Two scary examples of real-world phishing attack

In recent years, phishing attacks have become increasingly prevalent, exploiting human psychology and technological vulnerabilities to steal sensitive information or deploy malicious software. One notable real-world phishing attack targeted a major financial institution, demonstrating the sophistication and impact such attacks can have.

The Attack:

In this instance, employees of the financial institution received emails purportedly from the IT department. The emails appeared authentic, utilising the company’s logo, email format, and language consistent with internal communications. The message warned employees of a security breach and instructed them to click on a link to change their passwords immediately to secure their accounts.

The link directed employees to a convincing replica of the company’s login page, which was actually a cleverly disguised phishing website. Upon entering their login credentials, unaware employees unwittingly handed over their usernames and passwords directly to the attackers.

The Consequences:

Once the attackers gained access to employee accounts, they were able to infiltrate the company’s network and access sensitive financial data, customer information, and proprietary systems. This breach not only compromised the security and privacy of the financial institution’s clients but also posed significant reputational and financial risks to the company itself.

Furthermore, the attackers used the compromised accounts to launch secondary phishing attacks, targeting customers and partners of the financial institution. These secondary attacks spread rapidly, amplifying the initial breach’s impact and causing widespread concern among stakeholders.

The Response:

Upon discovering the breach, the financial institution initiated an emergency response plan, involving IT security teams, forensic experts, and legal counsel. They immediately shut down compromised accounts, revoked unauthorised access, and strengthened security measures to prevent further intrusions.

Additionally, the company launched an internal investigation to determine the scope of the breach, identify the perpetrators, and assess the extent of the damage. Law enforcement agencies were also notified to aid in the investigation and apprehension of the attackers.

To mitigate the fallout from the breach, the financial institution implemented comprehensive cybersecurity awareness training for employees, emphasising the importance of vigilance against phishing attacks and best practices for identifying suspicious emails and websites.

Lessons Learned:

This phishing attack serves as a stark reminder of the ever-present threat posed by cyber criminals and the critical importance of robust cyber security measures. It underscores the need for constant vigilance, employee education, and proactive defences to safeguard against evolving threats in the digital landscape.

Ultimately, by learning from such incidents and implementing effective security protocols, organisations can better protect themselves, their customers, and their sensitive data from the potentially devastating consequences of phishing attacks.

You’ve probably read plenty of security scare stories like this.

But the following two examples happened to clients of ours and they bring home the real dangers of phishing attacks for companies that want to keep their confidential information safe.

Real-world Phishing Attack: One phish, two phish

One of our customers recently suffered a breach when an attacker obtained their user login credentials following a phishing attack. The victim received a link from someone who appeared to be someone they trusted.

They clicked the link and entered their login details on a carefully crafted webpage. This webpage harvested the login details and the attacker was able to log in as the user, sending malware links and proliferating the phishing attack to all the victim’s contacts.

Additionally, they were able to access everything in the victim’s mailbox, even setting up a forwarding rule so that any new email went to the attackers’ Gmail account so they could continue to see new email – even after the victim changed their password.

Several of their contacts clicked the link and were attacked in their turn. This is obviously bad for the original victim’s reputation and it led to some difficult phone conversations with their customers.

They also had to consider carefully whether details of the breach needed to be passed to the Information Commissioner’s Office.

What type of sensitive information sits in your mailbox? What could someone do with all your email and contacts? What would you have to do if all that information fell into the wrong hands?

Real-world Phishing Attack: Red phish, blue phish

Another customer recently received a similar phishing email. They also fell for it and gave away their password details.

Thankfully they didn’t suffer the same fate as the first customer. The reason they were protected? Multi Factor Authentication (MFA). This customer had taken our suggestion to enable MFA for logins, meaning the attacker was unable to access the intended victim’s account – even thought they had the password. The system notified the victim about the attempted login and simply blocked it.

(Note from our update of this blog in 2024: Things have moved on from this MFA example and it’s not so black and white anymore. MFA doesn’t protect against these phishing attacks completely. It’s helpful and will prompt for any new logins which might be a prompt to users to think twice – but if they enter their MFA code an attacker can now use this to access the system for around a month. To detect this type of breach M365 logons need to be monitored and checked using a service like Defender for Cloud Apps or various third-party tools.)

How to stay safe from phishing

A traditional username and password are no longer good enough to protect company assets. At Doherty Associates we encourage all our customers to embrace MFA to help protect against phishing. MFA can be configured to have a very low user impact –prompting for authorisation only when access is requested from an untrusted device or network. It’s a cost-effective solution to a growing security risk.

We also offer phishing tests where we will send a “dummy” phishing email to customers, helping them train and educate their employees about phishing. A robust email filtering service such as Microsoft ATP (2024 Update: Now called Defender for Office 365) – an add-on service for Office 365/Microsoft 365 – or Mimecast can also help to detect and block phishing attempts.

To find out more about Doherty Associates, visit our Services page.