22nd September 2020
Save the Whales (10)
It’s 4pm on Friday afternoon and unbeknown to you, you’re about to have the worst ending to your week that you’ve ever had in your career.
You’re the CFO of a company and you’ve had a tough week full of important meetings and high-pressure deadlines to meet. With the weekend in sight you are sat at your desk frantically trying to tie up all the loose ends you hadn’t got around to during the week. An email arrives in your inbox from the CEO:
I’ve just had an uncomfortable call with [name] from [supplier]. He said despite being promised payment the funds still haven’t arrived. He’s forwarded me the below invoice, can you make payment please as soon as possible, we need to keep these guys onside.
You open the email and within a minute you have subconsciously scanned the content, assessed the legitimacy of the email and made a decision to act on it. Your finance team have gone home and you are keen to give your CEO a positive response before the weekend. You logon to the online banking system and make a same day payment to the bank details on the invoice for £30,000.
Thanks for letting me know. Apologies for the oversight, payment now made. Have a good weekend.
You have just been the victim of a Whaling attack and it is quite unsettling how common this form of cyber-attack is. A whaling attack, also known as whaling phishing or a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company, as those that hold higher positions within the company typically have complete access to sensitive data. The example above is a relatively straightforward example but they are becoming increasingly more sophisticated with the addition of a phone which appears to come from a bona-fide number, for example a bank, but in fact the number has been spoofed. I have personally been the victim of a very convincing Whaling attack myself (unsuccessful I might add!). In fact, I know of two personal connections who have been a victim of a whaling attack both of which resulted in a material loss to their business. Whaling and similar attacks have cost businesses more than $1.2bn according to a study by the FBI.
So how can a cybercriminal successfully defraud a business savvy ‘C suite’ executive out of £30,000? The answer lies in the meticulous planning and slick execution of the attack targeted at a specific, high ranking individual within an organisation. In the scenario above the following key elements of the attack working collectively ensured this was a convincing and successful cyber-attack :
- Highly personalised
The cybercriminal had likely been planning the attack for a number of weeks, carrying out extensive research, such that on the execution of the attack they already know your names, how the CEO refers to you and how the CEO signs off his email. They know the suppliers to your business and the names of the key contacts you are dealing with and they have gained access to an invoice previously sent by a supplier.
- Extremely timely
The attack was carried out at a time to ensure maximum success. They know at 4pm on Friday afternoon you are more likely to be at your desk, not in meetings and your team are likely to have left the office. They know at this time you will be rushing to get things resolved before the weekend.
- Visually convincing
The email looks visually convincing. The email address will exactly match the CEO’s email address. If you use photo thumbnails in your emails a picture of your CEO will be displayed at the top of the email. The email will arrive in your inbox and will not be captured by your spam folder. The email signature will even be identical to the CEO’s. These are all things that can be spoofed relatively easily.
- Appropriate language
A request from a CEO will naturally get attention and create a desire to act quickly and it will usually apply pressure and make the recipient feel a sense of obligation. The language will be such that it places an expectation that a resolution is expected before the weekend. The request will usually ask for something to be actioned as soon as possible and provide a strong reason why it should be acted upon. The attacker will be proficient in writing the email in the style of language you would expect from a CEO.
This is only one example of a Whaling attack however attacks can take many, increasingly sophisticated forms but they all have a common objective of extorting monies or sensitive information from their victims.
What can a business do to mitigate the risk of Whaling attacks?
The first line of defence is to educate your team to ensure they are always alert to the possibility of being a target of a Whaling attack. Encourage your team to maintain a healthy level of suspicion when it comes to unsolicited contact especially when it pertains to financial or sensitive information.
- Verify any unusual requests through an independent channel
Call the person to verify the legitimacy of the request. If this is not possible then forward the email and enter their email address from the company address book to confirm the request.
- Increase privacy on social media channels
Social media channels are a goldmine of information for cyber criminals and it is recommended that senior executives enable privacy settings to restrict access to this information.
- Implement two step authorisation procedures
Ensure your online banking system requires separate users to setup and authorise payments.
- Invest in reputable cyber security software
Ensuring your communications software has multi layered cyber security protection will help to mitigate the risk of attack. In particular, the anti-phishing layer of protection will help to protect you against these types of attack.
The above process should be included as standard as part of your cyber management process. Cybercriminals work hard to circumvent your cyber security software, by adding in these steps and raising awareness throughout your organisation you will reduce the risk of being a cyber-attack victim.