Phishing attacks of varying sophistication have plagued businesses of all sizes, especially in recent years. The FBI reported that from October 2013 to February 2016 there were over 17,642 victims of business email scams, with total losses exceeding $2.3 billion. Not all phishing schemes work the same way, and some attacks go so far as to impersonate positions of authority within your own company in order to trick your staff.
These threats, known as whaling schemes, are dangerous and often difficult to identify and defend against. Compared to a traditional phishing attack, which casts a wide net, a whaling attack is designed to bring in a single big haul rather than a lot of empty nets. By masquerading as you (or another member of your executive staff), the attacker uses a plausible, urgent message to convince an employee, usually someone responsible for corporate finances, to send a wire transfer.
Whereas traditional phishing messages usually carry a malicious URL or file attachment, whaling attacks are pure social engineering. Their success depends on the recipient's willingness to go along with the request, which, let's face it, often happens when the request appears to come from someone in authority. People want to please their bosses and avoid confrontation whenever possible, so complying with a well-crafted whaling message can feel like the natural thing to do.
Whaling attacks are becoming such a big problem that the FBI has issued a warning:
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
In one reported case, a finance executive at Mattel wired more than $3 million to the Bank of Wenzhou in China in response to an email purportedly from Mattel's new CEO, Christopher Sinclair. Sinclair had not requested the transaction, which immediately made clear that something had gone badly wrong. According to CBS News, most of the money stolen through whaling attacks passes through banks in China or Hong Kong, particularly because of China's refusal to cooperate in resolving money-laundering cases.
Here are a few other examples of what a whaling attack may look like, courtesy of CIO and Mimecast:
Note that in many cases like the ones above, attackers deliberately register email domains that closely resemble the target organization's own. The differences are small and easily overlooked rather than glaring mistakes: a digit standing in for a letter, or a letter doubled where it should appear once. In general, you want your organization's employees to treat unexpected requests that arrive by email with suspicion.
Remember that whaling attacks are not random attacks that happen to slip through your business's defenses; they are targeted attempts built specifically against your organization. Attackers research your chain of command in detail and impersonate senior staff in a deliberate attempt to defraud your business. Because the emails are tailored to your organization, and because they rarely carry malicious links or attachments, even enterprise-grade spam filters struggle to keep them out of inboxes. And consider how it would look if your own name were attached to a successful whaling scam; it would be embarrassing, to say the least.
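The lookalike-domain tricks described above can be caught mechanically at the mail gateway. The following is an added example, not code from the original article: it normalizes a sender domain (digits that stand in for letters, doubled letters, two-letter pairs that read as one letter, accented confusables), compares it with the company's domain by normalized equality and by edit distance, and also flags an executive's display name appearing on an external address or a Reply-To that points somewhere other than the From domain. The company domain, the executive names and the sample headers are all constructed assumptions for illustration.

```python
# Added example: flag inbound mail whose sender domain is a lookalike of the
# company's own domain, or whose display name is an executive's while the
# address is external. The domain, the executive names and the sample headers
# are constructed for this example; they are not from the article.
import re
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional

COMPANY_DOMAIN = "example-corp.com"                 # assumption: the protected domain
EXECUTIVES = {"alex rivera", "sam okafor"}          # assumption: names worth spoofing, lower-cased

# Single-character swaps that read like the letter they replace.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Letter pairs that look like one letter in many fonts.
PAIRS = {"rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Collapse common lookalike tricks so near-miss domains compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()         # drop accented/Unicode confusables
    d = d.translate(HOMOGLYPHS)
    for pair, letter in PAIRS.items():
        d = d.replace(pair, letter)
    d = re.sub(r"(.)\1+", r"\1", d)                  # "corpp" -> "corp" (extra repeated letter)
    return d.replace("-", "").replace("_", "")       # "example-corp" == "examplecorp"


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(domain: str) -> Optional[str]:
    """Why `domain` resembles COMPANY_DOMAIN, or None if it is the real domain or unrelated."""
    if domain == COMPANY_DOMAIN:
        return None
    if normalize(domain) == normalize(COMPANY_DOMAIN):
        return "lookalike domain (digit/doubled-letter/confusable variant)"
    if levenshtein(domain, COMPANY_DOMAIN) <= 2:
        return "lookalike domain (edit distance <= 2)"
    return None


def assess(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a message looks like executive impersonation (empty = clean)."""
    reasons: List[str] = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reason = lookalike_reason(domain)
    if reason:
        reasons.append(reason)
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample headers (not real messages).
SAMPLE_MESSAGES = [
    {"From": "Alex Rivera <arivera@example-corp.com>"},                       # genuine
    {"From": "Alex Rivera <arivera@examp1e-corp.com>"},                       # digit 1 for l
    {"From": "Alex Rivera <alex.rivera.ceo@webmail.example>",
     "Reply-To": "alex.rivera.ceo@webmail.example"},                          # free-mail impersonation
    {"From": "Accounts Payable <ap@example-corpp.com>",
     "Reply-To": "ap@relay.example.net"},                                     # doubled letter + reply hijack
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess(msg) or "no findings")
```

The normalization is deliberately aggressive (it collapses every doubled letter, not only the one the attacker added), which is fine because both the suspect domain and the real one go through the same function; the edit-distance rule then picks up variants the normalizer does not know about, including non-ASCII confusables that are stripped rather than mapped. In production the executive list and domain come from the directory, and a hit should quarantine or banner the message rather than silently drop it.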
The FBI recommends the following course of action be taken if you are the victim of an email-based business scam:
- Contact your financial institution as soon as possible.
- Request that they contact the financial institution to which the transfer was sent.
- File a complaint with the IC3.
Of course, the best way to handle a potential threat is to avoid it altogether, if at all possible. By educating your employees on how to identify and respond to email scams, you can stop these messages from achieving their purpose. Rather than rushing into a decision prompted by a whaling email, employees should be taught to calmly assess the situation. Here are some ideas for preventing whaling scams from harpooning your organization's profits:
- Drill best practices into your staff through regular training sessions and workshops.
- Emphasize the importance of cross-checking contact information, such as email addresses and phone numbers, against your own directory (not against details supplied in the email) before acting on an unusual transfer request.
- Create a defined workflow for authenticating any irregular wire transfer, so that a single urgent email is never enough on its own to move money.
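One way to turn the last two items into an enforceable control is to encode them as an authorization check that finance runs before releasing any payment. The block below is an added example, not the article's own procedure: it treats the HR/IT directory as the only source of callback numbers, refuses confirmations made to a number that was not taken from that directory, and requires dual approval above a threshold and extra verification for a beneficiary it has not seen before. The threshold, the directory entries, the vetted-vendor list and the request shape are all assumptions for illustration.

```python
# Added example: a wire-transfer authorization check that encodes the controls
# the list above recommends. This is not the article's procedure; the threshold,
# the directory contents and the request shape are assumptions for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DUAL_APPROVAL_THRESHOLD = 10_000        # assumption: amounts above this need two approvers

# Directory of record (assumed to come from HR/IT, never from the email itself).
DIRECTORY: Dict[str, str] = {
    "arivera@example-corp.com": "+1-555-0100",   # CEO
    "cfo@example-corp.com": "+1-555-0101",
}
KNOWN_BENEFICIARIES: Set[str] = {"ACME Supplies Ltd"}   # assumption: already-vetted payees


@dataclass
class TransferRequest:
    requester_email: str                 # address the request claims to come from
    amount: float
    beneficiary: str
    callback_number: Optional[str]       # number finance actually dialled to confirm
    confirmed_by_callback: bool
    approvers: Set[str] = field(default_factory=set)


def authorize(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Return (approved, problems). Any problem blocks the transfer."""
    problems: List[str] = []
    requester = req.requester_email.lower()

    # 1. The requester must exist in the directory of record.
    directory_number = DIRECTORY.get(requester)
    if directory_number is None:
        problems.append("requester address not in directory of record")
    # 2. Confirmation must be out of band, to the directory number, not to a
    #    number supplied in the email (attackers include their own).
    elif not req.confirmed_by_callback:
        problems.append("no out-of-band confirmation")
    elif req.callback_number != directory_number:
        problems.append("callback went to a number not taken from the directory")

    # 3. Irregular destinations and large amounts get extra control.
    if req.beneficiary not in KNOWN_BENEFICIARIES:
        problems.append("new beneficiary: verify banking details before payment")
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(req.approvers) < 2:
        problems.append("dual approval required above threshold")
    if requester in {a.lower() for a in req.approvers}:
        problems.append("requester cannot approve their own transfer")

    return (not problems, problems)


if __name__ == "__main__":
    # Constructed requests (not real transactions).
    genuine = TransferRequest("arivera@example-corp.com", 25_000, "ACME Supplies Ltd",
                              "+1-555-0100", True,
                              {"cfo@example-corp.com", "controller@example-corp.com"})
    urgent_ceo = TransferRequest("arivera@example-corp.com", 25_000, "New Vendor Ltd",
                                 "+1-555-0199", True, {"cfo@example-corp.com"})
    for r in (genuine, urgent_ceo):
        print(r.beneficiary, authorize(r))
```

The important design point is the order of the checks in step 2: an email that says "call me on this number to confirm" is satisfied by a confirmation to that number, but the control is only satisfied by a confirmation to the number the directory already held, which is the distinction the cross-checking advice above is meant to enforce.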