Cyber security experts have seen an increase in whaling attacks—also known as business email compromise (BEC)—whereby a cyber criminal impersonates a colleague by email. The cyber criminal uses the relative seniority of the colleague—the ‘whale’—to phish the employee and achieve their end; often a bank transfer to an unsanctioned recipient.

Over recent years we’ve seen plenty of evidence for the increasing sophistication of criminally motivated cyber attacks, with attacks becoming more targeted; involving more research, but with a much higher success rate.

While these scams look simple, they can be highly profitable. The attack on Ubiquiti last year reportedly saw $46 million in losses, resulting from a carefully crafted email campaign. The USA’s FBI recently stated that the average loss per reported whaling attack is nearly $100,000. The reported successes of these attacks seem to be triggering their increase.

How a whaling attack is carried out:

1. Attacker researches organisation:

The cyber criminals identify who their targeted organisation’s CEO is, and the members of the organisation who work in the finance department. This open source information typically found on corporate websites and online services such as LinkedIn.

2. Attacker registers similar domain name:

Once the information has been gathered, the attacker may register a domain that is visually similar to their target’s brand. For example, if attacking a company that owns ‘organisation.com’ they may register ‘orqanisation.com’.

3. Attacker sends fraudulent email:

The attacker may craft an email to finance staff pretending to be the CEO and using the domain they have registered. The email is typically well-structured, including the CEO’s correct name, spelling and telephone number, making it more difficult to identify its illegitimacy.

4. Finance staff tricked by email:

In a successful attack, the victim believes the email is genuine and cooperates with the attacker. The attacker will continue pretending to be the CEO and ask for a transfer to be made to a specific bank account.

5. Bank transfer initiated:

Unaware of the scam, the finance staff use the information given by the attacker to create a bank transfer, typically through a BACS transfer. The attacker will target individuals with single sign off approval for financial transactions so the process can be completed quickly. If the attack is not noticed within the next few days, then recovering the funds may be impossible.

The attacker does not need any malware, technical expertise or significant understanding of financial systems. Hence, the barrier to entry for such activity is low.

These attacks can be highly successful. Many organisations are unprepared for, and unaware of the risks of such scams, and the losses can be significant. 

How to prevent a ‘whaling’ attack:

  1. Educate senior management and financial employees so they can spot phishing emails and have reporting procedures in place for suspicious mail. Regular phishing exercises can be used to increase awareness.
  2. Technology, which can automate a warning messages at the top of an email to alert users when an email originates from outside of the corporate network, can also be introduced.
  3. Services that offer domain registration alerts should also be considered, alerting the business when domains are created closely resembling their business’ domain. Registration of spoofed domains may be an early warning of an imminent attack.
  4. Companies may also wish to review payment authorisation procedures, for example tightening the checks on newly added recipient accounts, particularly those overseas.

Organisations need to look to their own defences to mitigate the risks associated with whaling attacks. While perpetrators continue to succeed at eliciting significant funds from the ‘big fish’, the tactic will only become more common.