Phishing is big business for criminals. But as targeted phishing campaigns, known as spear-phishing, continue to evolve, hackers don’t seem to be satisfied with small fish, aiming more often than ever for high-level and C-suite employees in attacks dubbed “whaling.”
“We believe there has been a recent uptick in whaling scams aimed at businesses, and we want to warn companies to alert their employees about this potential fraud,” Katherine Hutt, national spokesperson for the U.S. Better Business Bureau, said in a recent statement.
This increase is likely because there’s much to gain from the access granted via top-level executives. While gaining access through lower-level employees may grant scammers visibility into day-to-day operations, CEOs and CFOs can offer top-down access to all business operations.
Whaling, CEO Impersonation and BEC Attacks on the Rise
So, what is a whaling attack, specifically? According to Mimecast, “a whaling attack is a kind of phishing scam and CEO fraud that targets high-profile executives with access to highly valuable information. In a whaling attack, hackers use social engineering to trick users into divulging bank account data, employee personnel details, customer information or credit card numbers, or even to make wire transfers to someone they believe is the CEO or CFO of the company.”
But this isn’t the only type of attack aimed at higher-level executives that’s growing.
The BBB also warns businesses about a CEO impersonation scam, in which scammers reach out to employees “who can pay a large bill or provide wide-sweeping information” while posing as a CEO or CFO, which gives the request “legitimacy and urgency.” “Often, the request will be for a nonrecoverable wire transfer, and the scammer can pepper in details about the company or employee gained via online research or even through hacking emails,” the BBB notes.
Business email compromise (BEC) attacks are on the rise as well. In these attacks, criminals gain control of legitimate business email accounts and use them to move funds out of the business. The FBI notes in a July report that losses from BEC attacks were up 136 percent between December 2016 and May 2018. Similarly, a report from Mimecast released in August found an 80 percent increase in these types of impersonation attacks in the third quarter of 2018.
“Targeted malware, heavily socially engineered impersonation attacks and phishing threats are still reaching employee inboxes. This leaves organisations at risk of a data breach and financial loss,” said Matthew Gardiner, cybersecurity strategist at Mimecast, in a statement, ComputerWorld reports. “Our latest quarterly analysis saw a continued attacker focus on impersonation attacks quarter on quarter. These are difficult attacks to identify without specialised security capabilities, and this testing shows that commonly used systems aren’t doing a good job catching them.”
How to Protect Against Whaling Scams
What can businesses do to protect against scams that target high-level executives? For whaling scams in particular, the BBB offers the following tips:
- Be wary of short, generic messages. Scammers won't write a long email; they'll try to pass off something short and generic as harmless, hoping you'll click quickly without thinking.
- Double check before clicking or downloading. A mouse click is all it takes to inadvertently grant access to your computer, accounts and information, or unleash malware on your systems.
- Think about how you share. Never send sensitive, personal, or proprietary information via email, regardless of who's asking you for it.
- Watch out for emails to groups. Sending an email "from the CEO" to a staff or employee email list is the fastest way for a scammer to attack and affect an entire business.
- Set up processes. Make sure your company has a procedure for all requests involving sensitive information or payments, and make sure that procedure is followed. For particularly wide-reaching requests or large payments, require employees to check with their managers first.
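The BBB's red flags above (an executive's name on an unfamiliar mailbox, a message blasted to a staff list, a short note pressing for a payment) can be turned into a simple triage check that a mail team runs before a request reaches the approval process described in the last tip. The script below is an added example, not code from the article, the BBB or Mimecast; the domain, executive names, distribution lists and sample messages are constructed for illustration, and the scoring thresholds are assumptions a real deployment would tune.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed, hypothetical values for the illustration: the company's own mail
# domain, the executives most likely to be impersonated, and the distribution
# lists a scammer would want to hit in one send.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com",  # CEO
              "sam roe": "sam.roe@example.com"}    # CFO
GROUP_ALIASES = {"all-staff@example.com", "finance@example.com"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|urgent|asap)\b", re.I)
SHORT_BODY_WORDS = 40  # assumed cut-off for a "short, generic" message


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def body_text(msg):
    """Return the plain-text body of a parsed message (joins text/plain parts)."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload()


def triage(raw_message):
    """Score a raw RFC 5322 message against the whaling red flags above.

    Returns (score, reasons): one point per heuristic that fires. A score of
    two or more is worth holding for the out-of-band check the article
    recommends before any payment or data is released.
    """
    msg = message_from_string(raw_message)
    reasons = []

    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""

    # 1. Executive display name on a mailbox that is not the executive's own.
    real_addr = EXECUTIVES.get(display.strip().lower())
    if real_addr and sender != real_addr:
        reasons.append(f"display name '{display}' but sender is {sender}, not {real_addr}")

    # 2. Sender domain is a near-miss of the company's own (one character off).
    if sender_domain and sender_domain != INTERNAL_DOMAIN:
        label, internal_label = sender_domain.split(".")[0], INTERNAL_DOMAIN.split(".")[0]
        if edit_distance(label, internal_label) <= 1:
            reasons.append(f"look-alike sender domain {sender_domain}")

    # 3. Replies quietly diverted to a domain other than the one shown in From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append(f"Reply-To {reply_to} points away from the From domain")

    # 4. "From the CEO" to a whole list: one send reaches the entire business.
    recipients = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    hit_lists = sorted(recipients & GROUP_ALIASES)
    if hit_lists:
        reasons.append(f"sent to distribution list(s) {', '.join(hit_lists)}")

    # 5. Short, generic body that still asks for money or presses for urgency.
    body = body_text(msg)
    if len(body.split()) < SHORT_BODY_WORDS and PAYMENT_TERMS.search(body):
        reasons.append("short message with payment/urgency wording")

    return len(reasons), reasons


# Constructed sample messages (not real mail) to exercise the checks.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.invalid
To: finance@example.com
Subject: quick favour

Are you at your desk? I need an urgent wire sent today. Will send details.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: sam.roe@example.com
Subject: Q3 board deck

Sam, attached is the draft deck for Thursday. Please review sections 2 and 4 and
send me your comments by Wednesday morning so we can finalise the numbers with
the team. Thanks for turning this around quickly, I know the week is busy.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        score, why = triage(sample)
        print(f"{label}: score={score}")
        for r in why:
            print("  -", r)
```

The constructed suspect message trips all five checks, while the legitimate one trips none; in practice the score is a reason to hold the message and confirm the request by phone or in person, not a verdict on its own, since a compromised executive mailbox (the BEC case above) passes checks 1 to 3 and is caught only by the process controls in the last tip.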