Whale phishing on the rise: Security industry exec offers advice

Whale phishing, also known as whaling, CEO Fraud or Business Email Compromise (BEC), is on the increase globally with no industry immune to an attack.

Whale phishing, a form of spear phishing, involves cyber attacks focused on the ‘big fish’ or ‘whales’ of the organization, such as the CEO or CFO. Cybercriminals attempt to gather sensitive information or company funds from these executives. Alternatively, they masquerade as these executives to gather information or funds from unsuspecting employees.

Research conducted by cloud-based email management firm Mimecast Ltd. in March, based on responses from 436 IT experts at organizations in the U.S., U.K., South Africa, and Australia, shows the whaling threat is on the rise. Since the start of the year, 67 percent of respondents had seen an increase in attacks aimed at instigating fraudulent payments, while 43 percent had seen an increase in attacks specifically focused on obtaining confidential data such as HR records or tax information.

Organizations that have fallen prey to these or similar attacks include Seagate Technology LLC, where an employee was tricked into sending the income tax data of all employees after receiving what they assumed was a legitimate email request from CEO Stephen Luczo.

Messaging app maker Snapchat Inc. fell victim to a similar attack the month before, when an employee handed over payroll data after receiving what later turned out to be a fake request from CEO Evan Spiegel.

BEC scams cost companies more than $2.3 billion in losses between October 2013 and February 2016, according to the Federal Bureau of Investigation. The victims of these attacks are spread across all U.S. states and at least 79 countries, and the FBI has seen a 270 percent increase in identified victims and exposed losses from BEC scams since January 2015.

Both Ubiquiti Networks Inc. and Scoular Co. were hit with substantial financial losses of $46.7 million and $17.2 million respectively after employees were tricked into transferring company funds to overseas bank accounts belonging to criminals.

In an interview with SiliconANGLE, Paul Everton, founder and CEO of MailControl — a provider of email security solutions — highlighted the most pressing email-related security concerns facing organizations today. Everton also shared a number of steps organizations and users can take to safeguard against whale phishing.

Top email-related security concerns

Currently, the top email-related security concerns facing organizations are “spear phishing and other social engineering scams,” says Everton, which target the company’s human element. Attackers first gather information about both the employees and the company through social media, company websites, and spymail. They then use it to trick unsuspecting employees into providing confidential documents, transferring funds, and so on.

“Often, the victim is tricked into giving up login credentials with which the attacker can do all kinds of damage,” says Everton. An example that is gaining in popularity in the run-up to the presidential elections is hacking activism, or ‘hacktivism’, says Everton, describing it as “attackers using stolen credentials to further a political agenda.”

Another example “is the growing popularity of ransomware, which is growing symbiotically with bitcoin.”

How hackers use whale phishing and the industries most at risk

“Hackers can use information gained through spymail – email with [a] hidden tracking code that reveals information about the recipient such as where and when it was opened and forwarded – to determine when and where an executive is traveling for purposes of submitting a fraudulent money transfer request to her assistant,” says Everton.

While all industries can fall prey to a whale phishing attack, Everton says the most at-risk industries include legal and healthcare, as well as educational institutions and government entities.

Recommendations to guard against whale phishing

Cybersecurity training

“While employee cybersecurity training is an integral component of any successful security strategy, it is especially crucial that a company’s top executives are properly trained on how to keep company information safe,” says Everton, who offers the following suggestions for executives.

  • Executives need to understand how to identify malicious email.
  • Executives should verify the sender prior to opening any attachments.
  • Executives should understand the risks associated with clicking on any suspicious links.

Secure funds transfer

As was the case with Ubiquiti Networks and Scoular, more and more companies are being tricked into sending company funds to accounts controlled by attackers. In an attempt to combat this, Everton suggests companies “have well-defined funds transfer procedures such as requiring all funds requests to be via a secure banking portal and not email.”

Anti-spymail solution

Even when a company offers the best cybersecurity training for its employees and top executives, Everton says “human error will always pose a threat to company security,” because attackers often know a great deal about a company and its employees, which makes it easy for staff to fall victim. Everton suggests companies implement an anti-spymail solution, which “blocks hackers’ attempts to covertly gain this intelligence via innocuous-looking emails.”
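To make the spymail point concrete, here is an added example (not MailControl’s product and not code from this article) that scans an HTML email body for the tell-tale features of a tracking pixel (a tiny or CSS-hidden remote image whose URL carries a per-recipient token) and shows the blunt mitigation of stripping remote image sources before rendering. The email body, the tracker domain and the token are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal-looking message with a real logo plus a hidden
# tracking pixel on a hypothetical tracker domain carrying a per-recipient id.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi Dana, please see the attached invoice.</p>
<img src="https://cdn.example-corp.test/logo.png" width="120" height="40">
<img src="https://track.example-tracker.test/open?id=5f3a9c1e7b2d4a6f"
     width="1" height="1" style="display:none">
</body></html>
"""

# Long hex or opaque strings in a URL usually identify the individual recipient.
TOKEN_RE = re.compile(r"[0-9a-f]{12,}|[A-Za-z0-9_-]{20,}")

def _tiny(val):
    # True for width/height of 2px or less (typical of a tracking pixel).
    try:
        return int(str(val).rstrip("px")) <= 2
    except ValueError:
        return False

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        u = urlparse(a.get("src") or "")
        if u.scheme not in ("http", "https"):
            return  # inline/cid images cannot phone home
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 image")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if TOKEN_RE.search(u.query) or TOKEN_RE.search(u.path):
            reasons.append("per-recipient token in URL")
        if reasons:
            self.suspects.append({"host": u.hostname, "reasons": reasons})

def find_tracking_pixels(html):
    # Returns one record per suspicious remote image, for logging or quarantine.
    p = PixelFinder()
    p.feed(html)
    return p.suspects

def strip_remote_images(html):
    # Blunt defence: blank every remote image src so the client never fetches it.
    return re.sub(r'src="https?://[^"]*"', 'src=""', html)
```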

Image credit: design516; Pixabay

Collen Kriel

Collen Kriel is a beat writer for SiliconANGLE covering consumer technology with a focus on mobile. He has a passion for words, the Internet, the Web and all things tech. He endures a minor fascination with people who define themselves by the brand of smartphone they own. Prior to writing for SiliconANGLE he worked as an account executive in the IT industry, directly for, or in association with, companies like Mimecast, IBM, VMware and Micros. He is an avid traveller currently making his way around South East Asia.
