PhiShark Logo
Back to blog
Phishing Case StudiesJune 9, 20264 min readOzan İsmail Çolhak

Why Do Million-Dollar Castles Collapse With a Single Link? (Part 1)

How Google and Facebook lost $120 million to a single phishing campaign — and what traditional security tools missed.

PhishingCase StudyGoogleFacebookPhiSharkAI Security

In the cybersecurity industry, we are all living inside a major illusion.

Companies spend millions of dollars, deploy the most advanced firewalls, segment their networks, and build massive Security Operations Centers (SOCs). From the outside, you see an impenetrable, flawless corporate castle. But while most cybersecurity budgets are spent on technical infrastructure, many successful attacks still happen through the human factor. This is a massive contradiction that the industry often avoids facing.

Most of these million-dollar castles collapse with a single fake link, a single email, a single QR code, or a single PDF file that lands in front of an exhausted employee at the end of a long and busy day.

Because of this, attackers no longer need to spend all their energy hacking systems directly. Instead of spending months trying to break into a hardened server, it is much easier, cheaper, and more destructive to hack people's trust, fatigue, and momentary urgency. Unfortunately, traditional cybersecurity tools are naturally blind on this new front line.

Let's go down to the real front line of cybersecurity. In the first part of this three-part series, we will look at how some of the world's biggest companies were openly hunted.

The Blind Spot Behind Perfect Firewalls: The Google and Facebook Case

We are talking about two global giants that employ some of the best cybersecurity engineers in the world and use some of the most advanced AI-based filtering systems: Google and Facebook.

A cybercriminal targeted Quanta Computer, a major Taiwanese hardware manufacturer that had billion-dollar business relationships with both companies. This was not an ordinary "reset your password" email. The attacker spent days analyzing the companies' corporate email structures, real invoice templates, payment terms, and writing style, then copied them almost perfectly. After that, he purchased fake domain names that looked so similar to the original ones that it was almost impossible to notice the one-letter difference with the naked eye. Through these fake domains, he started sending fraudulent invoices to employees in the accounting departments.

From a cybersecurity perspective, what happened here? Why could this not be prevented?

Traditional Secure Email Gateways (SEGs) scanned these incoming emails. Corporate security tools mostly work with signature-based and reputation-based logic. There was no known malware inside the email. The links inside the messages were also brand-new, clean domains that had never appeared on any cyber threat intelligence blacklist before. The filters looked at historical data, decided that everything was "clean," and the emails landed in front of busy employees.

When employees saw the familiar invoice format from a supplier they had worked with for years, they did not suspect anything. The result? Google and Facebook transferred a total of 120 million dollars to the attacker's bank accounts after trusting those fake invoice emails.

What Would Have Changed If PhiShark Had Been There?

If those employees had PhiShark Browser Extension integrated into their browsers or their company email network, the system would not have acted like traditional tools and only asked, "Is this URL already known on a blacklist?"

PhiShark's Mail Protection and Real-Time URL Module would have started thinking like a cybersecurity analyst in the background within milliseconds of that invoice link being triggered. Our agentic AI analyst (AIPA) would have asked critical questions such as:

  • This domain was registered only 3 days ago. Why is it impersonating the name of a trillion-dollar hardware manufacturer?
  • Why do the sending server records not match the real infrastructure records of the impersonated brand?
  • Why are there structural anomalies in the redirection chain?

Even if the domain had no reputation history, PhiShark would have detected the attack from its live behavior and brand spoofing structure. When the employee clicked the link to pay the invoice, before their finger even lifted from the mouse, our extension would have stepped in, turned the screen red, and stopped the transaction. That 120 million dollars would have stayed inside the company.

Because the best firewall is the one that destroys the threat at the very first millisecond it appears on the employee's screen.

In the second part, we will examine how malicious PDF files that bypass traditional email filters can bring down major companies.

Stay safe. Download PhiShark.

By the way, if you would like to share technical feedback about the extension or talk about anything related to cybersecurity, you can always reach out to me on LinkedIn.

Oh, and the other parts are coming soon — we've got some wild stories lined up. Stay tuned. :D

Best, Ozan.