Apr 28 2017   7:42PM GMT

Google, Facebook just fell victim to a phishing scam: The takeaway for CIOs

Brian Holak


We finally know which two big tech companies were conned out of millions by an email phishing scam, as reported last month, and you might recognize them.

The culprit — a Lithuanian man being charged with fraud, aggravated identity theft, and money laundering by the Department of Justice — swindled Google and Facebook out of $100 million collectively by pretending to be a popular Taiwanese electronics manufacturer.

The man allegedly forged emails from the manufacturer's employees, along with invoices and contracts, and asked the tech giants to send payments to his own bank accounts in Latvia and Cyprus instead of the real company’s accounts — and it was enough to convince employees at Google and Facebook.

“Humans are the most vulnerable point of any information system; even the world’s biggest tech companies aren’t immune to this,” said Neil Wynne, CISSP and Gartner analyst. “The vast majority of cyberattacks use social engineering, such as phishing, to trick employees into taking actions detrimental to the company. Many large and high-profile breaches have started with successful phishing attacks.”

A recent report from threat management provider PhishMe found that 91% of cyberattacks start with a phish. The top reasons people fell for the emails: curiosity, fear and urgency. These are the things attackers prey on — and adding more technology-based defenses can’t address those kinds of vulnerabilities, said Wynne.

“There tends to be an overreliance on a technology-based approach,” he said. “Instead, CIOs should take a multipronged approach that spans technical, procedural and educational controls to effectively mitigate these attacks. The education aspect is a critical component because it increases employee resilience to social engineering.”

Bryce Austin, CISM and CEO at IT consulting company TCE Strategy, agrees that phishing scam detection hinges on training.

“I think the big takeaway from this incident is, first and foremost, that a cybersecurity awareness program is critical to all companies regardless of size — big or small,” said Austin. “Many of these fraudsters will try to get employees to break standard process and procedure by saying ‘this is very confidential’ or ‘this is related to some new merger or acquisition’ or something like that.”

Austin said the size of the scam suggests that the Lithuanian scammer got employees at Google and Facebook to break process and procedure, either by convincing them with believable documentation and credentials or by finding someone who wasn’t trained on what the process and procedure was.
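As an added illustration of the procedural control Wynne and Austin describe (this is not code from the article or from its sources), the following Python check compares an incoming invoice against the vendor record on file and lists every discrepancy that must be confirmed out of band before payment is released; the vendor, domains, account identifiers and message text are constructed placeholders.

```python
from dataclasses import dataclass

# Vendor master record: the contact domain and bank details confirmed when the
# vendor was onboarded. All values used below are constructed placeholders.
@dataclass
class Vendor:
    name: str
    email_domain: str
    bank_country: str
    bank_account: str

@dataclass
class Invoice:
    vendor_name: str
    sender_email: str
    bank_country: str
    bank_account: str
    note: str = ""

# Phrases Austin cites as levers fraudsters use to get staff to break process.
PRESSURE_PHRASES = ("confidential", "urgent", "merger", "acquisition")

def review_invoice(inv: Invoice, vendors: dict) -> list:
    """Return the reasons this invoice must be verified out of band (e.g. a call
    to the phone number on the vendor master, never one taken from the email).
    An empty list means every field matches the record on file."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return ["unknown vendor: no master record to compare against"]
    reasons = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        reasons.append(f"sender domain {sender_domain} is not {vendor.email_domain}")
    if inv.bank_account != vendor.bank_account:
        reasons.append("beneficiary account differs from the account on file")
    if inv.bank_country != vendor.bank_country:
        reasons.append(f"bank country {inv.bank_country} differs from {vendor.bank_country} on file")
    hits = [p for p in PRESSURE_PHRASES if p in inv.note.lower()]
    if hits:
        reasons.append("pressure language in message: " + ", ".join(hits))
    return reasons

# Constructed sample data: one genuine invoice and one that redirects payment.
VENDORS = {"Example Manufacturing": Vendor("Example Manufacturing", "example-mfg.example", "TW", "ACCT-ON-FILE-001")}
GENUINE = Invoice("Example Manufacturing", "ap@example-mfg.example", "TW", "ACCT-ON-FILE-001")
REDIRECTED = Invoice("Example Manufacturing", "ap@example-mfg-billing.example", "LV", "ACCT-NEW-999",
                     note="Please treat as very confidential; new bank relationship after the acquisition.")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("redirected", REDIRECTED)):
        print(label, review_invoice(inv, VENDORS) or ["ok: matches vendor record"])
```

Any non-empty result holds the payment until someone confirms the change through a channel that the email itself did not supply.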

In other words, the major takeaway for CIOs to avoid similar phishing scams: educate, educate, educate employees on their role in data protection.

1  Comment on this Post

  • amygirlboss
    Are there any good training materials that an IT manager can use to train their employees? Teaching the severity of being victim to a scam only seems to resonate when it affects employees on a personal basis. Creating something from scratch looks like it's just my opinion, but a course that is given by a different entity may hold more value. 
