Phishing Attacks: Why Energy Companies and Utilities Are Getting Zapped

5 min readDec 5, 2019

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By John Wilson

The Wall Street Journal’s report that a dozen US-based utilities were targets in a recent wave of coordinated phishing attacks should set off alarm bells throughout the sector and beyond.

Energy producers and utilities don’t just keep the lights on. They play a unique role in a country’s critical infrastructure, encompassing economic health, public safety, and national security — making them appealing targets for state-sponsored hackers and saboteurs.

For years, hackers linked to Russia and Iran have probed for weaknesses in energy and utility cybersecurity defenses around the world. Among their top prey: oil and gas producers, nuclear power companies, and electrical grid operations. And in nearly every instance, their strategies have included phishing emails targeting the weakest link in most organizations’ security: humans.

Organizations hit by a continuous barrage of phishing attacks often face an expensive, high-stakes problem that’s hard to solve with traditional email security practices.

Phishing: Rising Costs, Serious Risks

The average annual cost of cyberattacks was $17.84 million per utility company in 2018, according to Accenture’s 2019 Cost of Cybercrime Report. That’s a 16% jump from 2017. Energy companies saw average annual losses rise to $13.77 million. Yet bad as it is, the consequences for successful email attacks on energy producers and grid operators can easily eclipse remediation costs.

Government and cybersecurity company investigations have shown that state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and other sensitive data. The fear is that successful phishing campaigns could have serious consequences for the organizations that fall victim, as well as for the constituents and communities they serve.

It’s a valid fear. A 2017 report, for instance, found that one group of threat actors had successfully phished their way into US and European energy companies, gaining…


Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.