Despite the proliferation of high-tech cybersecurity products, frustratingly low-tech approaches are creating huge headaches for corporations.
Just ask Walter Stephan, the former CEO of Austrian aerospace parts maker FACC. Or his former CFO, Minfen Gu. Both were sacked when the company was scammed of 50 million euros in a whaling attack last year.
Also known as CEO fraud or a fake president incident, whaling attacks involve a criminal posing as a C-suite executive to persuade an employee to make an unapproved financial transfer.
FBI figures show CEO fraud scams cost business more than $3 billion in the past three years – with many more cases likely unreported.
Security experts predict this type of attack will overtake ransomware this year because the rewards for a successful attack are far higher.
Global security providers say the average payout for a whaling scam is now $140,000, versus just one Bitcoin (AU$1550) for ransomware.
With little planning or time invested, cybercriminals know a multimillion-dollar payday could be just around the corner. Here’s how it typically unfolds.
The cybercriminal chooses their target. Potential victims abound. A CFO is the perfect target to imitate or exploit due to their influence over financial matters. Other factors might be:
- Company size and growth trajectory. It might be a fast-growth startup that doesn’t have finely-tuned procedures for financial transfers.
- The availability of valuable company information and contact details online.
- Industry events: Is there a well-known industry conference happening in Singapore? Knowing a CFO will be in attendance is a crucial snippet of information a cybercriminal can use to leverage their colleagues in a spear-phishing attack.
The groundwork is laid
The scammer plans their attack. Information can be easy to gather, especially for targets with a strong social media presence.
- The company’s website might reveal the team structure and contact details of employees, allowing them to discover who reports to who, and the relevant email addresses.
- LinkedIn might reveal that the target is excited to be a keynote speaker at an insurance conference on June 28.
- Twitter could demonstrate that the target is flying out of Sydney at 8am the day prior, and due to land in Singapore just before midnight.
- Instagram could show that the subject plans to stay on for a few extra days with his family, confirming he’ll be out of the office the entire week. All this information is useful in plotting a scam.
The bait is set
Whaling emails usually follow a simple formula. Here’s one sent by cybercriminals posing as the managing director of an ASX-listed business.
The characteristics of a typical whaling email:
- They’re simple, plain-text emails with no link or attachment (malicious or otherwise). This helps them bypass virus filters.
- They have a personal greeting (‘Hi Michael’), a brief message, and usually a ‘Sent from my iPhone’ line to imply the person making the request is out of the office and not necessarily contactable for verification.
- “I am a bit busy now but will give you a call within the hour” is a further effort to convey urgency. They hope the victim will make the transfer before the request can be verified.
- Often whaling emails are sent early in the morning or late at night, meaning few people are in the office to ask for a second opinion.
Why whaling works
- It’s specific and targeted, and looks like it comes from an important contact.
- The sense of urgency, and the hierarchy factor make staff less likely to query a request that might sound suspicious.
- They’re harder to detect. They are single, standalone emails rather than bulk distributions that might be easier to detect by antivirus providers.
- It’s a low-cost approach with potentially high rewards.
How to reduce your chances of falling for a whaling scam
Take your time
- Check who it was sent by. Examine the sender or reply-to address and check that it hasn’t been sent from a similar, but recently-registered domain such as example.com instead of example.com.au
- Be alert for strange sentence structure, or phrasing uncommon to the apparent sender
- Never sidestep formal processes for payments. If in doubt, ring the apparent sender. If they’re not available, wait until they are. An enormous transfer is better to arrive later than to be lost without a trace to an overseas cybercriminal
- Implement scam-proof approvals processes for financial transfers such as two-factor authentication, which requires two employees to sign off on wire transfers
- Education is imperative. Teach staff and employees what fraudulent emails look like. Here’s a good place to get started: Spot the scam.
- Ensure your email security is up to scratch. Global security specialists such as MailGuard use AI-led threat detection to protect your staff in real-time from targeted attacks, without the dangerous time-lag associated with traditional antivirus vendors. Activated as a subscription service, it provides immediate results for only a few dollars per person per month.
Click here to download your free executive guide, Surviving the Rise of Cybercrime, by MailGuard CEO and founder Craig McDonald.
Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update, or follow us on Twitter @MailGuard.