Employees at Air India, India's only government-owned airline, fell for a sophisticated phishing scam in 2017 that involved Nigerian hackers posing as employees of Pratt & Whitney and demanding the transfer of $300,000 (£230,905) to a bank account located in Nigeria.
A report published by Outlook India has revealed that Air India has failed to recover the lost sum from the Nigerian bank, but the airline insists that investigations into the loss of money to the phishing attack are still underway.
Pratt & Whitney supplies engines for A320 passenger planes flown by Indian aviation companies, as well as a large variety of equipment and spare parts that are ordered by such firms in large numbers every year.
Air India is, at present, suffering from mounting debts and is not able to operate fluidly, as a large number of its planes are grounded due to the lack of spare parts that are manufactured by US-based aircraft equipment manufacturers such as Pratt & Whitney, GE Aviation, Honeywell, Turbomeca, and CFM International. The loss of a large amount of money to cyber fraudsters has further impacted its efforts to procure essential items.
Phishers also successfully conned Facebook & Google employees
The successful phishing attack targeting Air India employees posted to its New York office reminds us of the elaborate phishing attack that swindled as much as $100 million from Facebook and Google, with the hackers posing as vendor companies.
For two years between 2013 and 2015, a Lithuanian national named Evaldas Rimasauskas impersonated a vendor company named Quanta Computer and demanded payments for goods and services from Google and Facebook employees. He interacted with them via phishing e-mails.
Once he received the said payments, he transferred the money to a number of banks located in countries like Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. The successful phishing attack revealed not only that even large firms like Google and Facebook are vulnerable, but also that they kept silent about it even after they discovered that they had been tricked.
In March this year, Rimasauskas pled guilty to his crimes in a U.S. District Court in Manhattan and agreed to forfeit $49.7 million even though he wasn't charged with carrying out these crimes alone.
In September 2017, a scammer also conned MacEwan University in Canada out of 11.8 million CAD after he convinced employees to change payment details for a vendor using email communications. After the phishing attack was discovered, the university said that "controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed."