Another Successful Phishing Attack
A recent conviction related to a widespread phishing scheme reminds us how simple it can be to disrupt an entire organization. It doesn’t take a large group of co-conspirators or strong technical skills. All it takes is internet access and a willingness to take advantage of strangers.
What Happened
Oriyomi Sadiq Aloba’s scheme began with a phishing email. A Los Angeles Superior Court employee fell for the scam and that account was compromised. Once Aloba had access to a valid account, he used it to send thousands of spear-phishing attacks to other LASC employees. He sent a fake Dropbox notification and was able to collect login information for hundreds of employees.
With access to hundreds of logins, Aloba expanded his attack to two million phishing attacks. In this round, the emails appeared to be from American Express and Wells Fargo. Links in these emails directed victims to falsified login pages where banking credentials and credit card information were collected. On top of the individual victimization that occurred, the world’s largest court system was significantly disrupted. Hundreds of employees were taken offline for hours or even days. Thousands of man-hours were likely wasted dealing with this attack.
When Aloba was caught, law enforcement found dozens of phishing kits on his laptop. What is a phishing kit? It’s the falsified website, designed to look like an authentic site, that a criminal uses to collect victims’ data. Administrators try to keep up with and block these fake sites, but criminals are registering new domains by the thousands. These kits make it easy for non-technical scammers to execute a phishing attack.
Basic phishing awareness can help you avoid a scam like this. Never click links in suspicious emails and always check the URL before entering any personal information into a website.
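One way to make the URL check above concrete, as an added example that is not part of the original post: it pulls out the host a browser would actually connect to and compares it with an allowlist. The allowlist domains, function names and sample links are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: allowlist of the real domains for the brands named in the post.
TRUSTED_DOMAINS = ("dropbox.com", "americanexpress.com", "wellsfargo.com")


def link_host(url):
    """Return the host a browser would connect to, or None if unparseable."""
    try:
        host = urlsplit(url.strip()).hostname  # drops "user@" prefix and port
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def check_link(url):
    """Return 'trusted' or a 'suspicious: ...' reason for a link."""
    host = link_host(url)
    if host is None:
        return "suspicious: no readable host"
    if urlsplit(url.strip()).scheme != "https":
        return "suspicious: not https"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain; a brand name used only as a
        # prefix (dropbox.com.something.example) does not qualify.
        if host == domain or host.endswith("." + domain):
            return "trusted"
    return "suspicious: real host is " + host


# Constructed sample links (not taken from the case described above).
SAMPLES = [
    "https://www.dropbox.com/login",
    "https://dropbox.com.files-share.example/login",
    "https://www.wellsfargo.com@login.example/signin",
    "https://wellsfargo-secure.example/",
    "http://www.americanexpress.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{check_link(link):55} {link}")
```

The second and third samples show why reading only the start of a link is not enough: the brand name appears first, but the host that receives the credentials is whatever comes last before the path.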
If your workplace needs help with phishing awareness, contact us today.