Please fill in the form below to subscribe to our blog

The Port of Seattle Lost $500k to 2 Phishing Scams That Could Have Been Avoided

April 13, 2023

Training & Employee Awareness Can Stop Phishing Attacks from Landing

Phishing is one of the topics we hear about the most in relation to cybercrime. So much so that it can seem mundane. However, it is anything but. 9 in 10 of today’s most damaging cyberattacks start with a phishing message, making phishing training a vital security tool. Phishing is the gateway to cybersecurity nightmares like business email compromise (BEC), malware and credential compromise. For the Port of Seattle, phishing was also the gateway to losing $500k. 

Learn to defend against devastating cyber threats with A Comprehensive Guide to Email-based Cyberattacks. GET IT>>

2 phishing attacks cost the Port of Seattle half a million dollars

A newly released report of an audit conducted by the state of Washington sheds light on two expensive, damaging phishing attacks that impacted the Port of Seattle to the tune of half a million dollars in 2021. The Port was eventually able to recover some of the money and make an insurance claim for another chunk. However, state auditors determined that the Port should have done more to prevent the attacks from happening in the first place. 

The saga started in October 2021 when the Port of Seattle Diversity, Equity & Inclusion department fell victim to what the auditors categorized as a classic phishing scam in which bad actors posed as an unnamed service provider that was owed money by the port. In the first incident, employees in that office forwarded the email to the Port’s accounts payable office for payment and over three payments the cybercriminals made off with $184,676. 

dark web threats represented by a hacker in a hoodie shrouded in shadows with faint binary code

Find out about five of today’s biggest dark web threats to businesses in this infographic. DOWNLOAD IT>>

The second incident took place in December 2021. Once again, crooks hit the Port of Seattle Diversity, Equity & Inclusion office with a phishing scam, and once again they were successful. They used the same basic premise for this phishing attack — the common invoice scam. However, this time, they went for a much bigger score. By the time the damage was done, the Port had made five payments totaling $388,007.  

Altogether, the Port of Seattle got hit for about $500K. Fortunately, officials were able to get most of the stolen money back through a variety of means. Thanks to a combination of detective work and good cyber insurance, the Port was able to recover all but $50,000 of the lost funds, with $356,520 coming from the bank and $166,163 coming from insurance. However, the outcome of this scenario could have been much worse. Employees falling for phishing tricks is a fast path to a ransomware nightmare for any business.

Get the scoop on 5 of the worst email-based attacks plus tips to protect businesses from them. GET INFOGRAPHIC>>

Training neglect leads to disaster

What happened to cause these two cyber disasters? Auditors had a few things in mind in their report. First and foremost, the auditors noted that the staff missed obvious signs that these were fraudulent messages, including things like misspellings and bad grammar. That ineptness led to the phishing email passing through not one but two departments successfully, including one that should have had a higher standard of training due it its proximity to cybercrime. Auditors also faulted the staff for not consistently following the Port’s proper procedures for an electronic funds transfer. 

This was not the first cybercrime loss by the Port of Seattle. In the Port’s response to the audit, they noted that they hadn’t suffered a monetary loss to a cybercriminal scheme in the 15 months preceding this disaster. The State of Washington had experienced its own cybercrime losses, totaling $28 million since 2016. However, even in that environment, where phishing and the subsequent damage it could cause was a well-known risk, mistakes were made, and the means for preventing those mistakes were neglected. 

In the aftermath of this incident, the departments involved in the scandal were required to take mandatory security awareness training with phishing simulations. The Port was also obligated to ensure that all employees had regularly refreshed security awareness training that included phishing training to keep them up to speed on phishing threats in the hopes of avoiding this problem in the future. That program was put into place in 2022. Training employees regularly is vital to ensure they remain at a high level of awareness for phishing and email-borne cyberattacks.

Learn how a new integration between BullPhish ID & Graphus saves time & money. SEE THE DETAILS>>

Training is a small investment with a high ROI

Frequent, regular security awareness training is one of the most effective defensive measures that a company can put into place. It’s also very affordable, with an amazing ROI. The difference in the cost of phishing to a business before and after training is stark.  

Annual ROI of security awareness training 

Small and midsize businesses (SMB, 50 to 999 employees): 69% ROI 

Large businesses (1,000+ employees): 562% ROI 

IT/Security Costs Before Security Awareness Training   

  50 to 99 Employees 1,000+ Employees 
Annual IT payroll hours spent disinfecting workstations, networks 760.0  137.3  
Annual misc. incident remediation cost per email user  $29.23  $5.28 
Annual IT/security costs per email user  $7.51  $28.11 
Annual costs per email user $249.39 $455.41  

Source: Osterman Research

IT/Security Costs After Security Awareness Training 

  50 to 99 Employees  1,000+ Employees  
Annual IT payroll hours spent disinfecting workstations, networks  565.5  120.5  
Annual misc. incident remediation cost per email user  $21.75  $4.63  
Annual IT/security costs per email user  $0.75  $2.81  
Annual costs per email user  $24.94   $45.54  
Cost of employee time spent in SAT   

 Source: Osterman Research

Can you spot a phishing message? This infographic points out red flags to watch for to sniff them out! DOWNLOAD IT>>

Phishing training nets big benefits

Security awareness training that includes phishing simulation slashes the chance that employees will fall for a phishing lure dramatically. In a study, 80% of organizations said that security awareness training had substantially reduced the chance that an employee falling victim to a phishing scam. Ultimately researchers determined that although security awareness training doesn’t work overnight, it makes steady progress that holds up over time reducing a company’s phishing risk from 60% to 10% within the first 12 months. That’s a huge security improvement without a huge hit to a company’s budget.

Here are a few other benefits of regular security and phishing awareness training:  

How much is data really worth on the dark web? Find out in The IT Professionals Guide to the Dark Web! GET EBOOK>>

Get world-class security and phishing awareness training at an affordable price

BullPhish ID is an affordable security and compliance awareness training solution and the industry leader in phishing simulations. This solution contains all of the tools that IT professionals need to run great training programs. The wide variety of training materials ensures that employees quickly gain cybersecurity knowledge and compliance skills while developing their phishing resistance fast to protect organizations from phishing-based cybercrime. The robust array of features including automated delivery ensures that running a training program is a snap for you. 

  • Choose from a wide variety of plug-and-play phishing simulations, with new phishing simulation kits added every month  
  • Train your way with fully customizable content including links and attachments to reflect industry-specific threats  
  • Access a huge library of security and compliance training videos with fresh videos added every month  
  • Simple reporting with automated delivery to stakeholders helps prove the value of training, measure retention and see who needs more help 
  • Quickly create, import and edit target employee groups to be included in your phishing simulation and training campaigns, run different campaigns for multiple groups, and schedule campaigns 
dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!