Wynne.
“There tends to be an over reliance on a technology-based approach,” he said. “Instead, CIOs should take a multipronged approach that spans technical, procedural and educational controls to effectively mitigate these attacks. The education aspect is a critical component because it increases employee resilience to social engineering.”
“I think the big takeaway from this incident is, first and foremost, that a cybersecurity awareness program is critical to all companies regardless of size — big or small,” said Austin. “Many of these fraudsters will try to get employees to break standard process and procedure by saying ‘this is very confidential’ or ‘this is related to some new merger or acquisition’ or something like that.”
Austin said the size of the scam suggests that the Lithuanian scammer got employees at Google and Facebook to break process and procedure by convincing them to do it through believable documentation and credentials and/or by finding someone who wasn’t trained on what the process and procedure was.
In other words, the major takeaway for CIOs to avoid similar phishing scams: educate, educate, educate employees on their role in data protection.