Phishing is one of the topics we hear about the most about cybercrime. So much so that it can seem mundane; however, it is anything but. 9 in 10 of today’s most damaging cyberattacks start with a phishing message, making phishing training a vital security tool. Phishing is the gateway to cybersecurity nightmares like business email compromise (BEC), malware and credential compromise. For the Port of Seattle, phishing was also the gateway to losing $500k.

• 2 phishing attacks cost the Port of Seattle half a million dollars

A newly released report of an audit conducted by the state of Washington sheds light on two expensive, damaging phishing attacks that impacted the Port of Seattle to half a million dollars in 2021. The Port eventually recovered some of the money and made an insurance claim for another chunk. However, state auditors determined that the Port should have done more to prevent the attacks from happening in the first place.

The saga started in October 2021 when the Port of Seattle Diversity, Equity & Inclusion department fell victim to what the auditors categorized as a classic phishing scam in which bad actors posed as an unnamed service provider owed money by the Port. In the first incident, employees in that office forwarded the email to the Port’s accounts payable office for payment and over three payments, the cybercriminals made off with $184,676.

The second incident took place in December 2021. Once again, crooks hit the Port of Seattle Diversity, Equity & Inclusion office with a phishing scam, and once again, they were successful. They used the same basic premise for this phishing attack — the common invoice scam. However, this time, they went for a much bigger score. By the time the damage was done, the Port had made five payments totalling $388,007.

Altogether, the Port of Seattle got hit for about $500K. Fortunately, officials got most of the stolen money back through various means. Thanks to detective work and good cyber insurance, the Port could recover all but $50,000 of the lost funds, with $356,520 from the bank and $166,163 from insurance. However, the outcome of this scenario could have been much worse. Employees falling for phishing tricks is a fast path to a ransomware nightmare for any business.

• Training neglect leads to disaster

What happened to cause these two cyber disasters? Auditors had a few things in mind in their report. First and foremost, the auditors noted that the staff missed apparent signs of fraudulent messages, including misspellings and bad grammar. That ineptness led to the phishing email passing through not one but two departments successfully, including one that should have had a higher standard of training due it its proximity to cybercrime. Auditors also faulted the staff for not consistently following the Port’s proper procedures for an electronic funds transfer.

This was not the first cybercrime loss by the Port of Seattle. The Port’s response to the audit noted that they hadn’t suffered a monetary loss to a cybercriminal scheme in the 15 months preceding this disaster. The State of Washington has experienced cybercrime losses, totalling $28 million since 2016. However, even in that environment, where phishing and the subsequent damage it could cause was a well-known risk, mistakes were made, and the means for preventing them were neglected.

After this incident, the departments involved in the scandal were required to take mandatory security awareness training with phishing simulations. The Port was also obligated to ensure that all employees had regularly refreshed security awareness training that included phishing training to keep them up to speed on phishing threats to avoid this problem in the future. That program was put into place in 2022. Training employees regularly is vital to ensure they remain at a high level of awareness of phishing and email-borne cyberattacks.

• Phishing training nets enormous benefits

Security awareness training that includes phishing simulation slashes employees’ chance of falling for a phishing lure dramatically. In a study, 80% of organizations said that security awareness training had substantially reduced the possibility of an employee falling victim to a phishing scam. Ultimately, researchers determined that security awareness training doesn’t work overnight. However, it makes steady progress that holds up over time, reducing a company’s phishing risk from 60% to 10% within the first 12 months. That’s a huge security improvement without a massive hit to a company’s budget.

Here are a few other benefits of regular security and phishing awareness training:

1. Security awareness training reduces the cost of phishing by more than 50%.
2. Security awareness training improves phishing awareness by an estimated 40%.
3. Security-related risks are reduced by 70% when businesses invest in cybersecurity awareness training.
4. Companies with regular security awareness training have 70% fewer security incidents.
5. Even a modest investment in security awareness and training has a 72% chance of significantly reducing the business impact of a cyberattack.

Source: ID Agent