Let's Define Email Whaling

"Whaling" is both highly deceptive and damaging. A hacker, disguised as the CEO, CFO or other senior executive, typically sends an email message to a recipient and convinces this person to initiate a wire or data transfer. These attacks are also referred to as impersonation attacks or business email compromise attacks. "Whaling schemes led to more than $2.3 billion in losses over the last three years according to the Federal Bureau of Investigation."

The 5 Phases of a Whaling Assault

1. Cyber thieves frequently rely on social media sites, such as LinkedIn™, to gather details about a high-level executive to impersonate along with a lower-level target. The target is typically a controller or human resources executive with the authority to request a financial transaction or send data without additional approvals. A key part of the scam is to make the target react to the perceived power of the spoofed executive. "55% of organizations witnessed an increase in the volume of whaling attacks at the end of 2015."
2. Crooks register a domain that appears similar to the actual domain for a company. For instance, testcompany becomes “testconpany” or “testcornpany.” This creates potential confusion. The busy target may not notice the fake domain "70% of whaling attacks involve domain spoofing."
3. The recipient receives an email message with his or her name on it, as well as other details that make it look authentic. This includes relevant details about the impersonated executive and likely mentions a specific business initiative. "72% of whaling attackers pretended to be the CEO, while 36% were attributed to the CFO."
4. To the target, the email looks authentic — and prompts for the specific action or transaction leading to a loss. The request usually has a sense of urgency and it may request that the individual bypass normal procedures. "43% of organizations witnessed an increase in attempted sensitive data transfers involving whaling or CEO impersonation fraud over the last three months."
5. In most cases, cyber thieves impersonating a high-level executive request a wire transfer or for the recipient to send tax data containing personal employee information, such as W-2 forms in the U.S. or P60 forms in the U.K.. "41 companies fell for W-2 fraud in the first quarter of 2016."

Why Whaling Works

Messages appear highly credible. They are well researched using social engineering techniques that exploit the natural human tendency to trust and be helpful. Messages use the right names, correct titles and have very similar-looking domain names. They are custom-written to avoid spam filters. They appear to originate from the CEO, CFO or another senior executive and often request immediate action. They’re almost always under the amount or threshold required for a second signature. In some cases, impersonation messages are sent by thieves when a key executive is on vacation — making an external or unknown domain name seem legitimate.

The targeted company lacks essential authentication and controls, such as a second signature or sign-off on key transfers or transactions. Or, the recipient ignores key procedures for fear of raising the ire of the CEO or CFO. In many instances, employees are duped into thinking that checking on a transaction might slow things down and derail a key deal. 

Organizations may lack essential security safeguards, including endpoint security, data encryption and email gateway technology to identify suspicious email.

6 Ways to Harpoon The Thieves

1. Educate and inform employees. Coach key employees to recognize an impersonation email and what steps to take to avoid falling victim to thieves. Train them to pick up the phone and verify a large transaction.
2. Use simulations. An effective method for detecting weaknesses and raising awareness is the use of tests and simulations. This takes the form of a staged whaling message that is intentionally sent to key individuals in the organization.
3. Make faking messages difficult. Customized stationery and unique identifiers contained in messages — as well as changes in design periodically — make it more difficult for cyber thieves to create convincing-looking emails.
4. Tap technology. A highly-effective method for thwarting thieves is advanced email gateway technology that identifies and, if desired, quarantines suspicious messages through the use of names, domains and keywords.
5. Stay alert. Monitoring and alert services that notify organizations when a new or different threat exists are also valuable. In today’s fastmoving cybersecurity environment, hours and even minutes matter.
6. Rethink procedures. It may be necessary to change authentication and approval methods by adding a second signature or lowering the monetary amount required to trigger secondary approval. Multilevel authentication and approvals can greatly reduce risk.

* All information here within provided by Mimecast