News & Analysis

Facebook And Google Fall Victims To A $100M Phishing Scam

By ISBuzz Team | May 1, 2017 | Updated: July 4, 2024 | 5 Mins Read
Facebook and Google were the victims of a $100M phishing scam. According to the Justice Department, the crook forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies. IT security experts from AlienVault, ESET, Tripwire, Comparitech.com and FireMon commented below.

Javvad Malik, Security Advocate at AlienVault:

“CEO/CFO fraud is where a CFO is sent a phishing email purporting to be from the CEO, demanding that they immediately transfer some money to a third party.

The concept of this heist is identical, albeit at a much higher level, with a lot more foundational work being put in place beforehand.

Therefore, it is not unexpected that many of the mitigation strategies would be similar in nature; these would include better third-party identification and verification processes, more stringent payment authorisations, and not solely relying on email as an authority to process.”

Mark James, IT Security Specialist at ESET:

“It’s a fact in today’s digital world that there is always someone trying to scam you. We fight it, we delete it, we even highlight it and use it to teach others what to look out for, but there is one thing humans are good at and that’s adapting. Most spam or phishing attacks end up a failure, but that’s the nature of these types of attacks: they don’t all have to succeed. For us to be safe we have to detect or block 100% of those attempts, but they only need to get one right. If someone puts their mind to doing something there is a good chance they will succeed, whether that’s education, business or foul deeds. The good thing about the latter is that most of the time people get caught. This particular plan involved forging email addresses, invoices, and corporate stamps in order to trick some big companies into believing they were dealing with the “right” company and handing over thousands; it just goes to prove that all companies, large and small, can be scammed.”

Paul Norris, Senior Engineer at Tripwire:

“Phishing has long been a valuable technique for cyber criminals because both trained humans and detection software have difficulty identifying a well-crafted phishing email. However, the bigger problem across the board is user awareness. Organizations should implement training programs that help their users understand aspects of spam, phishing, and malware. A little bit of training can go a long way in this area.”

Lee Munson, Security Researcher at Comparitech:

“Phishing or, more appropriately in this case, ‘CEO Fraud’ poses a huge problem to organisations of all sizes.

While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here.

That a non-technical business could be attacked in this way is, perhaps, forgivable but the same cannot be said for firms operating in the tech sector.

If the companies behind the $100 million loss are indeed Facebook and Google, it would be a surprise as, even if their teams are not completely alert to this sort of ruse, they should have a security department that can generate awareness around this type of financial fraud.

Thus, while current disclosure laws may not require the victims in this case to come clean about what happened – from a financial point of view – I certainly believe there is a public interest angle.

Investors in technology firms have a right to know that the business is managing its systems and people in an effective way that minimises risks that can have a significant impact – and CEO Fraud is relatively easy to identify and avoid – especially in this case, where the scam was allowed to continue unchecked over a two-year period.”

Paul Calatayud, Chief Technology Officer at FireMon:

“The type of attack both these companies fell prey to did not impact customer data or corporate intellectual property. Also, this scam preys on finance departments rather than the cyber or engineering “talent”, so any company – no matter how innovative – can become a victim.

The issue at hand is whether or not these types of events warrant disclosure. Given that both these companies have significant amounts of money in the bank and some was recovered, as the law stands, I don’t feel reporting it was necessary. I do feel that we are lacking federal-level breach disclosure laws that center around eliminating public vs. private or material vs. immaterial conditions. We need to drive awareness, and these notifications can serve to benefit other companies. Until we do that, we will remain debating in boardrooms whether or not cyber investments are necessary or how likely attacks may be. Like other debates on social forums, many crimes go unreported, and this only benefits the criminals by allowing them to operate in the shadows.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.