A year ago, the general manager of Marketing 4 Restaurants, Tina Eling, received an email from her CEO saying that a payment to a supplier had slipped through the cracks and was now overdue. He asked her to transfer A$25,000 without delay.
It wasn’t a supplier she recognised, but following up with the CEO was tricky because the email had been sent while he was on a business trip to Chicago. At the time she sent a reply from Melbourne, she figured he’d be asleep.
What stopped Eling from simply doing as instructed was that the CEO was also her husband. She felt comfortable holding off on the payment until he’d woken up. It was then that they discovered they had narrowly dodged a whaling scam.
“Someone was obviously watching the company’s social media feed and saw that I was at a trade show,” recalls James Eling. “We’ve been on the receiving end of other email scams, but this one was scarier because it came from an email that said it was from me.”
The scammers had created a display name in Outlook that looked identical to the one the CEO uses – it was just that the email address had slightly different spelling.
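A defender-side check for the display-name trick described above, written as an added example rather than code from the article or from Marketing 4 Restaurants: it flags a message whose From: display name matches a known executive but whose address is a near-miss of the real one. The executive roster and all addresses are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed roster for the example: normalised display name -> real address.
EXECUTIVES = {
    "james eling": "james@example.com",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character spelling tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Classify a raw From: header as 'ok', 'lookalike', 'mismatch' or 'unknown'."""
    name, addr = parseaddr(from_header)
    key = re.sub(r"\s+", " ", name).strip().lower()
    expected = EXECUTIVES.get(key)
    if expected is None:
        return "unknown"          # display name is not an executive we track
    addr = addr.lower()
    if addr == expected:
        return "ok"               # name and address both match the roster
    # Same display name, different address. A tiny edit distance means the
    # address was crafted to look like the real one; anything else is an
    # outright mismatch (e.g. a free-mail account). Both deserve a hold.
    return "lookalike" if edit_distance(addr, expected) <= 2 else "mismatch"

if __name__ == "__main__":
    # Constructed sample headers illustrating each outcome.
    for hdr in ('James Eling <james@example.com>',
                '"James Eling" <james@examp1e.com>',
                'James Eling <james.eling@webmail.example>',
                'Supplier Billing <ap@vendor.example>'):
        print(f"{classify_sender(hdr):10s} {hdr}")
```

Any result other than "ok" for a payment request is the cue to confirm by a channel other than email, which is exactly what saved Marketing 4 Restaurants.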
The founder of Twynam Agricultural Group and one of Australia’s richest men, John Kahlbetzer, wasn’t so lucky.
His personal assistant was tricked into transferring A$1 million into a fraudster’s bank account in 2017 after receiving an email that appeared to come from her boss.
Since the FBI began tracking whaling scams in 2013, there have been a number of high-profile cases, such as a finance executive from Mattel wiring US$3 million to a bank in China, a Snapchat employee giving away large amounts of employee payroll data, and Belgian bank Crelan losing a whopping €70 million.
In 2016, the CEO and CFO of Austrian aircraft parts manufacturer FACC Operations GmbH were sacked after the company lost €40.9 million.
In Australia last year, 5,800 business compromise scams – a broader category than whaling – cost businesses more than A$7.2 million, according to the Australian Competition and Consumer Commission. The actual figure is likely much higher, as underreporting is an issue.
What is a whaling scam?
A typical whaling scam, also known as a C-level fraud or business email scam (BEC), involves a cybercriminal impersonating a C-suite executive over email – that is, phishing for a ‘big fish’. The request is deemed urgent and usually involves transferring funds or disclosing confidential information.
“By mimicking a high-ranking executive, it uses the influence they hold to drive immediate, unquestioning action. Whaling attacks are very much a hack against a human, rather than against a computer,” explains Craig McDonald, CEO of cybersecurity company Mailguard.
Unlike more familiar forms of cybercrime, whaling scams are notoriously difficult to detect because they do not usually contain a malicious attachment or suspicious URL.
A whaling attack often takes place when the CEO is on a business trip. Scammers obtain key travel dates from social media accounts or company media releases.
“If Tina can get out of her seat and come over to me and say, ‘Why am I paying this money to this organisation?’ it wouldn’t work, because I’d immediately say, ‘What organisation?’” explains James Eling. “But if I’m at a conference on the other side of the world and telling her it’s urgent, it’s different.”
According to Nick Lennon, country manager of email cloud services company Mimecast, attacks are becoming more sophisticated, and often include legitimate-looking branding and a series of emails being exchanged over days or months. In this case, scammers may impersonate a senior stakeholder who the subordinate would not ordinarily have day-to-day contact with.
“It paints a much more detailed picture around how that organisation works and who does what. This can allow a far bigger attack to take place,” he adds.
Staff should be particularly vigilant around tax time because scammers take advantage of the fact that requests for sensitive financial information are common around that period.
How to avoid getting whaled
“People often don’t know there’s a solution out there,” says Lennon. “They’re looking at how to manage a whaling scam after the incident, rather than recognising that they can get ahead of these types of threats.”
A suite of tools that helps organisations protect themselves from whaling is called targeted threat protection.
Awareness training for staff is also a vital part of building up a company’s defences. McDonald recommends showing staff actual whaling scam emails and telling them to be on the lookout for language that is uncharacteristic of their CEO.
“It requires organisations to look at their business processes because, in many ways, these attacks are exploiting poor processes that might allow a particular individual to have a lot of responsibility without much oversight,” adds Lennon.
CEOs should also be conscious of the way they use social media, he says.
“Ask yourself whether it’s meaningful business content or just personal data that can be used against you. Having a lot of personal data online helps an attacker create an impactful campaign that has a higher probability of getting through.”
For more information on whaling scams, visit the ACCC website.