Springthrough Thoughts

True Story- A Phishing Scam Caused $100,000 Loss for a West Michigan Business

Mar 2, 2020 by Patrick Kimbrell

Recently, a small manufacturing firm in West Michigan reached out to Springthrough as they were targeted for an email phishing scam which caused $100,000 in financial loss. What happened to them can happen to you as hacker attacks occur every 39 seconds. Phishing attacks evolve constantly and have become more sophisticated. 

What Happened in the Phishing Scam  

The story began with (let's say) John, the owner of the firm whose company email account was phished and hijacked. The phish attacker put up an elaborate scheme to impersonate John's digital identity and fabricated email correspondence with a fake client.  

After a month or so, John's accounting department received a legitimate-looking invoice in PDF format from a spoofed email address requesting payment of the invoice amount, supported by John's correspondence with the client.  

John reviewed the company expenses a month later and spotted this irregular expense. He investigated and realized that an inbox rule had redirected this correspondence to the RSS Feed folder in the Inbox to hide the conversation from him while the phishing attacker built a credible story for the accounting department to request payment.  


John was unable to reverse the situation and sustained a financial loss of $100,000. It was too late to take any reactive measures to amend the circumstance.  

Going forward, Springthrough has recommended that John implementing end-user training for all company employees about phishing emails and how to detect phishing scams on a semi-annual basis. 

Lessons Learned  

While John had insurance, this incident was not covered due to the failure to verify the client's information.  

It is always best practice to verify the sender's identity before transferring large amounts of money both internally and externally. End users should always  verify the email address and be careful with any suspicious attachments or links.  

Studies have shown that 30% of working adults do not understand what phishing attacks are and 15% of phishing victims will click dangerous links again. Springthrough suggests implementing a company-wide user training regularly. Proofprint 2020 'State of Phish' report shows that 80% of survey respondents indicated that security awareness training has led to measurable improvements to combat phishing attacks. It will help employees to be more vigilant about phishing scams and empower them to identify potential cyber-attacks to protect not only your business but also your customers and clients.   

CTA- Cyber Security

Thank you for filling out our form. Loading animation