The global rise of whaling attacks hasn't failed to affect Australian companies, with losses from local targeted attacks ranging from $5000 to $400,000, according to cases revealed to email security firm, Mimecast.
As the next step up from spear phishing – whaling is a form of business email compromise (BEC). It involves cybercriminals impersonating the CEO, CFO or other high ranking business authority to dupe employees into making fraudulent payments or unwittingly share confidential data.
The main targets of whaling attacks are staff from finance and accounting departments that are entrusted with sensitive employee information and undertaking money transfers.
The genius behind the attacks lies in the detailed research undertaken by hackers, who utilise public information about the company and its employers, particularly via social media. From this they can determine which employees handle money transfers and whom they should impersonate.
As tax time approaches for Australians, whaling attempts could see a dramatic upswing as requests for tax forms and sensitive financial information will naturally be on the rise.
A survey by Mimecast last month found that since January 2016, 67 per cent of respondents (from Australia the US, South Africa, and the UK) had seen an increase in attacks designed to instigate fraudulent payments since January, and 43 per cent saw an increase in attacks specifically asking for confidential data like HR records or tax information.
“We're certainly seeing lots of multi-staged, well-planned and well-informed attacks, and they’re often aimed squarely at the C-suite,” says Ben Adamson, a tech lead with Mimecast.
But how can employees spot a whaling email? Traditional spam and malware filters are often no match for these attacks, which generally don't include malicious links or attachments. But no matter how carefully planned these social engineering scams are, there are some give aways to save you from ever encountering your own white whale:
1. Carefully inspect the address
Yes, the email seems to have come from a name that matches your boss, but look again.
You should be suspicious if the email address used does not resemble the usual contact point for that executive, or anyone else in the company. According to Adamson, sometimes identifying a whaling email is as simple as a dodgy address.
“Is it your domain name? Is the spelling of the company correct? Is the person’s name correct? You need an extra layer of diligence there,” Adamson says.
While some fake addresses are fairly laughable, often a fake domain can appear very similar to a legitimate one, with familiar symbols or an extra letter, so read carefully. According to Mimecast research, domain-spoofing is the most popular attack type, occurring in 70 per cent of recent whaling attacks. This handy slideshow of whaling attempts provides some good examples of what to look for.
2. Be wary of unusual language or activity
In more advanced attacks, the hackers can compromise the real email account of a company's CEO or CFO by using phishing or malware. This allows them to contact employees using their actual email address. But there are still some signs to be wary of.
Though the email is designed to sound as similar as possible to that of the person being impersonated - following extensive research into the company workflow and communication styles - sometimes the language and phrasing might be slightly off. Suspicion over a misspelled word or an abrupt request shouldn’t be ignored.
It is also worth checking the whereabouts of the executive making the request – are they in the office? Perhaps they’re out at a business lunch, or on a plane to Hong Kong where they can’t be contacted or be expected to intervene.
“Often attackers will be monitoring the activities of the CEO via sites like TripIt to note when they plan to travel, so they can send whaling emails at a time the real CEO cannot be contacted and can’t take action,” says Adamson.
3. Don't be tempted to neglect protocol
Scammers can also take the form of a foreign business partner or supplier seeking payment, or a customer seeking money or personal information. The threat of losing important partners or clients if their demands are not met makes it tempting for busy employees to bypass usual practice.
“You'll have the customer asking for a release of funds, which could be timed around when the CEO is on a flight, so because they’re not available to confirm or approve that action, you'll see that pressure being stepped up again and again,” says Adamson.
“The recipient is there thinking, 'am I going to lose a customer, if I don't make this transfer?’ but on the other hand, obviously wanting to do the right thing, in terms of process in the organisation.
“It's a really strong social engineering mechanism, where they're playing off emotions and long term relationships between customers and organisations.”
Adamson adds that a hacker’s aim is often to target workers who are time poor, and thus are unlikely to think 'should I open this link or not?' or ‘should I trust this account?’ because they just want to get through their inbox.
“Those executives are a little bit more prone because they just need to get on with it and do what they need to,” says Adamson.
Instead of expecting busy workers to check every avenue before complying to email requests, consider implementing some new layers of procedure for extra security. This could be the use of a code word for transactions over a certain size, or ruling that requests for sensitive information must be done in person or over the phone, or should involve a third party CC’d in for confirmation.
4. Get email scanning software
Vendors such as Mimecast, Proofpoint and Cloudmark are working to provide new tools to combat whaling. Security software, Impersonation Protect, by Mimecast, uses advanced scanning techniques to monitor company email traffic for keywords like ‘wire transfer,’ ‘tax form’ or ‘urgent’, and other elements commonly used by criminals, including suspicious addresses and domain names.
The software allows IT administrators and security organisations to block suspicious emails, or choose to display additional security warnings and prompts for greater employee awareness.
Though ensuring user education around these attacks makes for a strong security foundation, the additional use of prompts to remind people, or caution them of the risks, can provide an extra nudge in the right direction and help IT and security teams to avoid singling out people that have fallen victim to whaling or phishing attacks.
“People are often left feeling a bit affronted by the fact that they have been tricked and don’t want to be singled out for it,” says Adamson.
“Someone may have clicked on a malicious URL, so the IT team is required to communicate back into the business that a particular stakeholder has clicked on a link, therefore it’s a reminder to every one of the risks.
“A softer option takes away that punitive feel. Having that integrated mechanism around identifying suspicious emails means you can then have that person bring the conversation to you.”
A real and growing threat
Whaling should be taken very seriously by business leaders around the world. According to an alert issued earlier this month by the FBI, 17,642 organisations from the US and 79 other countries have fallen victim to whaling attacks, with combined losses amounting to over $2.3 billion between October 2013 and February 2016 alone. Additionally, since January 2015 there has been a 270 per cent rise in the number of whaling victims and losses.
In March, AP reported that back in 2015, a finance executive from toy maker Mattel wired $3 million to a bank in China after falling victim to a whaling scam. In February, a Snapchat employee in HR also fell prey to a whaling scheme when responding to a seemingly normal request for employee payroll data; Belgian bank Crelan lost a whopping €70 million following similar attacks, and this is just some of many examples this year.
“Whaling is a particularly insidious attack and has proven lucrative by successfully targeting specific teams and individuals that attackers have researched via social media. It catches out even the most cautious people,” says Peter Bauer, Mimecast chief executive.
“Without the right protection, organisations are losing millions of dollars and exposing data to fraudsters.”