Phishing Attacks: Why Energy Companies and Utilities Are Getting Zapped

5 min readDec 5, 2019

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By John Wilson

The Wall Street Journal’s report that a dozen US-based utilities were targets in a recent wave of coordinated phishing attacks should set off alarm bells throughout the sector and beyond.

Energy producers and utilities don’t just keep the lights on. They play a unique role in a country’s critical infrastructure, encompassing economic health, public safety, and national security — making them appealing targets for state-sponsored hackers and saboteurs.

For years, hackers linked to Russia and Iran have probed for weaknesses in energy and utility cybersecurity defenses around the world. Among their top prey: oil and gas producers, nuclear power companies, and electrical grid operations. And in nearly every instance, their strategies have included phishing emails targeting the weakest link in most organizations’ security: humans.

Organizations hit by a continuous barrage of phishing attacks often face an expensive, high-stakes problem that’s hard to solve with traditional email security practices.

Phishing: Rising Costs, Serious Risks

The average annual cost of cyberattacks was $17.84 million per utility company in 2018, according to Accenture’s 2019 Cost of Cybercrime Report. That’s a 16% jump from 2017. Energy companies saw average annual losses rise to $13.77 million. Yet bad as it is, the consequences for successful email attacks on energy producers and grid operators can easily eclipse remediation costs.

Government and cybersecurity company investigations have shown that state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and other sensitive data. The fear is that successful phishing campaigns could have serious consequences for the organizations that fall victim, as well as for the constituents and communities they serve.

It’s a valid fear. A 2017 report, for instance, found that one group of threat actors had successfully phished their way into US and European energy companies, gaining…

Phishing Attacks: Why Energy Companies and Utilities Are Getting Zapped

Phishing: Rising Costs, Serious Risks

Written by Agari

More from Agari

Strategies for Testing Async Code in Python

Editor’s Note: This blog post was originally found on the Agari Email Security Blog.

Advanced Strategies for Testing Async Code in Python

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

DKIM vs. SPF: Do I Need Them Both?

By Brent Sleeper, senior manager of product marketing, Agari

The Threat Taxonomy: A Working Framework to Describe Cyber Attacks

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

Recommended from Medium

22.6k+ GitHub Stars Note-Taking App Hit by XSS Vulnerability

CVE-2023–3067: Stored Cross Site Scripting Vulnerability on renowned note-taking thick client app Trillium

The ChatGPT Hype Is Over — Now Watch How Google Will Kill ChatGPT.

It never happens instantly. The business game is longer than you know.

Lists

Email Marketing

Productivity

Now in AI: Handpicked by Better Programming

Mastering Reconnaissance with Project Discovery

Dissect your target during reconnaissance with Project Discovery

Bypassing 2FA with CSRF Token

In my time as a security researcher and professional, I’ve come across some clever ways to bypassing 2-Factor Authentication (2FA). What’s…

Building a Secure Cybersecurity Research Lab: A Journey of Isolation and Exploration

Introduction

Accessing data on A525FXXU4BVG1 without unlocking.

Hello, it has been a while since I last wrote a post. In essence, it’s a write-up on a logical issue I recently discovered on Samsung…