Phishing Scam Costs U.S. Department of Defense $23.5 Million in Damages

Discover how a $23.5 million phishing scam exploited the DoD’s vendor systems, highlighting the persistent threat phishing attacks pose even to the most secure organizations.

How a Phishing Scam Cost the U.S. Department of Defense $23.5 Million

In a stark reminder of phishing's pervasive threat, a 2018 phishing campaign diverted $23.5 million in U.S. Department of Defense (DoD) payments into accounts controlled by criminals. The scheme, led by Sercan Oyuntur with several conspirators, did not breach the DoD directly; it exploited the trust between the DoD and its vendors, showing that a high security environment is only as strong as the logins of the contractors that feed it. As phishing tactics continue to evolve in 2026, this case remains one of the most instructive examples of how social engineering can compromise even the most secure government systems.

In this post, we'll examine how this phishing attack unfolded, the critical vulnerabilities it revealed, and why phishing attacks remain a primary weapon for cybercriminals in 2026 and beyond.

Cloned Websites and Stolen Credentials

Between June and September 2018, the attackers targeted a series of DoD vendors with phishing emails that appeared to be government communications. One of the vendors that fell for them was a contractor responsible for supplying jet fuel to U.S. troops in southeast Asia. The emails led to a near-identical copy of the General Services Administration (GSA) website, which vendors use to manage their federal registrations. Because the interface looked familiar, vendors entered their login credentials without suspicion.

Once the attackers held those credentials, they logged in to the vendors' real accounts and changed the bank account on file, so that payments the DoD owed the vendors were routed to accounts the attackers controlled. By the end of the campaign they had rerouted $23,453,350 designated for jet fuel purchases into their own bank accounts.

Selecting High Value Targets: The Sophisticated Approach

What made this attack particularly insidious was the attackers' deliberate choice of targets. They didn't send emails randomly; instead, they specifically targeted vendors with high value contracts with the DoD. One key target was an employee in New Jersey, responsible for communicating with the government on behalf of their employer, a jet fuel supplier.

The attackers directed their efforts toward users of the System for Award Management (SAM), the GSA-run database where government contractors register and record their payment details. With a SAM user's stolen credentials, they could edit the banking details on the vendor's profile, replacing the vendor's account with one under their own control, and the change went through without any further check. Ultimately the DoD paid for 10,080,000 gallons of jet fuel into the criminals' account instead of the legitimate vendor's.

Lessons Learned: Persistent Vulnerabilities in High Security Environments

This attack exposed vulnerabilities that all organizations, including government entities, must take seriously. Here are key lessons that can help fortify defenses against sophisticated phishing schemes:

1. Double Check Domain Accuracy

The phishing emails came from a lookalike domain, "dia-mil.com", in which a hyphen and a .com suffix stand in for the dot of a legitimate .mil domain (dia.mil). Such a domain passes a quick glance, and because the attacker owns it, it can also pass SPF, DKIM and DMARC checks; what catches it is comparing the sender against the domains you actually expect. This underscores the importance of vigilance when reviewing email addresses and URLs. Tools like phishing simulators can train employees to spot such slight discrepancies, which may be crucial in preventing attacks. Consider implementing a phishing risk score trend system to measure awareness improvement over time.
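As an added illustration (not code from the original article or from Keepnet), here is a small Python triage check that flags lookalike sender domains against an allowlist of domains an organization expects government mail from. The allowlist contents, the homoglyph table and the edit-distance threshold are assumptions; "dia-mil.com" and "dia.mil" are the domains named in this article, and the sample From headers at the bottom are constructed.

```python
"""Lookalike sender-domain triage (added example; not the article's or Keepnet's code).

Assumptions: the allowlist below is what this organization expects government
mail from, and a domain within a small edit distance of an allowlisted one is
treated as suspicious. The sample headers at the bottom are constructed.
"""
import re

# Constructed allowlist. dia.mil, gsa.gov and sam.gov are the sites named in the article.
LEGITIMATE_DOMAINS = ("dia.mil", "gsa.gov", "sam.gov")

# Digit-for-letter substitutions commonly used in typosquats (illustrative, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Matches the address part of a From: header such as 'GSA <noreply@dia-mil.com>'.
ADDR_RE = re.compile(r"([^<>\s@]+)@([^<>\s]+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification: production code should consult the Public Suffix List so that
    multi-label suffixes (e.g. .co.uk) are handled correctly.
    """
    return ".".join(host.lower().strip(".").split(".")[-2:])


def sender_domain(from_header: str) -> str:
    """Return the domain of the address in a From: header value."""
    m = ADDR_RE.search(from_header)
    if not m:
        raise ValueError(f"no address found in From header: {from_header!r}")
    return m.group(2).lower()


def classify_domain(host: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in LEGITIMATE_DOMAINS:
        return "trusted", f"{host} is under allowlisted domain {reg}"
    for legit in LEGITIMATE_DOMAINS:
        # 1. Trusted name used as a subdomain of an attacker-controlled domain:
        #    sam.gov.portal-login.com
        if host.startswith(legit + "."):
            return "lookalike", f"{legit} appears as a subdomain of {reg}"
        # 2. Dot replaced by a hyphen under a different TLD: dia-mil.com vs dia.mil
        if reg.rsplit(".", 1)[0].replace("-", ".") == legit:
            return "lookalike", f"{reg} mimics {legit} with '-' in place of '.'"
        # 3. Digit-for-letter substitutions: g5a.gov vs gsa.gov
        if reg.translate(HOMOGLYPHS) == legit:
            return "lookalike", f"{reg} is a homoglyph of {legit}"
        # 4. One or two edits away (typosquat): gssa.gov vs gsa.gov
        if levenshtein(reg, legit) <= 2:
            return "lookalike", f"{reg} is within edit distance 2 of {legit}"
    return "unknown", f"{reg} is not allowlisted and resembles nothing on the list"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in ('"GSA Support" <noreply@dia-mil.com>',
                '"SAM.gov" <alerts@login.sam.gov>',
                '"SAM.gov" <alerts@sam.gov.portal-login.com>',
                '"GSA" <help@g5a.gov>',
                '"Vendor Desk" <ap@example.com>'):
        verdict, why = classify_domain(sender_domain(hdr))
        print(f"{verdict:9s} {hdr}: {why}")
```

The edit-distance rule is deliberately loose and will raise false positives on short domains, which is acceptable for a triage signal that routes a message to a reviewer but not for automatic blocking. Rule 1 is the one that catches "sam.gov.portal-login.com", a trusted name placed in front of an attacker-owned domain, which hovering over a link often does not reveal.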

2. Implement Multifactor Authentication (MFA)

Had MFA been required on the vendor portal, a captured password alone would not have logged the attackers in. MFA adds an essential layer of security by requiring a second form of verification. Bear in mind that a cloned login page can relay a one-time code typed into it just as easily as a password, so for high value government systems prefer phishing-resistant methods: in 2026, passwordless authentication and hardware security keys (FIDO2/WebAuthn), which bind the login to the genuine site, are increasingly recommended. Strengthen your multifactor authentication policies to reduce the risk of compromised accounts.

3. Train Vendors Alongside Internal Teams

Vendor relationships are an extension of any organization's cybersecurity. Even the most secure organizations are vulnerable when their vendors are unaware of phishing risks. Implement security awareness training for employees and vendors alike to ensure that all parties handling sensitive information are alert to phishing tactics. According to Verizon's 2025 DBIR, third party involvement in breaches reached 30%, making vendor training more critical than ever.

4. Adopt AI Powered Phishing Detection Tools

AI based security tools can identify phishing patterns, such as similar looking domains or high risk login behavior. The Keepnet Human Risk Management Platform offers advanced tools that simulate and detect phishing behaviors, empowering organizations to respond in real time. In 2026, AI crafted phishing emails achieve up to 54% click rates compared to 12% for human written ones, making AI powered defenses an essential investment.

5. Establish Payment Verification Protocols

The DoD attack succeeded in part because banking detail changes in the SAM system were not verified through a secondary channel. Organizations should require out of band verification for any change to payment or banking information: a callback to a contact number already on file (never one supplied with the change request), approval by a second person, and a hold before the new account receives its first payment. Learn more about protecting your financial workflows in our guide on government security awareness training.
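The control described in this lesson, applied to the SAM banking-detail change the attackers made, as an added example that is not part of the original article and not Keepnet's product code: a small Python model of a banking-change workflow in which a request submitted with valid credentials is held until it is confirmed by a callback to the number already on file, approved by a second person, and aged through a cooling-off period. The vendor ID, account numbers, user names, phone numbers and the three-day hold are constructed assumptions, and nothing here represents how SAM itself works.

```python
"""Out-of-band verification gate for vendor banking changes.
Added example, not code from the article, Keepnet, SAM or any real payment
system. All vendor IDs, account numbers, names, phone numbers and the
three-day hold are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str   # account currently paid
    phone_on_file: str  # recorded at onboarding; the only number a callback may use


@dataclass
class ChangeRequest:
    request_id: str
    vendor_id: str
    new_account: str
    requested_by: str        # portal identity that submitted it (may be a phished login)
    contact_in_request: str  # number the requester offered "for verification"; never trusted
    status: str = "pending"  # pending -> verified -> approved -> applied
    approved_on: Optional[date] = None


class PaymentChangeControl:
    def __init__(self, cooling_off_days: int = 3):
        self.vendors: dict[str, Vendor] = {}
        self.requests: dict[str, ChangeRequest] = {}
        self.cooling_off = timedelta(days=cooling_off_days)
        self.audit: list[str] = []

    def register_vendor(self, vendor: Vendor) -> None:
        self.vendors[vendor.vendor_id] = vendor

    def submit_change(self, req: ChangeRequest) -> str:
        # Valid credentials alone never change where money goes; the request is only recorded.
        self.requests[req.request_id] = req
        self.audit.append(f"{req.request_id}: {req.requested_by} requested change to {req.new_account}")
        return req.status

    def verify_out_of_band(self, request_id: str, number_called: str, verified_by: str) -> None:
        # A second person calls the number on file; anything else is rejected.
        req = self.requests[request_id]
        vendor = self.vendors[req.vendor_id]
        if req.status != "pending":
            raise ValueError(f"{request_id} is {req.status}, not pending")
        if verified_by == req.requested_by:
            raise ValueError("verifier must be independent of the requester")
        if number_called != vendor.phone_on_file:
            self.audit.append(f"{request_id}: callback to {number_called} rejected, not the number on file")
            raise ValueError("callback must use the contact number recorded before the request")
        req.status = "verified"

    def approve(self, request_id: str, approver: str, on: str) -> None:
        # Four-eyes approval, and only after out-of-band confirmation.
        req = self.requests[request_id]
        if req.status != "verified":
            raise ValueError("cannot approve a change that was not verified out of band")
        if approver == req.requested_by:
            raise ValueError("approver must be independent of the requester")
        req.status, req.approved_on = "approved", date.fromisoformat(on)

    def payment_account(self, vendor_id: str, on: str) -> str:
        """Account to pay on the given ISO date; pending or unverified requests never affect it."""
        vendor = self.vendors[vendor_id]
        today = date.fromisoformat(on)
        for req in self.requests.values():
            if (req.vendor_id == vendor_id and req.status == "approved"
                    and today >= req.approved_on + self.cooling_off):
                req.status, vendor.bank_account = "applied", req.new_account
        return vendor.bank_account


def run_scenario() -> dict[str, str]:
    """Replay the 2018 pattern against the gate and return what each step produced."""
    ctl = PaymentChangeControl()
    ctl.register_vendor(Vendor("VEND-001", "ACCT-VENDOR-1111", "+1-555-0100"))
    out = {}
    # Attacker with phished portal credentials swaps the account and offers their own number.
    ctl.submit_change(ChangeRequest("REQ-1", "VEND-001", "ACCT-ATTACKER-9999", "vendor_user", "+1-555-0199"))
    out["paid_while_pending"] = ctl.payment_account("VEND-001", "2018-07-10")
    try:
        ctl.verify_out_of_band("REQ-1", "+1-555-0199", "ap_clerk")  # clerk calls the attacker's number
        out["callback_to_requester_number"] = "accepted"
    except ValueError:
        out["callback_to_requester_number"] = "rejected"
    try:
        ctl.approve("REQ-1", "ap_manager", "2018-07-10")  # still unverified
        out["approve_unverified"] = "accepted"
    except ValueError:
        out["approve_unverified"] = "rejected"
    # Legitimate change: callback to the number on file, independent approval, cooling-off.
    ctl.submit_change(ChangeRequest("REQ-2", "VEND-001", "ACCT-VENDOR-2222", "vendor_user", "+1-555-0100"))
    ctl.verify_out_of_band("REQ-2", "+1-555-0100", "ap_clerk")
    ctl.approve("REQ-2", "ap_manager", "2018-07-12")
    out["paid_day_of_approval"] = ctl.payment_account("VEND-001", "2018-07-12")
    out["paid_after_cooling_off"] = ctl.payment_account("VEND-001", "2018-07-15")
    return out
```

The point of the model is that the attacker's request (REQ-1) is never more than a pending row: the disbursement on 2018-07-10 still goes to the vendor's original account, the callback to the number the attacker supplied is refused, and approval without a confirmed callback is refused. The legitimate change only becomes payable once the cooling-off period has elapsed, which gives the real vendor time to notice an unexpected confirmation call.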

Why Phishing Remains a Persistent Threat in 2026

Despite advances in cybersecurity, phishing attacks continue to rise. According to the FBI's 2025 Internet Crime Report, the IC3 received 1,008,597 complaints, with phishing/spoofing once again the most frequently reported crime type. Total cyber enabled fraud losses reached nearly $21 billion in 2025, up sharply from $16.6 billion in 2024. In the 2024 report, phishing and spoofing alone accounted for 193,407 complaints, more than double the next most common category.

In 2026, AI powered phishing campaigns are dramatically increasing attack success rates, making human behavior the most critical security variable. Organizations can assess their exposure using Keepnet's free phishing simulation test to establish a baseline human risk score.

Steps to Safeguard Your Organization Against Phishing

To protect against phishing, organizations need to employ a multifaceted approach that addresses both technology and human factors:

  1. Regular Security Awareness Training: Educate all employees on identifying phishing signs, even in emails appearing from trusted sources. Use Keepnet's Phishing Simulator to run simulated phishing campaigns that reinforce learning in real world scenarios.
  2. Strong Authentication Practices: Enforce strong, unique passwords across systems and implement MFA for all accounts, especially for vendors and contractors with access to critical information.
  3. Secure Vendor Management: Since vendors are a part of your security ecosystem, they should receive the same level of phishing awareness training as your internal team.
  4. Use of Phishing Detection Tools: Consider investing in AI driven solutions like Keepnet's Phishing Incident Responder to detect and respond to phishing attempts before they reach employees.

The Takeaway

The 2018 DoD phishing attack highlights the continued need for vigilance, training, and advanced cybersecurity solutions in today's digital landscape. Phishing is not only a threat to small businesses but also to high security government entities, demonstrating that no organization is immune. By strengthening security awareness among all stakeholders and leveraging the right technology, organizations can better defend against increasingly sophisticated phishing attacks.

What Teams Should Do Next

A scam like the DoD payment diversion becomes harder to stop when users only learn definitions and never practice decisions. The strongest defense is to pair awareness with clear operational habits such as verification, reporting, and escalation rules that people can follow when a message, page, or call feels urgent.

In practice, teams get the best results when they focus on realistic scenarios. Users should know how the attack fits into normal workflows, what signal is easiest to miss, and which response path is safest when they are unsure.

Keepnet teams usually see failure rates drop when the scenario is mapped to a real workflow such as payment approval, login recovery, or document review. What gets missed most often is not the threat label. It is the small trust cue, such as a familiar looking portal or a routine sounding request to update banking details, that makes the fraud feel routine.

Keepnet Checklist

  • Teach the scenario in the context of real business workflows, not as an isolated scam label.
  • Show users how to verify unusual requests and where to report them quickly.
  • Measure report quality and response speed alongside failure rates.
  • Refresh examples so they match current tools, brands, and attacker behavior.

Editor's Note: This article was updated on April 13, 2026.

Frequently Asked Questions

1. What was the DoD $23.5 million phishing scam?

Between June and September 2018, attackers led by Sercan Oyuntur impersonated the General Services Administration website and sent phishing emails to DoD vendors. By stealing vendor credentials and altering banking details in the SAM system, they redirected $23,453,350 of DoD payments into their own accounts.

2. How did the attackers clone the GSA website?

The attackers hosted a near-identical replica of the General Services Administration portal on a lookalike domain, "dia-mil.com", chosen to resemble a legitimate .mil domain (dia.mil). Vendors who followed the emailed link entered their credentials without noticing the difference in the URL.

3. What is the System for Award Management (SAM) and why was it targeted?

SAM is the official U.S. government database where contractors register to do business with federal agencies. It stores banking and payment details for vendors. By compromising SAM credentials, attackers could change where the DoD sent payments, making it a high value target.

4. Could multifactor authentication have prevented this attack?

Very likely. Had MFA been enforced on the SAM portal, stolen passwords alone would not have been sufficient for the attackers to log in and modify vendor banking records. MFA remains one of the most effective controls against credential based phishing attacks, with one caveat: a cloned login page can relay a one-time code as easily as a password, so phishing-resistant methods such as hardware security keys or passkeys are the stronger choice.

5. Are government agencies still vulnerable to phishing in 2026?

Absolutely. According to the FBI's 2025 IC3 Report, phishing/spoofing remains the most reported cybercrime in the United States. Government impersonation fraud has surged, with the FBI and India's CBI making over 215 arrests through joint operations in 2024 alone.

6. What is domain spoofing and how can I detect it?

Domain spoofing covers two related tricks. In the first, the attacker registers a domain that closely resembles a legitimate one (e.g., "dia-mil.com" instead of "dia.mil") and sends mail from it; in the second, the attacker forges the From address so that it shows the real domain. Employees can catch the first by hovering over links before clicking and checking the full URL in the browser bar. Email authentication standards (SPF, DKIM and DMARC) let receiving servers reject the second, but they do nothing against a lookalike domain the attacker actually owns, which can pass all three checks.
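To make the distinction in this answer concrete, here is an added Python example (not code from the article or from Keepnet) that reads the Authentication-Results header a receiving mail server adds, checks whether the SPF or DKIM pass is aligned with the From domain the way DMARC requires, and then checks whether the display name claims a sender whose domain does not match. It assumes the server strips any Authentication-Results header arriving from outside before adding its own, since otherwise the header can be forged. The three messages and the brand-to-domain table are constructed; gsa.gov and dia-mil.com are the domains named in this article.

```python
"""Email authentication triage: SPF/DKIM/DMARC alignment plus a display-name check.
Added example; not the article's or Keepnet's code.

Assumes the receiving mail server added the Authentication-Results header
(RFC 8601) after stripping any copy that arrived from outside. The sample
messages and BRAND_DOMAINS table are constructed.
"""
import email
import re
from email.utils import parseaddr

# Constructed: the domain a sender must use when its display name claims this identity.
BRAND_DOMAINS = {"general services administration": "gsa.gov", "sam.gov": "sam.gov"}


def parse_auth_results(value: str) -> dict[str, dict[str, str]]:
    """Parse 'authserv; method=result prop=val ...; ...' into {method: {"result": ..., prop: ...}}."""
    value = re.sub(r"\([^)]*\)", " ", value)  # drop (comments) such as key sizes or IPs
    results = {}
    for stanza in value.split(";")[1:]:       # element [0] is the authserv-id
        tokens = stanza.split()
        if not tokens:
            continue
        method, _, result = tokens[0].lower().partition("=")
        props = {"result": result}
        for tok in tokens[1:]:
            key, _, val = tok.lower().partition("=")
            props[key] = val
        results[method] = props
    return results


def org_domain(d: str) -> str:
    """Relaxed-alignment approximation: last two labels (use the Public Suffix List in production)."""
    return ".".join(d.lower().strip(".").split(".")[-2:])


def assess(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    spf, dkim, dmarc = ar.get("spf", {}), ar.get("dkim", {}), ar.get("dmarc", {})
    # A pass only counts if it is for the domain shown in From: (DMARC alignment).
    spf_aligned = spf.get("result") == "pass" and org_domain(spf.get("smtp.mailfrom", "")) == org_domain(from_domain)
    dkim_aligned = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == org_domain(from_domain)
    authenticated = spf_aligned or dkim_aligned
    expected = next((d for brand, d in BRAND_DOMAINS.items() if brand in display.lower()), None)
    brand_mismatch = expected is not None and org_domain(from_domain) != expected
    if not authenticated or dmarc.get("result") == "fail":
        verdict = "reject"      # From: domain forged or unauthenticated
    elif brand_mismatch:
        verdict = "suspicious"  # genuinely from its domain, but that domain is not the claimed sender's
    else:
        verdict = "pass"
    return {"from_domain": from_domain, "display_name": display, "authenticated": authenticated,
            "dmarc": dmarc.get("result", "none"), "brand_mismatch": brand_mismatch, "verdict": verdict}


# Constructed sample messages, as the receiving server would see them after adding its header.
LOOKALIKE_MSG = """\
From: "General Services Administration" <noreply@dia-mil.com>
To: contracts@vendor.example
Subject: Action required: confirm your SAM registration
Authentication-Results: mx.vendor.example; spf=pass smtp.mailfrom=dia-mil.com;
 dkim=none; dmarc=none header.from=dia-mil.com

Log in at the link below to keep your registration active.
"""
SPOOFED_MSG = """\
From: "General Services Administration" <noreply@gsa.gov>
To: contracts@vendor.example
Subject: Payment profile update
Authentication-Results: mx.vendor.example; spf=fail smtp.mailfrom=gsa.gov;
 dkim=fail header.d=gsa.gov; dmarc=fail header.from=gsa.gov

Your banking details must be re-entered today.
"""
LEGIT_MSG = """\
From: "General Services Administration" <notifications@gsa.gov>
To: contracts@vendor.example
Subject: Registration renewal reminder
Authentication-Results: mx.vendor.example; spf=pass smtp.mailfrom=gsa.gov;
 dkim=pass (2048-bit key) header.d=gsa.gov; dmarc=pass header.from=gsa.gov

Your registration expires in 60 days.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(name, assess(raw))
```

Note what the three verdicts show: the direct forgery of gsa.gov fails SPF, DKIM and DMARC and can be rejected outright, while the lookalike message authenticates cleanly, because SPF and DKIM only prove the mail really came from dia-mil.com, not that dia-mil.com belongs to the GSA. That is why it is marked suspicious by the display-name check rather than rejected by the authentication checks, and why a lookalike domain needs its own detection.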

7. How can organizations protect vendor relationships from phishing?

Organizations should extend their security awareness programs to third party vendors, require out of band verification for banking or payment changes, and include vendors in phishing simulation exercises. According to Verizon's 2025 DBIR, third party involvement in breaches reached 30%.

8. What role does AI play in modern phishing attacks?

In 2026, AI generated phishing emails achieve click rates of up to 54%, compared to 12% for human written ones. Attackers use large language models to craft personalized, error free phishing messages at scale. AI is also used for deepfake voice and video impersonation, making identity verification more important than ever.

9. What should employees do if they suspect a phishing email?

Employees should not click any links or download attachments. They should report the email immediately using a dedicated phishing reporting tool and notify their security team. Keepnet's Phishing Incident Responder allows one click reporting and speeds up security team response by up to 168x.

10. How can I test my organization's phishing susceptibility?

You can start with Keepnet's free phishing simulation test to get a baseline human risk score. This test simulates real world phishing scenarios and provides actionable insights into which employees and departments are most vulnerable.