Phishing Deep Dive: Whaling
Whaling scams are increasing at an alarming rate. In just a year, the number of attacks has risen 131%. Companies are the primary targets, so it is important for you to be familiar with this type of phishing and how to protect your business from it.
A whaling attack is a high-stakes spear phishing scam involving a high-level official in an organization, such as a chief executive officer (CEO), director, or prominent manager. Whaling is often lumped together with business email compromise (BEC) and CEO fraud. Strictly speaking, BEC is the broader category of email-based payment and data fraud; whaling and CEO fraud are the variants that target or impersonate senior staff.
There are two main variations of whaling scams:
- A high-level official is the target (i.e., the email recipient). In this variation, the scammers often try to trick the target into authorizing high-value wire transfers. In the whaling email, the cybercriminals might masquerade as an employee (e.g., department manager), or business associate (e.g., supplier rep, lawyer).
- Cybercriminals impersonate a high-level official. The target is usually a lower-ranked employee, such as an accounting manager or human resources (HR) staff member. It can even be another high-level official who is a few rungs lower on the organizational chart. The scammers hope that the lower-ranked staff will be reluctant to question a request that appears to be from an authoritative figure in the company.
No matter the variation used, the cybercriminals perform extensive research to learn about the target, the person they are impersonating, and the company in general. That way, they can make the whaling email highly personalized and seemingly legitimate.
Whaling emails almost always include a deceptive sender email address, and scammers use several techniques to produce one. Sometimes they register a lookalike domain that differs from the real one by a character or two (an "rn" in place of an "m", a .co instead of a .com) and send from it. Sometimes they forge the From header so the message appears to come from the real address, or they put the real name or address in the display name in front of an unrelated mailbox. Other times, they hijack the email account of the person they want to impersonate and use the hijacked account to send the whaling email. In that last case no header inspection will help: the message really does come from the CEO's mailbox, and the target has no way to tell that a cybercriminal, rather than the CEO, is at the keyboard.
Scammers occasionally get creative. For example, if they are impersonating an executive and their research reveals that he will be on an overseas business trip for several weeks, they might create an email account that is supposedly the executive’s personal email account. Then, when the executive is on the trip, the cybercriminals will use the faux personal account to send the whaling email. The email will include a plausible reason why the personal account is being used, such as “I’m sending this via my personal email account because I couldn’t access our company’s email system from my hotel.”
Table 1 highlights other aspects of whaling emails. It also compares whaling emails to spear phishing and classic phishing emails.
Table 1. Comparison of Whaling, Spear Phishing, and Classic Phishing Emails
| | Whaling Emails | Spear Phishing Emails | Classic Phishing Emails |
|---|---|---|---|
| Target | Businesses | Businesses | Individuals and businesses |
| Distribution size | One person typically | A small number of people | An extremely large number of people |
| Personalization | Highly personalized | Moderately personalized | Not personalized |
| Greeting | The email recipient's name | The email recipient's name | No greeting, a generic greeting, or the recipient's email address |
| Tone of message | Professional tone | Professional tone | Urgent tone |
| Desired action | Varies (e.g., send a wire transfer) | Click a link or open an email attachment | Click a link or open an email attachment |
| Context in which the call for action is presented | Context is highly personalized and makes sense to the recipient | Context is personalized and makes sense to each recipient | One-size-fits-all context that might not make sense to some recipients |
| Has a deceptive sender email address | Almost always | Often | Sometimes |
| Includes misleading links | Sometimes | Often | Often |
| Has a weaponized email attachment | Sometimes | Sometimes | Sometimes |
Whaling Scams Cost Companies Big Bucks
One reason why the number of whaling scams keeps increasing is that this type of scam is bringing in big bucks for cybercriminals. For example, cybercriminals conned AFGlobal Corporation out of $480,000. Masquerading as the company’s CEO, the cybercriminals sent an email to the accounting director, informing him that he was assigned to work with a certain individual named Steven Shapiro on an acquisition. The alleged Shapiro contacted the accounting director via email and phone, requesting that he transfer $480,000 to a bank in China for the acquisition. The accounting director sent the money. A week later, he received another request from Shapiro to transfer an additional $18 million. At that point, the accounting director became suspicious and did not send the money.
In another case, a Wisconsin business fell victim to a highly sophisticated whaling attack, sending more than $1.6 million to the perpetrators. Before a single email was sent, the cybercriminals conducted research to learn about the Wisconsin company’s main suppliers. After selecting one to impersonate, they found out the name and email address of the supplier’s credit manager. The cybercriminals also created a fake corporation supposedly located in Florida and opened several accounts for it at banks in Miami and abroad. Then, masquerading as the supplier’s credit manager, the scammers sent an email to the Wisconsin business’s accounting manager. They requested that all invoice payments be sent to the supplier’s international account rather than the usual account due to problems with the latter. The Wisconsin business’s accounting manager responded, noting that he would not be able to send money to an international account. The scammers wrote back, saying that he could instead send the payments to the Miami bank account. The accounting manager authorized a payment of more than $1.6 million to that account. Fortunately, all but $8,000 of the $1.6 million was still in the account when the scammers were arrested so the Wisconsin business got its money back. Getting the money back is unusual, though.
Many other companies were also swindled out of large amounts of money or data, including:
- Toyota Boshoku Corporation, which lost $37 million when cybercriminals conned a finance executive into making a wire transfer
- Scoular Company, which was taken for $17.2 million after its corporate controller sent three wire transfers based on instructions supposedly sent by the CEO and the company's outside auditing firm
- Fischer Advanced Composite Components (FACC), which lost $47 million in a whaling scam, prompting the dismissal of the CEO
- Snapchat, which handed over employee payroll information to cybercriminals masquerading as the CEO
How to Protect Your Company from Whaling Attacks
The number of whaling attacks will likely keep increasing since whaling is a lucrative business for cybercriminals. Here are some ways you can protect your business from these scams:
- Keep your company’s email filtering and security software up-to-date to stop as many whaling emails as possible from reaching your employees. You might consider getting an email security solution that is designed to catch whaling and other types of phishing emails.
- Educate employees about whaling emails. Be sure to discuss deceptive sender email addresses and the techniques used to create them (e.g., spoofing, hijacking email accounts). And be sure to warn employees about the risks associated with clicking links and opening email attachments. Scammers sometimes use malicious links and weaponized attachments in whaling emails.
- Flag emails sent from outside your company. Most email systems can automatically prepend a warning banner to messages from external senders, which makes a lookalike domain or a consumer webmail address much harder to miss. Pair the banner with SPF, DKIM, and DMARC enforcement on your own domain so that messages forging your exact domain are rejected before delivery. Neither measure helps when the attacker sends from a hijacked internal account.
- Use two-step verification (multi-factor authentication) for business email accounts. It makes hijacking an account much more difficult, although it does nothing against lookalike domains or forged headers.
- Encourage employees to think before acting. When employees receive an email request from a CEO or another high-level official, the natural tendency is to jump into action to fulfill that request. Instead, encourage them to examine the email closely for suspicious elements, such as a sender address that does not match the executive's real one, especially if the email asks them to send a large amount of money or personal data. If the request seems at all odd, have them verify it through a channel that did not come from the email itself, such as a phone number from the company directory or a walk to the executive's office. That one call could save your company a lot of money.
- Consider requiring two people to authorize large payments or bulk releases of personal data. This serves two purposes. First, people can bounce doubts off each other (e.g., "Does this look suspicious to you?"). Second, it calms employees' fears that they could be singled out and punished for questioning a superior's request.
- Make sure that potentially sensitive information (e.g., employees’ names, titles, and email addresses) is not publicly available. Besides inspecting your company’s website, check your company’s social media pages (e.g., LinkedIn and Facebook pages). In addition, let the high-level officials in your company know about the dangers of posting too many work-related details in personal social media pages. Scammers often check social media sites for information when researching their targets.
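The sender-address tricks described earlier (lookalike domains, a real name or address placed in the display name, the "personal account" pretext) and the external-mail banner recommended above can all be checked in one place at the mail gateway. The following is an added example, not code from the original article. It assumes a hypothetical company whose real domain is example.com, a small executive directory (EXECUTIVES), and a set of constructed From headers (SAMPLES); the webmail list and confusable-character table are deliberately short.

```python
"""Flag inbound mail whose From header shows the tricks whaling emails rely on.

Added example, not from the original article. INTERNAL_DOMAIN, EXECUTIVES,
WEBMAIL_DOMAINS and SAMPLES are assumptions constructed for the demo.
"""
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"
# Hypothetical directory of the names an attacker would most want to borrow.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "Raj Patel": "raj.patel@example.com"}
# Consumer webmail used for the "couldn't reach the company mail system" pretext.
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Visually confusable substitutions folded away before comparing domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_confusables(s):
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain):
    """Last two labels; a simplification that ignores multi-label TLDs such as co.uk."""
    return ".".join(domain.split(".")[-2:])


def is_internal(domain):
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def is_lookalike(domain):
    """True for domains built to be mistaken for INTERNAL_DOMAIN."""
    if is_internal(domain):
        return False
    if INTERNAL_DOMAIN in domain:          # example.com.mail-secure.net, example.com-login.io
        return True
    reg = registrable_domain(domain)
    if fold_confusables(reg) == INTERNAL_DOMAIN:   # exarnple.com, examp1e.com
        return True
    return edit_distance(reg, INTERNAL_DOMAIN) <= 1  # example.co, exmple.com


def normalize_name(s):
    return "".join(ch for ch in s.lower() if ch.isalpha())


def impersonated_executive(display, addr):
    """Return the executive whose name or address the sender is borrowing, if any."""
    local = addr.partition("@")[0]
    for name in EXECUTIVES:
        n = normalize_name(name)
        if n and (n in normalize_name(display) or n == normalize_name(local)):
            return name
    return None


def assess_sender(from_header):
    """Return a list of findings for one From header; empty means trusted internal mail."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if is_internal(domain):
        return []   # a hijacked internal account passes this check; see the article
    findings = ["external"]
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    who = impersonated_executive(display, addr)
    if who:
        findings.append("impersonates:" + EXECUTIVES[who])
        if domain in WEBMAIL_DOMAINS:
            findings.append("personal-account-pretext")
    if "@" in display:
        findings.append("address-in-display-name")
    return findings


def tag_subject(subject, findings):
    """Prepend the kind of banner the article recommends for external mail."""
    if not findings:
        return subject
    tag = "[EXTERNAL - POSSIBLE IMPERSONATION]" if len(findings) > 1 else "[EXTERNAL]"
    return f"{tag} {subject}"


SAMPLES = [  # constructed for the demo
    "Jane Doe <jane.doe@example.com>",                          # genuine internal mail
    "Jane Doe <jane.doe@exarnple.com>",                         # "rn" standing in for "m"
    "Jane Doe <jane.doe@example.com.mail-secure.net>",          # real domain buried in a fake one
    "Jane Doe <janedoe.ceo@gmail.com>",                         # "I'm on my personal account"
    '"raj.patel@example.com" <invoices@supplier-portal.biz>',   # real address as display name
    "Acme Supplies <billing@acme-supplies.net>",                # ordinary external mail
]

if __name__ == "__main__":
    for header in SAMPLES:
        found = assess_sender(header)
        print(f"{header:58} -> {found}")
        print("    subject:", tag_subject("Urgent wire for acquisition", found))
```

The checks are deliberately noisy rather than precise: a partner whose surname happens to contain an executive's name will be flagged, and that is acceptable for a triage rule that only adds a banner or routes the message for review. The one case this cannot catch is the hijacked internal account, which is why the out-of-band verification and two-person authorization steps above still matter.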