Whaling emerges as major cybersecurity threat

Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back.

A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.

Jay Wessland, CTO of the Boston Celtics

Jay Wessland, CTO of the Boston Celtics.

"We have seen a few of those," says Jay Wessland, CTO of the Boston Celtics. He says a typical example he's seen involves someone pretending to be CEO or CFO who emails a high-level employee in the finance department to wire money or W2 tax forms. He says whaling attacks, a form of business email compromise also known as "CEO fraud," have increased over the past few months.

FBI says whaling becoming big trend

Whaling is becoming a big enough issue that it's landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $US2.3 billion in losses over the past three years. The losses affect every US state and in at least 79 countries. The FBI said that it has seen a 270 per cent increase in identified victims and exposed losses from CEO scams since January 2015. For example, Mattel lost $US3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.

[ Related: 10 whaling emails that could get by an unsuspecting CEO ]

Unlike typical phishing or spearphishing scams, in which an attacker typically includes a malicious URL or attachment, whaling is a pure social engineering hack targeting relationships between employees, says Steve Malone, director of security product management at Mimecast. Whaling fraudsters either gain access to an executive's email inbox, or email employees from a fake domain name that appears similar to the legitimate domain name. They ask the intended recipient to take some action, such as moving money from a corporate account to an account the fraudster has set up, Malone says.

An example of a whaling email scam

An example of a whaling email scam. (Click for larger image.)

Often, the language and phrasing of the email request are designed to sound similar to those that might come from CEOs, CFOs and finance staff. The notes may begin with a simple greeting, such as "Hello, how are you," and inquire if the recipient is in the office, a seemingly natural query. Then they'll ask the potential victim to trigger a money transfer, issue a bank payment, or email a W2 or some other sensitive document. "There's no way to spy that as bad," Malone says. "The content is human-written so a spam filter won't pick it up and it's hard to detect because there are no links or attachments."

[ Related: Work in finance or accounting? Watch out for 'whaling' attacks ]

Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages. "You have to inspect the header of mail more intimately," says Wessland, who is responsible for safeguarding 200 employee email inboxes.

Throwing a net around the whaling problem

Vendors such as Microsoft, Proofpoint, Cloudmark and Mimecast are building tools to help companies defend against these attack. Mimecast, which makes cloud software designed to spot and quarantine phishing emails with malicious attachments and URLs, has just launched a tool designed to harpoon whaling. Called Impersonation Protect, the software's algorithms analyze the language content of emails as they come in through a corporate server. It looks for key indicators, beginning with whether the source name actually works for the company.

The software will then parse the email content for requests that includes keywords and phrases such as "W2" or "wire transfer," and provides a probability score that a target email is either safe or malicious. "One indicator in isolation is not bad, but two together could be fishy," Malone says. A third indicator -- and one unlikely to be caught by one of the corporate employees -- is that the attackers will register a domain similar to the victim company's name. For example, an attacker trying to spoof Mimecast employees might register the domain header "Minecast" and send email from it. CIOs can set policies in Impersonation Protect, programming it to reject suspicious mail or quarantine it for review, Malone says.

The Celtics’ Wessland says he will begin using Impersonation Protect in conjunction with Mimecast's URL and attachment-protection software this month. "Hopefully the automated tool will detect a lie and block or quarantine it and I can go and review it," Wessland says.

How afraid is Wessland of whaling attacks? About as afraid as he is of any cybersecurity threat and targeted attacks. He says he uses a number of desktop antivirus, gateway antivirus and application security tools to fend off attackers. "No matter what you do there always seems to be things that happen and that’s a concern," Wessland says. "All of those things keep me up at night."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags whaling

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Clint Boulton

CIO (US)
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?