No Phishing Allowed
Word Count: 1,960 | Estimated Read Time: 8 Min.
It used to be that when people talked about fishing, it meant catching actual fish. Today, when businesspeople discuss fishing, they’re more likely talking about phishing. Both involve using bait to reel in a catch, but one uses worms and a fishing pole to catch grouper, while the other is a cyberattack using digital emails or text messages to reel in unsuspecting, vulnerable people and steal their money or information, or both. That’s bad enough, but it’s even worse when they hijack a reputable and successful company’s brand to do it.
Phishing is a relatively new form of cybercrime. It first emerged in the mid-1990s, specifically targeting users of the dial-up ISP America Online (AOL), who were typically new to the internet. The first widespread attacks involved social engineering tactics where attackers, posing as AOL employees, tricked users into revealing their login credentials. The term “phishing” itself was coined in 1995 in relation to a software tool called AOHell, which automated the process of stealing AOL passwords and other data. And with that, a new form of cybercrime was born.
After that, attacks using email or instant messaging became increasingly more common. Phishers would request users to “verify” their accounts, leading to stolen passwords. By the late 1990s and early 2000s, phishing attacks evolved further, broadening their scope beyond AOL to target businesses, banks, and other institutions with more sophisticated methods.
Of course, over time, people and companies also became considerably more aware and suspicious of such scams. Gone were the gullible AOL newbies and novice internet users. The scammers weren’t the only ones who got smarter. By now, one would assume most Gen Xers, Millennials, and Gen Zs are well aware of, and not susceptible to, such obvious cyber scams, right? Well, think again.
The Persistence of Phishing Scams
Even though companies today are more knowledgeable and savvier in dealing with phishing, vishing, smishing, and the host of other communication-based scams like whaling, they can still fall prey to new variations of these attacks. Despite more rigorous security protocols and training (so employees recognize the red flags of a phishing-type email, text, or call), major phishing scams are still being deployed against major brands as recently as the last few years. The severity of an attack is measured by financial loss, operational disruption, or impact on consumer trust. Several major attacks that relied on phishing as the initial vector have happened quite recently.
Case in point: In 2021, the Colonial Pipeline ransomware attack was a cyber incident that started with a phishing vector and resulted in major real-world consequences. The cyber-scammers gained access to Colonial Pipeline’s systems by compromising an employee’s password, most likely through a phishing email. They then deployed ransomware to encrypt the company’s business networks. Colonial Pipeline was forced to shut down its operations, leading to major fuel shortages and a declared state of emergency along the U.S. East Coast. To end the attack, Colonial Pipeline paid a $4.4 million ransom to the hackers. Those funds were never recovered.
Second case in point: The Change Healthcare cyberattack—considered possibly the worst phishing attack due to its massive impact on the U.S. healthcare system—happened just last year, affecting patients, doctors, and pharmacies nationwide. A report revealed that the initial entry point for the attack was a server that lacked multifactor authentication (MFA). It’s believed that compromised login credentials, likely obtained through a phishing scheme, allowed the ALPHV/BlackCat hacking group to gain access. Their breach of the company’s system disrupted critical healthcare operations, including billing, insurance claims, and prescription services. The personal medical data of approximately one-third of the U.S. population was likely exposed. To add insult to injury, UnitedHealth (Change Healthcare’s parent company) paid a $22 million ransom, but the attackers never returned the stolen data; neither the data nor the money was recovered, and the perpetrators were never caught.
So even though people know more and are more suspicious of such scams and schemes, that has not stopped cybercriminals from successfully attacking global companies that have sophisticated systems, encryption, and other safeguards.
No Phishing Allowed
So how does a company protect its brand from such an attack? More rigorous security protocols must be adopted, and employees must be trained to recognize the red flags of phishing-related schemes and scams. Here are just a few things a company can do, should do, and in many cases is already doing to prevent such attacks.
- Enhance Verification Processes: Companies, especially in real estate, title insurance, finance, and accounts payable, have widely adopted multi-step verification procedures for outgoing wire transfers. This includes independent phone calls to a known, verified number and multiple levels of sign-off.
- Simulate Phishing Exercises: Many businesses now conduct regular, unannounced phishing simulations in which they send fake phishing emails to employees. This helps gauge employee awareness and provides a safe learning environment for those who fail the test.
- Increase Cybersecurity Budgets: Attacks often serve as a wake-up call for organizations to invest more heavily in their cybersecurity defenses, including advanced email filtering, network monitoring, and employee training programs. But waiting for a cyberattack to boost security is like waiting for a thief to steal the family jewels before installing a safe, security cameras, and stronger locks. Increase the budget now and stay on top of it. Paying for the latest software is less expensive than paying ransoms and hiring PR firms to handle the fallout after an attack.
- Collaborate with Law Enforcement: Every response to a cyberattack underscores the importance of working with law enforcement and other companies to track and report cybercrime, which can lead to the arrest and prosecution of the attackers. It may feel like a waste of time, but if all companies did it, scammers would be serving time and new scammers would think twice before launching an attack on a company known for working closely with law enforcement.
- Train Employees to Suspect Urgent or Pressuring Language: This may sound odd, but ask all company employees to slow down, especially when being urged to hurry. While leaders want employees to be fast and efficient, an environment where everyone is being asked to move quickly helps disguise phishing scams. In a harried environment, constant urgency creates a false sense of familiarity and disguises an urgent request from scammers (such as “Transfer funds immediately!”). In a calm environment, an urgent request should raise suspicion and sound the alarm.
- Detect Email Address Discrepancies: Fraudulent emails often use a “look-alike” domain that is a slight variation of the real one. Employees should be trained to scrutinize the sender’s full email address, not just the display name. When it comes to spotting phishing, attention to detail really matters. For that, employees need to work in an environment that is not harried or understaffed.
- Suspect Requests for Unusual or Secret Transactions: An employee should be immediately suspicious of a request to transfer a large sum of money for a “secret” deal that bypasses standard procedures.
- Use Multi-Factor Authentication (MFA): While the Ubiquiti case was a BEC scam that didn’t necessarily require credential theft, MFA is a crucial defense against many phishing attacks. Had the attack involved a stolen password, MFA would have prevented the attacker from gaining access to the company’s internal systems.
- Restrict Access and Authority: In the Ubiquiti case, the attacker exploited the fact that the finance employee had the authority to make such a large transfer without a second layer of approval. Implementing a “least privilege” principle, where employees only have access to the systems and financial authority necessary for their job, limits the potential damage of a successful phishing attack.
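A small sender check of the kind the “Detect Email Address Discrepancies” item calls for, written here as an added example (not the author’s or any vendor’s code): it classifies a From: header against a constructed allowlist (example.com and examplebank.com are hypothetical) and names the pattern it found. It goes a little beyond the text by also catching typosquats and display names that borrow a trusted domain, not only look-alike domains.

```python
from email.utils import parseaddr

# Constructed allowlist of the organisation's own and partner domains (hypothetical).
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}
# Digit/letter swaps commonly used to build confusable names (not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

def normalize(domain: str) -> str:
    # Collapse visual substitutions so examp1e and exarnple both read as example.
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as trusted, unrelated, invalid, or a look-alike pattern."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a real subdomain of a trusted domain
    for t in trusted:
        # trusted name buried inside an unrelated domain: example.com.login-verify.net
        if ("." + t + ".") in ("." + domain + "."):
            return "lookalike:embedded"
        # homoglyph / digit substitution: examp1e.com, exarnple.com
        if normalize(domain) == normalize(t):
            return "lookalike:confusable"
        # typosquat within two edits: exmaple.com, example.co (tune threshold per domain length)
        if levenshtein(domain, t) <= 2:
            return "lookalike:typo"
    # display name borrows a trusted domain while the real address does not
    if any(t in name.lower() for t in trusted):
        return "lookalike:display-name"
    return "unrelated"

# Constructed sample headers; none refer to real messages.
SAMPLES = ['"IT Helpdesk" <helpdesk@example.com>', '"Accounts Payable" <ap@exarnple.com>',
           '"Okta" <sso@example.com.login-verify.net>', '"CEO - example.com" <ceo.urgent@gmail.com>']
for h in SAMPLES:
    print(f"{check_sender(h):24} {h}")
```

The two-edit threshold will also flag short unrelated domains, so in practice the result feeds a warning banner or a reviewer queue rather than an automatic block.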
Phishing cyberattacks can clearly be thwarted if not eliminated entirely. It just takes time, intent, and a budget.
Case Study: Cloudflare’s Phishing Defense
A notable example of a company successfully thwarting a phishing attack is Cloudflare, the web infrastructure and security company. In July 2022, Cloudflare was the target of a highly sophisticated phishing campaign that also targeted other prominent companies like Twilio.
Spotting the Attack
The attack began with employees receiving legitimate-looking text messages (a form of “smishing,” or SMS phishing) pointing to what appeared to be a Cloudflare Okta login page. The attackers had likely obtained a list of employee phone numbers. Three Cloudflare employees did, in fact, fall for the ruse and entered their credentials on the fraudulent page.
However, the attack was thwarted because of Cloudflare’s robust security measures, particularly its use of physical security keys for two-factor authentication (2FA). Unlike typical 2FA that uses codes sent via text message or an authenticator app, Cloudflare requires every employee to use a physical FIDO2-compliant security key (like a YubiKey) to access all applications.
When the employees entered their credentials, the attackers attempted to log in using the stolen passwords. But because they did not possess the physical security keys, they could not complete the second step of the authentication process. The failed login attempts were immediately flagged, and the security team was alerted.
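To show why the stolen passwords got the attackers nowhere, here is an added simulation (not Cloudflare’s or Okta’s code) of the FIDO2/WebAuthn origin binding behind that second step: the browser ties each assertion to the page’s origin and relying-party ID, so a look-alike site cannot relay a valid login even with the password in hand. The relying-party ID, the phishing origin, and the HMAC standing in for the key’s signature are all constructed for this example.

```python
import hashlib, hmac, json, secrets

RP_ID = "login.example.com"                # hypothetical relying-party ID
RP_ORIGIN = "https://login.example.com"    # the only origin the relying party accepts
PHISH_ORIGIN = "https://login-example-com.example.net"  # constructed look-alike site
KEY = secrets.token_bytes(32)              # stands in for the security key's private key

def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0]

def browser_get(origin, rp_id, challenge):
    """The browser's WebAuthn get(): refuses an rpId the current origin is not within."""
    host = host_of(origin)
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("SecurityError: rpId %r not valid for origin %r" % (rp_id, origin))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    # Authenticator side: signs rpIdHash || flags || clientDataHash. HMAC stands in for the
    # real asymmetric signature; either way the origin is baked into what is signed.
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # flags: user present
    sig = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, auth_data, sig

def rp_verify(challenge, client_data, auth_data, sig) -> str:
    """Relying-party checks in the order a WebAuthn server performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return "reject: challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "reject: origin %r" % cd.get("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "reject: user not present"
    expected = hmac.new(KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return "accept" if hmac.compare_digest(sig, expected) else "reject: bad signature"

def scenario(origin: str, rp_id: str) -> str:
    """One login attempt from a page at `origin`, asserting against the real relying party."""
    challenge = secrets.token_urlsafe(16)  # issued by the real RP, possibly relayed by a proxy
    try:
        return rp_verify(challenge, *browser_get(origin, rp_id, challenge))
    except ValueError as e:
        return "browser refused: " + str(e)

if __name__ == "__main__":
    print(scenario(RP_ORIGIN, RP_ID))                     # accept
    print(scenario(PHISH_ORIGIN, RP_ID))                  # browser refused: SecurityError ...
    print(scenario(PHISH_ORIGIN, host_of(PHISH_ORIGIN)))  # reject: origin 'https://login-example-com...'
```

The third scenario is the relay case: even if the fake page asks the key to sign under its own name, the assertion carries the wrong origin and the relying party drops it, which is the failed-login signal the text says was flagged.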
Responding to the Attack
The Cloudflare security team acted quickly:
- Block the malicious domain: They added the phishing domain to their internal gateway to prevent any further access from employees.
- Reset compromised credentials: They identified the three employees whose credentials were leaked, reset their passwords, and terminated any active sessions.
- Take down the threat infrastructure: They worked with the hosting provider and domain registrar to shut down the attacker’s server and seize control of the malicious domain, preventing the attack from harming other organizations.
- Update their security posture: Last but not least, they used the intelligence gathered from the attack to enhance their own detection systems and block any similar future attempts.
What if They Hadn’t Succeeded?
If Cloudflare’s security team and its physical security key requirement had not successfully thwarted the attack, the consequences could have been catastrophic and far-reaching. It would have resulted in:
- Data Breach and Intellectual Property Theft: The attackers would have gained access to Cloudflare’s internal systems and sensitive data. This could have included intellectual property, customer data, and proprietary company information. The theft of this data would not only be a massive financial loss but could also severely compromise their competitive advantage.
- Customer Impact: As a company that provides security services to millions of websites, a breach of Cloudflare’s systems could have had a domino effect. The attackers could have used their access to compromise the websites of Cloudflare’s customers, leading to widespread data breaches for those organizations and their users. This would have caused a massive loss of trust and potentially led to lawsuits.
- Reputational Damage: Cloudflare’s brand is built on trust and security. A successful, public phishing attack would have severely damaged its reputation, causing customers to lose confidence in Cloudflare’s ability to protect their data and its own systems. Rebuilding that trust would have been a long and difficult, if not impossible, process. It’s like a bank where people put their money for safekeeping. If the bank is robbed, it would cause customers to wonder if the bank can safeguard their money effectively.
- Financial Fallout: The financial cost would have been immense, including the costs of incident response, forensic analysis, legal fees, regulatory fines (for non-compliance with data protection regulations), and the loss of business from customers who switch to a competitor. A data breach can also cause a company’s stock price to plummet.
- Operational Disruption: The company’s operations could have been shut down or severely hampered as the security team worked to contain the breach and clean up the compromised systems. This would result in lost productivity and a significant impact on revenue.
Every business needs to do what’s necessary to avoid these kinds of attacks. Cloudflare did and averted a crisis. Indeed, it’s easier to do these things upfront than to try to undo the damage after the fact.
Quote of the Week
“Phishing is a gateway to every other type of cyberattack. If you can stop the phishing attack, you’ve stopped the majority of attacks that are going to happen to your organization.”
Caleb Barlow, former VP of IBM Security
© 2025, Keren Peters-Atkinson. All rights reserved.