Whaling emerges as major cybersecurity threat

Fraudsters are using legitimate executive names and email addresses to dupe unsuspecting employees to wire money or sensitive documents to their accounts. The CTO of the Boston Celtics, for one, is fighting back.

A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.


Jay Wessland, CTO of the Boston Celtics.

"We have seen a few of those," says Jay Wessland, CTO of the Boston Celtics. He says a typical example he's seen involves someone pretending to be the CEO or CFO who emails a high-level employee in the finance department to wire money or send W2 tax forms. He says whaling attacks, a form of business email compromise also known as "CEO fraud," have increased over the past few months.

FBI says whaling becoming big trend

Whaling is becoming a big enough issue that it has landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $US2.3 billion in losses over the past three years. Victims have been reported in every US state and in at least 79 countries. The FBI said that it has seen a 270 per cent increase in identified victims and exposed losses from CEO scams since January 2015. For example, Mattel lost $US3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.


Unlike typical phishing or spearphishing scams, which carry a malicious URL or attachment, whaling is a pure social engineering hack that targets the trust relationships between employees, says Steve Malone, director of security product management at Mimecast. Whaling fraudsters either gain access to an executive's email inbox, or email employees from a fake domain name that appears similar to the legitimate domain name. They ask the intended recipient to take some action, such as moving money from a corporate account to an account the fraudster has set up, Malone says.

An example of a whaling email scam.

Often, the language and phrasing of the email request are designed to sound similar to those that might come from CEOs, CFOs and finance staff. The notes may begin with a simple greeting, such as "Hello, how are you," and inquire if the recipient is in the office, a seemingly natural query. Then they'll ask the potential victim to trigger a money transfer, issue a bank payment, or email a W2 or some other sensitive document. "There's no way to spy that as bad," Malone says. "The content is human-written so a spam filter won't pick it up and it's hard to detect because there are no links or attachments."


Wessland says such attacks are impossible to pick up with basic spam-filtering technologies, noting that hackers will simply keep creating new fake domains from which to send their targeted messages. "You have to inspect the header of mail more intimately," says Wessland, who is responsible for safeguarding 200 employee email inboxes.

Throwing a net around the whaling problem

Vendors such as Microsoft, Proofpoint, Cloudmark and Mimecast are building tools to help companies defend against these attacks. Mimecast, which makes cloud software designed to spot and quarantine phishing emails with malicious attachments and URLs, has just launched a tool designed to harpoon whaling. Called Impersonation Protect, the software's algorithms analyze the language content of emails as they come in through a corporate server. It looks for key indicators, beginning with whether the sender's name belongs to someone who actually works for the company.

The software then parses the email content for requests that include keywords and phrases such as "W2" or "wire transfer," and produces a probability score indicating whether an email is safe or malicious. "One indicator in isolation is not bad, but two together could be fishy," Malone says. A third indicator -- and one unlikely to be caught by a corporate employee -- is that the attackers will register a domain similar to the victim company's name. For example, an attacker trying to spoof Mimecast employees might register the lookalike domain "Minecast" and send email from it. CIOs can set policies in Impersonation Protect, programming it to reject suspicious mail or quarantine it for review, Malone says.
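To make the three indicators concrete, the following is an added Python example written for this page (it is not Mimecast's code) that scores constructed messages on a staff display name arriving from a non-corporate domain, a lookalike sending domain, and money or W2 request phrases, and applies the "one indicator is fine, two are fishy" rule as a verdict. The corporate domain, staff names and phrase list are assumptions.

```python
from email.utils import parseaddr

# Constructed policy for a hypothetical company: its domain, the display names
# its executives use, and phrases typical of a payment or W2 request.
CORP_DOMAIN = "example.com"
KNOWN_SENDERS = {"jane ceo", "john cfo"}
RISK_PHRASES = ("w2", "wire transfer", "wire money", "bank payment")


def edit_distance(a, b):
    """Levenshtein distance; a small non-zero distance to the corporate
    domain marks a registered lookalike (the page's 'Minecast' vs 'Mimecast')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def whaling_indicators(from_header, body):
    """Return the list of indicators one inbound message trips."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    hits = []
    # 1. The display name is one of our executives, but the mail is external.
    if name.strip().lower() in KNOWN_SENDERS and domain != CORP_DOMAIN:
        hits.append("staff-name-external-domain")
    # 2. The sending domain is a near-miss of the corporate domain.
    if domain != CORP_DOMAIN and 0 < edit_distance(domain, CORP_DOMAIN) <= 2:
        hits.append("lookalike-domain")
    # 3. The body asks for money or sensitive tax documents.
    found = [p for p in RISK_PHRASES if p in body.lower()]
    if found:
        hits.append("risk-phrase:" + ",".join(found))
    return hits


def verdict(hits):
    """Policy from the text: one indicator alone is tolerable, two are not."""
    if len(hits) >= 2:
        return "quarantine"
    return "flag" if hits else "deliver"


if __name__ == "__main__":
    # Constructed sample: 'exarnple.com' swaps 'rn' for 'm' in the real domain.
    fraud = ("Jane Ceo <jane.ceo@exarnple.com>",
             "Hello, how are you? Are you in the office? Please wire transfer $40k today.")
    legit = ("Jane Ceo <jane.ceo@example.com>", "Can you send me the W2 forms?")
    for hdr, body in (fraud, legit):
        print(hdr, "->", verdict(whaling_indicators(hdr, body)))
```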

The Celtics’ Wessland says he will begin using Impersonation Protect in conjunction with Mimecast's URL and attachment-protection software this month. "Hopefully the automated tool will detect a lie and block or quarantine it and I can go and review it," Wessland says.

How afraid is Wessland of whaling attacks? About as afraid as he is of any other cybersecurity threat or targeted attack. He says he uses a number of desktop antivirus, gateway antivirus and application security tools to fend off attackers. "No matter what you do there always seems to be things that happen and that's a concern," Wessland says. "All of those things keep me up at night."


Stories by Clint Boulton
