A whaling attack targets an organization's finance department by impersonating senior executives and requesting a payment.
As whaling attacks increase through targeted malicious emails, you should be aware of some alarming stats. Whaling attacks have increased 55% since 2015, and in over 70% of them the attackers use domain spoofing to trick employees into making a payment. Security professionals have also found that 72% of these attacks impersonate the CEO.
A form of spear phishing, whaling attacks are the more targeted and more purposeful version of phishing emails. They appear as an internal or personal email, often complete with footers and corporate branding, and reflect the language and tone of the person they are pretending to be. When executed properly, they look legitimate.
So who are some of the known victims recently of whaling attacks?
- The CEO of FACC Operations GmbH, an Austrian aircraft parts manufacturer, was fired after the company lost €40.9 million (£31 million) to a whaling attack.
- In 2016, a high-ranking Snapchat employee was emailed by a cybercriminal impersonating the CEO and was fooled into revealing employee payroll information.
- Also in 2016, an executive at Seagate unknowingly answered a whaling email requesting the W-2 forms for all current and former employees, resulting in a breach of income tax data for nearly 10,000 current and former Seagate employees.
The FBI stated whaling scams have cost companies more than $2.3 billion in losses over the past three years. 17,642 organisations from the US and 79 other countries have fallen victim to a whaling attack.
These attacks range in complexity, from very poorly executed to extremely intelligent attacks that are well focused and executed. Cybercriminals invest a lot of time and effort to identify the corporate structure within their victims. They then use social engineering to manipulate employees into wiring funds to attacker-controlled bank accounts. Once the employee has been tricked into making the payment, the criminals immediately withdraw or transfer the funds, leaving little chance to recoup them.
Most whaling attacks rely on a technique called email spoofing, where a generic email is disguised to look like it comes from the senior executive. Email security software can now block many spoofed emails, so attackers are increasingly compromising the real account instead, using brute-force attacks (password guessing) against the executive's mailbox or tailored phishing that manipulates the executive into disclosing their email password.
Once email access is established, the cybercriminal will monitor conversations and learn the executive's language and tone before sending targeted emails requesting plausible payments from finance departments or personal accountants.
A whaling attack is mostly focused on electronic fund transfers; however, there has been an increase in cybercriminals using the same approach to steal confidential information and to gain access to other systems.
How do you protect your business from a Whaling Attack?
- Review and create a business process on payment requests.
Many companies have implemented a policy that requires multiple confirmations, or verbal confirmation, on all payments over a predefined amount. The FBI has warned that attackers often request small amounts as a test run ($500, $1,000, etc.) and, if that succeeds, follow up with requests for much larger amounts once they have learned your behavior.
- Develop systems to protect information and access to other systems.
You should educate your entire staff on whaling attacks and have a policy on how to handle them. One of the best lines of defense is educating employees to understand social engineering methods as this will increase their chances to spot possible attacks.
- Use a different complex password for your email account.
Do not use the same password on your network as you use for other online services such as Facebook, LinkedIn, Twitter, etc. Also, do not share your password with other employees electronically. A request for your password is often itself a spoofed email sent to start the process for a whaling attack.
- Identify a spoofed email address
When an email is spoofed, you will notice the display name is the same but the email address differs slightly to confuse the reader. Example: Instead of getting an email from "John Smith firstname.lastname@example.org", you will get a spoofed email from "John Smith email@example.com". Notice how the extra "c" hides very well in the spoofed email address. Check the actual address behind the display name, not just the name.
- Use proactive email security and next-generation firewalls.
You need to ensure with your IT department or managed IT services provider that your company is staying ahead of the security threats. You can reduce spoofed emails with a proactive security procedure including all steps listed above as well as a next-generation firewall protecting your network.
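The checks described above (an executive's display name on an external address, a lookalike domain differing by a character or two, a Reply-To that points somewhere other than the From domain, and an exact-domain spoof that fails DMARC) can be scripted against incoming mail headers. The following is an added example, not code from the original page or from any product it mentions. It assumes the organization's domain is example.org, that the protected executive's display name is "John Smith", and that the mail gateway stamps an Authentication-Results header with the DMARC result; the four sample messages are constructed for the demonstration.

```python
import email
from email.utils import parseaddr

ORG_DOMAIN = "example.org"          # assumption: the organization's own mail domain
EXEC_NAMES = {"john smith"}         # assumption: display names worth protecting
LOOKALIKE_MAX_DISTANCE = 2          # one or two character edits counts as a lookalike


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch domains such as exampple.org."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw_message):
    """Return a list of reasons the message looks like a whaling attempt (empty = clean)."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons = []

    # 1. Executive display name, but the address is not on our domain.
    if name.strip().lower() in EXEC_NAMES and from_dom != ORG_DOMAIN:
        reasons.append(f"executive name '{name}' sent from external domain {from_dom}")

    # 2. Domain is a near miss of ours (extra, missing or swapped characters).
    if from_dom != ORG_DOMAIN:
        dist = edit_distance(from_dom, ORG_DOMAIN)
        if 0 < dist <= LOOKALIKE_MAX_DISTANCE:
            reasons.append(f"lookalike domain {from_dom} (edit distance {dist} from {ORG_DOMAIN})")

    # 3. Replies would go to a different domain than the one the mail claims to be from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if domain_of(rt_addr) != from_dom:
            reasons.append(f"Reply-To {rt_addr} does not match From domain {from_dom}")

    # 4. Claims to be our own domain but the gateway did not record a DMARC pass
    #    (assumption: the gateway stamps Authentication-Results on inbound mail).
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom == ORG_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("internal From domain without a DMARC pass")

    return reasons


# Constructed sample messages, not real traffic.
SAMPLES = {
    "legit": """\
From: John Smith <john.smith@example.org>
To: finance@example.org
Authentication-Results: mx.example.org; dmarc=pass header.from=example.org
Subject: Q3 budget

Please send me the Q3 numbers when you have them.
""",
    "lookalike": """\
From: John Smith <john.smith@exampple.org>
To: finance@example.org
Subject: Urgent wire

Need a wire sent today, will send details shortly.
""",
    "display_name": """\
From: "John Smith" <john.smith.ceo@freemail-example.com>
To: finance@example.org
Subject: Quick favour

Are you at your desk? I need a payment processed.
""",
    "reply_to": """\
From: John Smith <john.smith@example.org>
Reply-To: accounts@other-example.net
To: finance@example.org
Authentication-Results: mx.example.org; dmarc=fail header.from=example.org
Subject: Invoice

Please pay the attached invoice and confirm by reply.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        flags = analyze(raw)
        print(f"{label}: {'SUSPICIOUS' if flags else 'ok'}")
        for reason in flags:
            print(f"  - {reason}")
```

Only the first sample passes clean; the others each trip one or more of the checks that the list above describes. The edit-distance threshold and the executive name list are the two knobs to tune for a real deployment, and the DMARC check only works when the receiving gateway actually performs DMARC evaluation and records it.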
Is your business safe and protected from a whaling attack?
Let our complimentary network and security assessment put your security to the test.