Whaling emerges as major cybersecurity threat

Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back.

A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.

Jay Wessland, CTO of the Boston Celtics

Jay Wessland, CTO of the Boston Celtics.

"We have seen a few of those," says Jay Wessland, CTO of the Boston Celtics. He says a typical example he's seen involves someone pretending to be CEO or CFO who emails a high-level employee in the finance department to wire money or W2 tax forms. He says whaling attacks, a form of business email compromise also known as "CEO fraud," have increased over the past few months.

FBI says whaling becoming big trend

Whaling is becoming a big enough issue that it's landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $US2.3 billion in losses over the past three years. The losses affect every US state and in at least 79 countries. The FBI said that it has seen a 270 per cent increase in identified victims and exposed losses from CEO scams since January 2015. For example, Mattel lost $US3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.

[ Related: 10 whaling emails that could get by an unsuspecting CEO ]

Unlike typical phishing or spearphishing scams, in which an attacker typically includes a malicious URL or attachment, whaling is a pure social engineering hack targeting relationships between employees, says Steve Malone, director of security product management at Mimecast. Whaling fraudsters either gain access to an executive's email inbox, or email employees from a fake domain name that appears similar to the legitimate domain name. They ask the intended recipient to take some action, such as moving money from a corporate account to an account the fraudster has set up, Malone says.

An example of a whaling email scam

An example of a whaling email scam. (Click for larger image.)

Often, the language and phrasing of the email request are designed to sound similar to those that might come from CEOs, CFOs and finance staff. The notes may begin with a simple greeting, such as "Hello, how are you," and inquire if the recipient is in the office, a seemingly natural query. Then they'll ask the potential victim to trigger a money transfer, issue a bank payment, or email a W2 or some other sensitive document. "There's no way to spy that as bad," Malone says. "The content is human-written so a spam filter won't pick it up and it's hard to detect because there are no links or attachments."

[ Related: Work in finance or accounting? Watch out for 'whaling' attacks ]

Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages. "You have to inspect the header of mail more intimately," says Wessland, who is responsible for safeguarding 200 employee email inboxes.

Throwing a net around the whaling problem

Vendors such as Microsoft, Proofpoint, Cloudmark and Mimecast are building tools to help companies defend against these attack. Mimecast, which makes cloud software designed to spot and quarantine phishing emails with malicious attachments and URLs, has just launched a tool designed to harpoon whaling. Called Impersonation Protect, the software's algorithms analyze the language content of emails as they come in through a corporate server. It looks for key indicators, beginning with whether the source name actually works for the company.

The software will then parse the email content for requests that includes keywords and phrases such as "W2" or "wire transfer," and provides a probability score that a target email is either safe or malicious. "One indicator in isolation is not bad, but two together could be fishy," Malone says. A third indicator -- and one unlikely to be caught by one of the corporate employees -- is that the attackers will register a domain similar to the victim company's name. For example, an attacker trying to spoof Mimecast employees might register the domain header "Minecast" and send email from it. CIOs can set policies in Impersonation Protect, programming it to reject suspicious mail or quarantine it for review, Malone says.

The Celtics’ Wessland says he will begin using Impersonation Protect in conjunction with Mimecast's URL and attachment-protection software this month. "Hopefully the automated tool will detect a lie and block or quarantine it and I can go and review it," Wessland says.

How afraid is Wessland of whaling attacks? About as afraid as he is of any cybersecurity threat and targeted attacks. He says he uses a number of desktop antivirus, gateway antivirus and application security tools to fend off attackers. "No matter what you do there always seems to be things that happen and that’s a concern," Wessland says. "All of those things keep me up at night."

Join the PC World newsletter!

Error: Please check your email address.

Tags whalingcybersecuritysecurity

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Clint Boulton

Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?