Research Finds Sharp Increase in 'Whaling'

December 20, 2016

Whaling is not just another fish story. It’s a real threat. The terms whale phishing and whaling are used to describe a type of attack that targets the “big fish” in a company. More often, however, it is when someone impersonates the “big fish” in the company to trick employees into doing something that results in a financial gain to the criminal and a loss to the company. A survey conducted by Mimecast, Ltd. of 436 IT experts around the world found that 67% of the respondents saw an increase in fraudulent payment attacks and 43% reported an increase in attacks attempting to get confidential information such as tax or HR information.

Spearphishing is typically how whaling attacks are perpetrated. Someone will send an email pretending to be a CEO or other executive to an employee in the targeted department, such as accounting or HR. Often they will ask for wire transfers, which is what happened to Ubiquiti Networks, resulting in losses to that company of $46.7 million. In the case of Seagate, an employee was tricked into sending the income tax data of all employees by a scammer posing as the company’s CEO. And a Snapchat employee handed over payroll data to a scammer after being convinced it was a request from that company’s CEO.

Business Email Compromise (BEC) scams such as these are on the rise and according to the FBI have increased 270% since January of 2015. Therefore, it’s important to be aware of them and how not to fall victim.

  • Always confirm with the requester any wire transfers or transfer of sensitive information before taking any action. Do this by making a phone call to him or her, by emailing with a completely new email message (do not hit the reply button), or by walking to the requester’s office or desk. Doing this will take very little time, but could save your organization millions of dollars.
  • If there is not a process in place for multiple approvals for wire transfers, put one in place. The more people that see such requests, the less likely a fraudulent one will slip through.
  • Be wary of any email request that seems so urgent that you don’t have time to verify it. If you are made to believe it’s just too urgent to confirm, it should be considered a big red flag that it is a scam.
  • Never give out login credentials to anyone, especially if they are requested in email. Email is usually not a secure form of communication, so anything you send may travel in plain text, where anyone looking to steal credentials can easily read it.
  • Use caution in what you post on social media and networking websites. Often, the scammers find out whom to target in spear-phishing using sites like LinkedIn.
  • Get training on cyber security or provide training if you have the authority and ability to do so. If you can’t do it yourself, there are many qualified and reputable companies that will provide everything from annual training, to ongoing training and testing on cyber security threats.
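The impersonation pattern described above (an executive’s name on a message that does not come from the executive’s real mailbox, asking finance or HR for money or tax data) can also be checked automatically before the mail reaches an inbox. The following is an added example, not code from the article or from Mimecast; the company domain, the executive list, the keyword list and both sample messages are constructed for illustration.

```python
"""Flag inbound mail that looks like executive impersonation (whaling / BEC).

Added example. COMPANY_DOMAIN, EXECUTIVES, RISKY_TERMS and the two sample
messages below are all constructed, not taken from any real organisation."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # assumed: display name -> real mailbox
RISKY_TERMS = ("wire transfer", "w-2", "payroll", "tax data", "urgent", "immediately")


def assess(raw_message):
    """Return {'suspicious': bool, 'reasons': [...]} for one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender, reply_to = sender.lower(), reply_to.lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    identity_flags = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and sender != real_mailbox:
        # The display name says "CEO", but the address behind it is not the CEO's mailbox.
        identity_flags.append(f"display name '{name}' belongs to {real_mailbox}, sender is {sender}")
    if reply_to and reply_to.split("@")[-1] != sender.split("@")[-1]:
        # Replies are silently routed to a mailbox the attacker controls.
        identity_flags.append(f"Reply-To {reply_to} uses a different domain than From")

    request_hits = [term for term in RISKY_TERMS if term in text]
    reasons = list(identity_flags)
    if request_hits:
        reasons.append("money/data-request language: " + ", ".join(request_hits))
    # An identity mismatch alone is worth logging; combined with a request for money
    # or sensitive data it should be held for the out-of-band confirmation the article recommends.
    return {"suspicious": bool(identity_flags) and bool(request_hits), "reasons": reasons}


# Constructed sample messages: one spoofed request, one genuine message from the real mailbox.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.office@mail-example.net>
To: payroll@example.com
Subject: Urgent wire transfer

I'm in a meeting and need you to process a wire transfer immediately. Confirm when done.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q1 payroll calendar

Please send me the payroll calendar for Q1 when you have a moment.
"""
```

Note that the genuine message still mentions "payroll" but is not flagged, because the identity checks pass; only the combination of a mismatched sender and request language is treated as suspicious.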

Whaling and other types of phishing are not going away any time soon. That’s because they work. No industry is immune and smaller organizations are being targeted more often. So, don’t get complacent and let the phishers hook you, even if you think you are just a small fish.

© Copyright 2016 Stickley on Security