The Anatomy of a Whaling attack
Whaling attacks are the latest buzzword in email security. But what does the term mean, how can such an attack affect you, and what can you do to prevent it?
What is a whaling attack?
Whaling is derived from an analogy with a ‘big phish’. A whaling attack is a form of phishing that targets specific individuals with the aim of stealing money, sensitive financial information or personal details about employees from a company. These attacks revolve around senior managers who hold power or authority within the company, such as the CEO, COO or CFO, either as the target or, more often, as the person being impersonated.
A cyber-criminal, disguised as a senior member of staff such as the CEO or CFO, typically sends an email to a colleague and convinces them to initiate a wire transfer or hand over data. These attacks are also referred to as impersonation attacks or business email compromise (BEC) attacks.
What makes these types of attacks so successful?
Messages appear highly credible. Having researched the intended recipient and the ‘sender’ on social media, the perpetrators ensure that the messages carry the right names and titles and come from very similar-looking domain names. Because each message is written for one recipient rather than sent in bulk, it lacks the mass-mailing signatures that companies’ spam filters key on.
The messages appear to originate from the CEO, CFO or another senior executive and request immediate action. Requests for money transfers are typically kept just under the amount that would require a second signature, and are often timed for when a key executive is on holiday and cannot easily be reached to confirm.
The recipient often bypasses the set procedures for fear of annoying the CEO or CFO who appears to be making the request. Many victims also reported being afraid that the time spent double-checking could delay or derail a deal completely.
How to prevent attacks
- Educate employees, especially senior management, key staff and the finance team. Train them on the common characteristics of phishing and whaling attacks.
- Keep personal information private and off social media. Key personnel should publish as little as possible on their public profiles: birthdays, hobbies, friends and home locations can all be used in an attack. The simplest safeguard is to set privacy restrictions on all public platforms.
- Tap into the right technology, such as an email gateway that identifies and quarantines suspicious messages. Implement data protection that defends against malware, advanced phishing (including whaling) and other emerging attacks, and prevents data leaks.
- Multi-level approvals greatly reduce risk. Adjust your verification procedures, for example by requiring a second signature or by lowering the monetary value above which one is needed.
- Establish a verification process. Make sure there is a separate, out-of-band channel (such as a phone call to a number already on record, never one taken from the email itself) that employees use to confirm any request for a money transfer or sensitive information before acting on it.
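The gateway controls and the indicators described above (an executive’s name on the wrong address, a lookalike sender domain, a mismatched Reply-To, urgency paired with a payment request) can be turned into a simple triage check. The following is an added example, not code from the original article or from any vendor named in it; the company domain `example.com`, the executive roster and both sample messages are constructed for illustration.

```python
"""Flag the whaling indicators discussed above in an inbound message.

Added example, not from the original article. The company domain, the
executive roster and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.com"  # assumption: the protected organisation's mail domain

# Assumption: executives attackers are most likely to impersonate,
# keyed by lower-cased display name -> their genuine address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",      # CEO
    "john smith": "john.smith@example.com",  # CFO
}

# Character swaps commonly used to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|today|confidential|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|payroll|W-?2|bank details)\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse confusable characters so 'examp1e.com' and 'example.com' compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when domain resembles the company domain without being it."""
    domain = domain.lower()
    if domain == legit:
        return False
    return skeleton(domain) == skeleton(legit) or edit_distance(domain, legit) <= 2


def whaling_indicators(raw: str) -> List[str]:
    """Return the indicators found in one RFC 822 message; empty list means none."""
    msg = message_from_string(raw, policy=policy.default)
    found = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. A known executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        found.append(f"executive display name '{name}' but sender is {addr}")

    # 2. A sender domain that imitates the company domain.
    if domain and is_lookalike(domain):
        found.append(f"lookalike sender domain {domain}")

    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")

    # 4. Urgency combined with a money or payroll-data request.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text) and PAYMENT.search(text):
        found.append("urgent payment or payroll-data request")

    return found


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-secure-account.net
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="us-ascii"

Please process the attached invoice and wire the payment today.
I am in meetings all day, handle this immediately.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack
Content-Type: text/plain; charset="us-ascii"

Attached is the board pack for Thursday. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        print(label, whaling_indicators(sample))
```

Any one indicator on its own produces false positives (executives do mail from personal addresses, and finance staff do talk about urgent invoices), so a gateway would normally quarantine or tag a message on two or more hits rather than block on one; the constructed suspicious sample trips all four, the legitimate one none.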
It can happen to anyone
Below is a list of some well-known companies that fell victim to whaling attacks. (1)
FACC: The Austrian aircraft industry supplier lost 50 million euros ($57.6 million), reportedly due to a whaling attack. Its stock fell 17% after the incident became public. (3)
Seagate: A successful whaling attack handed thieves the W-2 tax documents of up to 10,000 current and former employees. (4)
Snapchat: An employee fell for an email impersonating a request from CEO Evan Spiegel and disclosed payroll data for 700 employees. (5)
Ubiquiti Networks: The high-performance networking company suffered a $39.1 million loss as a result of a whaling attack. The San Jose-based firm has recovered only a portion of the sum. (6)
Weight Watchers International: A whaling email allowed thieves to obtain tax data for nearly 450 current and former employees. (7)
References
1. Mimecast, “Whaling: The Anatomy of an Attack – Protecting Your Organisation from CEO Scams”
2. Digital Guardian, “What is a Whaling Attack? Defining and Identifying Whaling Attacks”
3. ComputerWeekly.com, “$54m cyber fraud hits aircraft supplier share price,” Jan. 22, 2016
4. KrebsOnSecurity, “Seagate Phish Exposes All Employee W-2’s,” March 16, 2016
5. CNN.com, “Snapchat employee fell for phishing scam,” Feb. 29, 2016
6. CSO, “Ubiquiti Networks victim of $39 million social engineering attack,” Aug. 6, 2015
7. MSN.com, “Tax Forms: Cybertheft Schemes on the Upswing,” April 4, 2016