Tag Archives: whaling

Whale phishing on the rise: Security industry exec offers advice

Whale phishing, also known as whaling, CEO Fraud or Business Email Compromise (BEC), is on the increase globally with no industry immune to an attack.

Whale phishing, a form of spear phishing, targets the ‘big fish’ or ‘whales’ of an organization: the CEO, CFO and other senior executives. Cybercriminals either try to extract sensitive information or company funds from the executives themselves, or masquerade as those executives to extract information or funds from unsuspecting employees.

Research conducted by cloud-based email management firm Mimecast Ltd. in March, based on responses from 436 IT experts at organizations in the U.S., U.K., South Africa, and Australia, shows the whaling threat is on the rise. Since the start of the year, 67 percent of respondents had seen an increase in attacks aimed at instigating fraudulent payments, and 43 percent had seen an increase in attacks specifically aimed at obtaining confidential data such as HR records or tax information.

Organizations that have fallen prey to these attacks, or similar, include Seagate Technology LLC, whose employee was tricked into sending income tax data of all employees, after receiving what they assumed was a legitimate email request from CEO Stephen Luczo.

Messaging app maker Snapchat Inc. fell victim to a similar attack the month before, when an employee handed over payroll data after receiving what later turned out to be a fake request from CEO Evan Spiegel.

BEC scams cost companies more than $2.3 billion in losses between October 2013 and February 2016, according to the Federal Bureau of Investigation. The victims are spread across all U.S. states and at least 79 countries, and the FBI has seen a 270 percent increase in identified victims and exposed losses from BEC scams since January 2015.

Both Ubiquiti Networks Inc. and Scoular Co. were hit with substantial financial losses of $46.7 million and $17.2 million respectively after employees were tricked into transferring company funds to overseas bank accounts belonging to criminals.

In an interview with SiliconANGLE, Paul Everton, founder and CEO of MailControl — a provider of email security solutions — highlighted the most pressing email-related security concerns facing organizations today. Everton also shared a number of steps organizations and users can take to safeguard against whale phishing.

Top email-related security concerns

Currently, the top email-related security concerns facing organizations are “spear phishing and other social engineering scams,” says Everton, which target the company’s human element. Attackers first gather information about both the employees and the company through social media, company websites, and spymail (email carrying hidden tracking code). They then use it to trick unsuspecting employees into providing confidential documents, transferring funds, and so on.

“Often, the victim is tricked into giving up login credentials with which the attacker can do all kinds of damage,” says Everton. One example gaining popularity in the run-up to the presidential election is hacking activism, or ‘hacktivism’: “attackers using stolen credentials to further a political agenda,” as Everton puts it.

Another example, “is the growing popularity of ransomware, which is growing symbiotically with bitcoin.”

How hackers use whale phishing and the industries most at risk

“Hackers can use information gained through spymail – email with [a] hidden tracking code that reveals information about the recipient such as where and when it was opened and forwarded – to determine when and where an executive is traveling for purposes of submitting a fraudulent money transfer request to her assistant,” says Everton.

While any industry can fall prey to a whale phishing attack, Everton says the most at-risk industries include legal and healthcare, as well as educational institutions and government entities.

Recommendations to guard against whale phishing

Cybersecurity training

“While employee cybersecurity training is an integral component of any successful security strategy, it is especially crucial that a company’s top executives are properly trained on how to keep company information safe,” says Everton, who offers the following suggestions for executives.

  • Executives need to understand how to identify malicious email.
  • Executives should verify the sender prior to opening any attachments.
  • Executives should understand the risks associated with clicking on any suspicious link.
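“Verify the sender” is the step that would have stopped both the Seagate and Snapchat requests, and it is also the check a mail gateway can automate. The script below is an added example, not code from the article or from MailControl: it parses one raw message and reports the indicators a BEC filter looks for. The company domain, the executive roster and both sample messages are constructed for the demo.

```python
"""Header checks for executive-impersonation (BEC) mail.  Added example, not
code from the article or from MailControl.  COMPANY_DOMAIN, the EXECUTIVES
roster and the two messages below are constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                  # assumption
EXECUTIVES = {"alice cheng": "acheng", "raj patel": "rpatel"}   # constructed: display name -> mailbox
LURE_WORDS = ("wire transfer", "w-2", "payroll", "urgent", "confidential")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Plain Levenshtein distance; 1 or 2 against our own domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(addr), _domain(reply)
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "").lower()))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    # 1. An executive's display name on a mailbox that is not the executive's.
    mailbox = EXECUTIVES.get(name.strip().lower())
    if mailbox and addr.lower() != f"{mailbox}@{COMPANY_DOMAIN}":
        findings.append("exec-impersonation")
    # 2. Sender domain one or two edits away from ours (examp1e.com, exarnple.com).
    if from_dom != COMPANY_DOMAIN and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 3. Replies silently redirected to a different domain.
    if reply and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # 4. Mail claiming our own domain must carry a DMARC pass from our gateway.
    if from_dom == COMPANY_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    # 5. Weak but cheap signal: the payment / HR-data lure itself.
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(w in text for w in LURE_WORDS):
        findings.append("payment-lure")
    return findings


# Constructed sample messages (a leading blank line would end the header block,
# hence the backslash after the opening quotes).
SPOOFED = """\
From: Alice Cheng <alice.cheng@examp1e.com>
Reply-To: ceo.office@mail-example.net
To: payroll@example.com
Subject: Urgent: W-2 for all employees
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

Send me the W-2 of every employee as PDF today. Keep this confidential.
"""

LEGIT = """\
From: Alice Cheng <acheng@example.com>
To: payroll@example.com
Subject: Board deck review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Can you look over slide 4 before Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(raw))
```

Note that the spoofed message passes SPF: the attacker owns examp1e.com and publishes a valid record for it, so authentication results alone say nothing about impersonation. DMARC protects only your own domain from being forged; the lookalike and display-name checks are what catch the rest.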

Secure funds transfer

As was the case with Ubiquiti Networks and Scoular, more and more companies are being tricked into sending company funds to accounts controlled by attackers. To combat this, Everton suggests companies “have well-defined funds transfer procedures such as requiring all funds requests to be via a secure banking portal and not email.” The same logic applies to a change of payee bank details: confirm it by calling the payee on a number already on file, never one supplied in the email.

Anti-spymail solution

Even with the best cybersecurity training for its employees and top executives, Everton says, “human error will always pose a threat to company security”: attackers know a great deal about the company and its employees, so falling victim is easy. Everton suggests companies implement an anti-spymail solution, which “blocks hackers’ attempts to covertly gain this intelligence via innocuous-looking emails.”
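The spymail Everton describes is an HTML email whose image tag fetches a per-recipient URL the moment the message is rendered, telling the sender when, where and on what device it was opened. The following added example (not MailControl’s product code) shows the detection side: it finds image tags that are hidden, one pixel in size or carry an opaque tracking token, strips them, and returns the beacon URLs. The HTML body is constructed for the demo. Products in this space generally block or proxy every remote image rather than rely on heuristics, because a legitimate CDN asset with a hashed filename and no alt text will trip the token rule.

```python
"""Tracking-pixel ("spymail") detection and stripping for an HTML email body.
Added example, not MailControl's code.  SAMPLE is a constructed message body."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_\-]{20,}")   # long opaque id in the URL = per-recipient beacon
HIDDEN_CSS = ("width:0", "width:1px", "height:0", "height:1px",
              "display:none", "visibility:hidden", "left:-", "top:-")


class _ImgCollector(HTMLParser):
    """Record the raw text of every <img> tag together with its attributes."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append((self.get_starttag_text(), dict(attrs)))


def _px(value):
    """'1', '1px' -> 1; missing attribute -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _is_tracker(attrs):
    src = attrs.get("src") or ""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https"):
        return False                      # cid:/data: images cannot phone home
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    hidden = (w is not None and w <= 1 and h is not None and h <= 1) \
        or any(s in style for s in HIDDEN_CSS)
    tokenised = bool(OPAQUE_TOKEN.search(parts.path + "?" + parts.query))
    # Hidden remote image: always a beacon.  Visible remote image with an
    # opaque token and no alt text: treated as one too (see caveat in the text).
    return hidden or (tokenised and not (attrs.get("alt") or "").strip())


def strip_trackers(html):
    """Return (cleaned_html, [beacon_url, ...]) for one HTML body."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    beacons = []
    for raw_tag, attrs in parser.images:
        if _is_tracker(attrs):
            beacons.append(attrs.get("src"))
            html = html.replace(raw_tag, "<!-- tracking image removed -->")
    return html, beacons


# Constructed body: a real logo, a hidden 1x1 beacon, an inline signature
# image and an off-screen image with a per-recipient token.
SAMPLE = """<html><body>
<p>Hi Alice, the revised contract is attached.</p>
<img src="https://cdn.example.com/static/logo.png" alt="Example Corp" width="120" height="40">
<img src="https://trk.example-mailer.net/o/7c1f9e3ab24d4f0e9a6b5c8d1e2f3a4b.gif" width="1" height="1" style="display:none">
<img src="cid:signature-card" width="1" height="1">
<img src="https://img.example-mailer.net/u/9Qx7vLm2Ra8Tz3Kw5Yb1Nc6Hd0Pj4.png" style="position:absolute;left:-9999px">
</body></html>"""

if __name__ == "__main__":
    cleaned, found = strip_trackers(SAMPLE)
    print("beacons:", *found, sep="\n  ")
    print(cleaned)
```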


Collen Kriel

Collen Kriel is a beat writer for SiliconANGLE covering consumer technology with a focus on mobile. He has a passion for words, the Internet, the Web and all things tech. He endures a minor fascination with people who define themselves by the brand of smartphone they own. Prior to writing for SiliconANGLE he worked as an account executive in the IT industry, directly for, or in association with companies like Mimecast, IBM, VMware and Micros. He is an avid traveller currently making his way around South East Asia.


Phishing, Whaling & The Surprising Importance Of Privileged Users

By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.

In the world of cybersecurity, there are two wildly different approaches to phishing.

The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.

The second approach is quite different.

There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.

I believe this is a mistake, and I’ll explain why.

Understanding your attacker

Whatever your approach to cyber security, it makes sense to start with an understanding of the people you’re trying to protect against.


The Verizon 2016 Data Breach Investigations Report is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you’re far, far more likely to be breached by an external actor.

The report also explains that although you’ll need to defend against many different cyber weapons (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides an insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.

But are governments and competitors really lining up to steal your secrets? Well… no.

In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.

Rest assured that there is big money in play here, and successful hackers get paid extremely well for their “work.”

So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.

The anatomy of a (successful) phishing attack

Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (social engineering).

Once the attacker has gained access to your network, they’ll try to make lateral movements to expand their access and level of control. This could include stealing proprietary data to inform further targeted phishing attacks (spear phishing), identifying vulnerabilities, and/or stealing higher value credentials.

Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.

Going after the big phish

As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or “whaling,” and it can spell disaster for your organization. Clearly, this is not what you want to happen.

Every phishing attack relies, at some point, on being able to sucker employees into clicking on something they shouldn’t. The information security team can play a huge part in preventing this: many phishing emails can be kept out of employees’ inboxes by well-maintained filters, and more can be foiled by tight security controls.

But what about your privileged users: directors, executives and system admins, who all usually have a high level of access? What if they’re targeted by spear phishing or whaling attacks?

Access controls on your whales

I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.

Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.

Controls aren’t enough

It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.

At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.


Joseph Opacki is vice president, threat research, at PhishLabs, responsible for threat research, analysis and intelligence. Prior to joining PhishLabs, Mr. Opacki was the senior director of global research at iSIGHT Partners. Before his career in the private sector, Mr. …




Crowdsourced phishing protection eliminates threats in under 13 minutes

IronScales, a cybersecurity provider that crowdsources phishing protection, has reported that training designated staff in an organisation to detect and report threats as they are found can quickly eliminate threats.

According to the company, this method of phishing prevention has reduced clickthrough rates to malicious content by 90%, while detections are occurring nine times faster. Reporting of threats occurs less than two minutes after detection and threats can be totally eliminated in under 13 minutes.

The crowdsourced technology relies on designated staff to identify threats and act accordingly, after going through the training process.
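What makes one employee’s report “eliminate” a threat for everyone is the step after the report: the reported message is fingerprinted and every matching copy in other mailboxes is pulled. The following is an added example of that mechanism, not IronScales’ code. The mailbox store, the reported message and its sibling copies are constructed; a real deployment would feed the same fingerprint to the mail server’s search and quarantine API. Per-recipient noise (digits in the subject, URL query tokens) is normalised away so that the campaign, not the individual copy, is what matches.

```python
"""Fingerprint a reported phishing message and sweep other mailboxes for the
same campaign.  Added example, not IronScales' code.  REPORTED and MAILBOXES
are constructed for the demo."""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _normalise_subject(subject):
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", subject, flags=re.I)  # drop Re:/Fwd: prefixes
    s = re.sub(r"\d+", "#", s)                                       # invoice numbers vary per victim
    return re.sub(r"\s+", " ", s).strip().lower()


def _url_key(url):
    p = urlsplit(url)
    return (p.netloc.lower(), p.path)   # query strings carry per-recipient tokens: ignore them


def fingerprint(raw):
    """Campaign-level features of one message: sender domain, subject shape,
    link targets and attachment hashes."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    text, attachments = [], set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            attachments.add(hashlib.sha256(payload).hexdigest())
        else:
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return {
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "subject": _normalise_subject(msg.get("Subject", "")),
        "urls": {_url_key(u) for u in URL_RE.findall(" ".join(text))},
        "attachments": attachments,
    }


def matches(reported, candidate):
    """Same sending domain plus any one shared campaign feature."""
    if reported["sender_domain"] != candidate["sender_domain"]:
        return False
    return (reported["subject"] == candidate["subject"]
            or bool(reported["urls"] & candidate["urls"])
            or bool(reported["attachments"] & candidate["attachments"]))


def sweep(reported_raw, mailboxes):
    """mailboxes: {user: {message_id: raw}}.  Returns [(user, message_id)] to quarantine."""
    target = fingerprint(reported_raw)
    return [(user, msg_id)
            for user, box in mailboxes.items()
            for msg_id, raw in box.items()
            if matches(target, fingerprint(raw))]


def _mail(sender, subject, body):
    return f"From: {sender}\nTo: staff@example.com\nSubject: {subject}\n\n{body}\n"


# Constructed store: bob reports m1; carol holds a copy with a different
# invoice number and token (m2) and an unrelated internal mail with the same
# subject (m3); dave has a benign mail from the same sender domain (m4).
REPORTED = _mail("Accounts <billing@example-invoices.net>", "Invoice 4817 overdue",
                 "Settle now: https://example-invoices.net/pay?u=bob-7f3a")
MAILBOXES = {
    "bob": {"m1": REPORTED},
    "carol": {
        "m2": _mail("Accounts <billing@example-invoices.net>", "RE: Invoice 4821 overdue",
                    "Settle now: https://example-invoices.net/pay?u=carol-91cd"),
        "m3": _mail("HR <hr@example.com>", "Invoice 4817 overdue",
                    "Your expense report was approved."),
    },
    "dave": {"m4": _mail("Accounts <billing@example-invoices.net>", "Q2 statement",
                         "Attached is your quarterly statement.")},
}

if __name__ == "__main__":
    print("quarantine:", sweep(REPORTED, MAILBOXES))
```

The “same sending domain plus one shared feature” rule is deliberately loose in one direction and strict in the other: m3 shares the subject but not the domain, so an internal message is never swept on subject alone, while m2 matches on both the normalised subject and the link target even though every literal byte of it differs from the reported copy.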

This, the company says, is a rapid improvement on the results seen before training begins, when up to 40% of users click on a sample phishing email.

“Phishing is an insidious, constant threat to enterprises,” IronScales CEO Eyal Benishti said. “Organisations need to take a proactive approach to make sure it becomes a far less successful channel of attack.”

According to a study by SANS, 95% of all enterprise attacks are caused by spear phishing, and that, coupled with a reported increase in spear and whale phishing attacks, means companies need to be prepared for when mistakes happen and information is leaked.

A single breach can cost a company up to $4 million, according to a Ponemon Institute study.

Cyber security has never been more important, IronScales says, particularly as customers become more critical of brands in every area, from loyalty and reputation to profit potential and the threat of customer information being hacked.

According to IronScales, a focus on threat prevention, threat detection and threat management should be part of every company’s security system.