Australian business executives are proving to be desirable targets for scammers, who have been remarkably successful at using business email compromise (BEC) schemes (also known as 'whaling') to wring millions of dollars from unwitting victims. Yet even as they struggle to clamp down on losses from scammers' breaches of the so-called 'human firewall', those same businesses are also becoming key contributors to efforts to stop BEC in its tracks.
Human scepticism is the main way to accurately identify whaling emails, which are carefully worded to convince unwitting staff to transfer money – purportedly on the instructions of CEOs, CFOs or other business executives – that ends up going straight to the scammers' wallets. BEC fraud cost businesses more than $US2.3 billion ($A3b) from late 2013 to early 2016, according to recent figures from an analysis by the US FBI, and the losses continue to pile up as crafty scammers scour LinkedIn, Facebook and other resources to build up convincing profiles of their targets.
Whaling emails are hard for conventional security tools to spot: those tools have traditionally focused on checking file attachments and links, and have little efficacy against mails consisting mostly of plain text. Email filtering technology has no reason to filter such innocuous-looking messages, which are delivered straight to the victim with an exhortation to act quickly.
“These emails are designed in a way that there's no malware payload and nothing that an antivirus or malware engine is going to detect,” says Nicholas Lennon, country manager at Mimecast.
“In Australia, we're seeing fairly targeted attacks that are looking at specific organisations. It's embarrassing for IT because they have to explain to executives that whaling messages aren't really spam, and that there are reasons their security products couldn't pick them up.”
Lennon and his Mimecast colleagues have been working with Australian customers to explore the common wording and phrasing that characterises whaling emails, helping identification efforts even though whaling emails lack the telltale signs of typical malware such as dodgy URLs or malformed attachments.
This analysis has identified five key indicators of a BEC email, each of which can be protected against in a different way. For example, a whaling email will always appropriate the name of an internal employee as the supposed sender, but this can be checked against an Active Directory profile and against the email server's records of mails actually sent by that person. The second telltale sign is similar: the Reply-To address of the message doesn't match the correct company address for the alleged sender.
Another common tactic used by scammers, Lennon said, is to play on the shape of letters to send mail from domain names that look similar to the actual domain being targeted – for example using mirnecast.com instead of mimecast.com. This trick has been around for a long time and is easy for security systems to spot by applying fuzzy matching to the domain names of sending addresses.
Dictionary terms offer another angle, since many whaling emails rely heavily on words associated with a particular activity. For example, an email containing the words 'transfer', 'urgent', 'supplier' and 'payment' together with a dollar value should be enough to raise a warning flag. Mimecast was able to develop common vocabularies for whaling emails targeting different types of staff, then use these to proactively flag similar incoming mails.
Also typical of whaling emails is their reference to information that attackers have gleaned from social media. For example, if an Australian CEO posts on her Facebook page that she is about to leave on a trip to the United States, attackers know they have at least 14 hours to instigate a whaling fraud; if they can apply enough pressure on the victim in the CEO's absence, the transfer can be complete before the CEO lands.
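The four machine-checkable indicators described above (spoofed internal sender name, Reply-To mismatch, lookalike sending domain, and wire-transfer vocabulary plus a dollar value) can be scored by a mail gateway or a SOC triage script. The following is an added illustration written for this article, not Mimecast's Impersonation Protect code or its rules. It assumes a company domain of example.com, a constructed two-person staff directory standing in for an Active Directory lookup, a small keyword list taken from the article's example, and two constructed sample messages; the fifth indicator (social-media context) is left to human judgement.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a constructed internal directory (a stand-in for
# the Active Directory lookup a real gateway would perform).
COMPANY_DOMAIN = "example.com"
INTERNAL_STAFF = {
    "jane doe": "jane.doe@example.com",  # constructed CEO entry
    "sam lee": "sam.lee@example.com",    # constructed CFO entry
}

# Vocabulary from the article's example; a real deployment would build
# per-role vocabularies from observed whaling mail.
WIRE_KEYWORDS = {"transfer", "urgent", "supplier", "payment", "wire", "invoice"}
MONEY_RE = re.compile(r"(?:\$|AUD|USD)\s?\d[\d,]*(?:\.\d+)?", re.IGNORECASE)

# Glyph sequences that are swapped to build lookalike domains ("rn" for "m", etc.).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalise_confusables(label: str) -> str:
    """Collapse confusable glyph runs so that 'mirnecast' compares equal to 'mimecast'."""
    out = label.lower()
    for bad, good in CONFUSABLES:
        out = out.replace(bad, good)
    return out


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str) -> bool:
    """True when `domain` differs from `legit` but is confusable with it or one edit away."""
    if not domain or domain == legit:
        return False
    if normalise_confusables(domain) == normalise_confusables(legit):
        return True
    return levenshtein(domain.lower(), legit.lower()) <= 1


def _text_of(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_email: str) -> dict:
    """Return the whaling indicators that fire for a raw RFC 822 message and a simple score."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
    text = (msg.get("Subject", "") + "\n" + _text_of(msg)).lower()

    indicators = []
    # 1. Display name belongs to a known employee but the address is not theirs.
    expected = INTERNAL_STAFF.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append("spoofed_internal_name")
    # 2. Reply-To points somewhere other than the claimed sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        indicators.append("reply_to_mismatch")
    # 3. Sending or reply domain is a lookalike of the company domain.
    if is_lookalike(from_domain, COMPANY_DOMAIN) or is_lookalike(reply_domain, COMPANY_DOMAIN):
        indicators.append("lookalike_domain")
    # 4. Wire-transfer vocabulary combined with a dollar amount.
    hits = set(re.findall(r"[a-z]+", text)) & WIRE_KEYWORDS
    if (len(hits) >= 2 and MONEY_RE.search(text)) or len(hits) >= 3:
        indicators.append("wire_vocabulary")
    return {"indicators": indicators, "score": len(indicators)}


# Constructed sample messages for demonstration only.
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: <ceo.janedoe@examp1e.com>
To: accounts@example.com
Subject: Urgent supplier payment

Hi, I'm boarding a flight shortly. Please make an urgent transfer of $48,500
to the new supplier account below before end of day. Payment details to follow.
"""

BENIGN_SAMPLE = """\
From: Sam Lee <sam.lee@example.com>
To: jane.doe@example.com
Subject: Lunch

Shall we do the team lunch on Thursday? I'll book the usual place.
"""

if __name__ == "__main__":
    print(analyse(WHALING_SAMPLE))  # all four indicators fire, score 4
    print(analyse(BENIGN_SAMPLE))   # no indicators, score 0
```

A score of one or two is worth a human look rather than an automatic block, which matches the observation in the article that most real whaling mails hit only one or two of the indicators.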
Building a base of effective rules is helping anti-whaling technology improve dramatically, and Lennon says Mimecast's Impersonation Protect service – which enforces these and other rules in the cloud – has seen strong adoption since it was introduced earlier this year.
“By using those points to identify whaling, we were able to help out clients build out a bigger-picture view,” Lennon said. “In some cases all those characteristics were met; more often than not, there might only be one or two of these. But we were able to identify that this looks suspicious.”
Yet technology is only one part of the defence against whaling: executives at all levels must be educated and continuously reminded not to publicly share information about their personal lives, movements and so on, and all staff should be educated to be sceptical when receiving an email instructing them to send money anywhere.
Businesses should also review their approval processes for any financial transfers and implement a layered approval process that prevents one employee from being tricked into unilaterally sending large transfers to anybody. These processes can be tested by regularly running simulated whaling campaigns and seeing how employees and executives respond.
In the long term, growing analysis of known whaling attacks will continue to inform industry efforts to stop whaling perpetrators in their tracks. Mimecast has just partnered with human phishing defence company PhishMe to form the Cyber Resilience Coalition, a framework designed to unite security firms in the effort against whaling.
“With the shift to cloud solutions like Microsoft Office 365, organisations are really looking to shore up their security defences,” Lennon said. “They're moving from using security technology alone to having resilience, testing recovery and education as part of their cyber strategy. Hackers these days have a lot more experience in how users perform – which is why we're making this whole issue a C-level discussion.”