UPDATED 03:21 EST / AUGUST 25 2016

Whale phishing on the rise: Security industry exec offers advice

Whale phishing is on the increase globally, with no industry immune to an attack.

Whale phishing, a form of spear phishing also known as whaling, CEO Fraud or Business Email Compromise (BEC), involves cyber-attacks focused on the “big fish” or “whales” of the organization, such as the chief executive officer or chief financial officer. Cyber-criminals will attempt to gather sensitive information or possible company funds from these executives. Alternatively, they will masquerade as these executives to gather information or funds from unsuspecting employees.

Research conducted by cloud-based email management firm Mimecast Ltd. in March, based on responses from 436 IT experts at organizations in the U.S., U.K., South Africa, and Australia, shows the whaling threat is on the rise. Since the start of the year, 67 percent of respondents had seen an increase in attacks aimed at instigating fraudulent payments, while 43 percent had seen an increase in attacks specifically focused on obtaining confidential data such as HR records or tax information.

Organizations that have fallen prey to these or similar attacks include Seagate Technology LLC, where an employee was tricked into sending the income tax data of all employees after receiving what they assumed was a legitimate email request from CEO Stephen Luczo.

Messaging app Snapchat Inc. fell victim to a similar attack the month before, when an employee handed over payroll data after receiving what later turned out to be a fake request from CEO Evan Spiegel.

BEC scams have cost companies more than $2.3 billion in losses between October 2013 and February 2016, according to the Federal Bureau of Investigation. The victims of these attacks are spread across all U.S. states and at least 79 countries, and the FBI has seen a 270 percent increase in identified victims and exposed losses from BEC scams since January 2015.

Both Ubiquiti Networks Inc. and Scoular Co. were hit with substantial financial losses of $46.7 million and $17.2 million respectively after employees were tricked into transferring company funds to overseas bank accounts belonging to criminals.

In an interview with SiliconANGLE, Paul Everton, founder and CEO of MailControl, a provider of email security solutions, highlighted the most pressing email-related security concerns facing organizations today. Everton also shared a number of steps organizations and users can take to safeguard against whale phishing.

Top email-related security concerns

Currently, the top email-related security concerns facing organizations are “spear phishing and other social engineering scams,” which target the company’s human element, said Everton. Attackers first gather information about both the employees and the company through social media, company websites, and spymail. They then use it to trick unsuspecting employees into providing confidential documents, transferring funds, or taking similar actions.

“Often, the victim is tricked into giving up login credentials with which the attacker can do all kinds of damage,” said Everton. An example that is gaining in popularity in the run-up to the presidential elections is hacking activism or “hacktivism,” he said, whereby “attackers [use] stolen credentials to further a political agenda.”

Another example is ransomware, which he said is growing in popularity symbiotically with bitcoin.

How hackers use whale phishing and the industries most at risk

“Hackers can use information gained through spymail – email with [a] hidden tracking code that reveals information about the recipient such as where and when it was opened and forwarded – to determine when and where an executive is traveling for purposes of submitting a fraudulent money transfer request to her assistant,” said Everton.

While any industry can fall prey to a whale phishing attack, Everton said the most at-risk sectors include legal and healthcare, as well as educational institutions and government entities.

Recommendations to guard against whale phishing

Cybersecurity training

“While employee cybersecurity training is an integral component of any successful security strategy, it is especially crucial that a company’s top executives are properly trained on how to keep company information safe,” said Everton. He provided the following suggestions for executives:

  • Executives need to understand how to identify malicious email.
  • Executives should verify the sender prior to opening any attachments.
  • Executives should understand the risks associated with clicking on any suspicious links.

Secure funds transfer

As was the case with Ubiquiti Networks and Scoular, more and more companies are being tricked into sending company funds to accounts controlled by attackers. In an attempt to combat this, Everton suggested companies “have well-defined funds transfer procedures such as requiring all funds requests to be via a secure banking portal and not email.”

Anti-spymail solution

Regardless of whether or not a company offers the best cybersecurity training for its employees and top executives, Everton said, “human error will always pose a threat to company security,” since attackers know a lot about the company and its employees. Everton suggested companies implement an anti-spymail solution, which blocks hackers’ attempts to covertly gain this intelligence via innocuous-looking emails.
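As an added example, not code from the article or from MailControl, the Python checker below flags the indicators that the executive guidance above (verify the sender) and the anti-spymail advice describe: an executive's display name paired with an address outside the company domain, a Reply-To that diverts replies elsewhere, and a hidden tracking image. The sample message, TRUSTED_DOMAIN and EXECUTIVES are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a whaling-style message spoofing a CEO's display name,
# diverting replies to an outside mailbox, and carrying a hidden tracking pixel.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.com>
Reply-To: jane.doe.exec@freemail.example
To: assistant@example.com
Subject: Urgent wire request
Content-Type: text/html

<html><body>
<p>Please process the attached wire today and confirm by reply.</p>
<img src="https://track.example/pixel.gif?id=a1b2c3" width="1" height="1" style="display:none">
</body></html>
"""

TRUSTED_DOMAIN = "example.com"  # assumption: the organization's real mail domain
EXECUTIVES = {"jane doe"}       # assumption: names attackers are likely to impersonate

IMG_RE = re.compile(r'<img\b[^>]*\bsrc="(?P<src>https?://[^"]+)"[^>]*>', re.IGNORECASE)


def whaling_indicators(raw: str) -> list:
    """Return the whaling/spymail indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # 1. Executive display name, but the address is not on the company domain.
    if any(ex in name.lower() for ex in EXECUTIVES) and domain != TRUSTED_DOMAIN:
        findings.append(f"executive display name with external address: {addr}")
    # 2. Reply-To points to a different domain than the visible sender.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to domain differs from sender: {reply}")
    # 3. Remote images that are 1x1 or hidden: the spymail tracking pattern.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for m in IMG_RE.finditer(html):
        tag = m.group(0).lower()
        if 'width="1"' in tag or 'height="1"' in tag or "display:none" in tag:
            findings.append(f"hidden tracking image: {m.group('src')}")
    return findings


if __name__ == "__main__":
    for finding in whaling_indicators(SAMPLE_EMAIL):
        print("INDICATOR:", finding)
```

Run it against a mail gateway's quarantine or a user-reported message; any hit on the first two indicators is a cue to confirm the request out of band rather than by replying.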

Image credit: design516; Pixabay
