Fraud takes on many forms and claims many victims: there were over 14 million people affected in 2018 and losses were above $1.7 billion, but statistics on identity theft don’t tell the whole story. Scammers who seek to steal money from people are continuously devising new ways to do so, and a new version of spear phishing, called whaling, is cropping up everywhere.
Spear phishing is an email scam through which perpetrators attempt to get individuals to divulge personal information by posing as an authority figure from a bank, a school, a utility, or the government. A typical phishing attack may use some previously-stolen information, such as a bank account number or birthdate, to mimic the appearance of an official communication. The emails generally use words like “confirm your information” or “resubmit your PIN number” to elicit the data needed to hack the individual’s account.
Whaling, or CEO fraud, is a higher-level spear phishing communication, and it’s more sophisticated as well. In general, these emails appear to come from a superior at the victim’s place of employment, and usually include instructions for moving funds to an outside account or for releasing sensitive company information.
Why it’s important
Losing a significant amount of money to a CEO fraud scheme can set a company back in many ways, including delaying plans for expansion or roll-out of new products. In the highly-competitive tech market in particular this effect could spiral and result in damage to the company that’s hard to recover from. Losing data is similar, whether it’s proprietary product information, customer information, or even a strategic planning tool. Each can set a company back, give an edge to competitors, or even create a liability issue with customers that results in lawsuits over the lost information.
There are four basic parts to a CEO fraud attack:
- the email address of the sender is spoofed so that it appears to be coming from within the company;
- the scammer has prior knowledge that the CEO or other corporate officer being impersonated is away and cannot be reached for confirmation;
- the message has a sense of urgency and secrecy, sometimes including demanding a statement of confidentiality from the employee asked to transfer the data or funds, and
- the target, or employee who acts on the information, is specifically chosen for his position in the company – he is too junior to recognize the unlikelihood of a manager or CEO telling him to carry out this task, yet has enough of the right passwords and authorizations to access the data or account desired by the scammer.
Ways to combat whaling
Training employees and educating them about the presence of such a threat is important. Rather than overwhelm a new hire with information, linking education about fraud and phishing scams to newly-attained levels of authority can be more effective. Congratulations to the junior executive on his achievement but clearly point out, and have him acknowledge in writing, that there are potential pitfalls to be aware of, including such schemes. Employees should be made aware, up front, that their bosses will never ask them to redirect company funds or assets to outside accounts.
The company culture, depending on the number of employees, should be enhanced so that employees don’t feel isolated and unable to question directives or interrupt their superiors to double-check on the authenticity of incoming messages. People who are under stress, overworked, and highly competitive are those who may follow through on a CEO fraud email without thinking twice.
Some companies set up automated tests for their employees, sending spear phishing and whaling emails at random intervals to ensure that training will prevent disclosure of sensitive information. Those who fall prey to the test emails are sent for further education on the matter.
It is also possible to improve the way incoming emails are filtered so that fewer of the spoofed addresses get through to their intended recipients. Test “pings” may be sent back to sender’s accounts to ensure authenticity, and those accounts that show different originating and “reply to” addresses can be rejected.
CEO fraud is a serious issue for most businesses, complicating relationships with customers, adding to investment in employee training, and requiring vigilance.
Daniel William is Content Director and a Cyber Security Director at IDStrong. His great passion is to maintain the safety of the organization’s online systems and networks.
He knows that both individuals and businesses face the constant challenge of cyber threats. Identifying and preventing these attacks is a priority for Daniel.