In previous years, the first clue that your corporate email has been compromised would be a poorly-spelled and grammatically incorrect email message asking you to send thousands of dollars overseas. While annoying, it was pretty easy to train staff members to see these as fraud and report the emails. Today’s cybercriminals are much more tech-savvy and sophisticated in their messaging, sending emails that purport to be from top executives in your organization, making a seemingly-reasonable request for you to transfer funds to them as they travel. It’s much more likely that well-meaning financial managers will bite at this phishing scheme, making CEO and CFO fraud one of the fastest-growing ways for cybercriminals to defraud organizations of thousands of dollars at a time. Here’s how to spot these so-called whaling schemes that target the “big fish” at an organization using social engineering and other advanced targeting mechanisms.
Phishing emails are often a bit more basic, in that they may be targeted to any individual in the organization and ask for a limited amount of funds. Whaling emails, on the other hand, are definitely going for the big haul, as they attempt to spoof the email address of the sender and aim pointed attacks based on information gathered from LinkedIn, corporate websites and social media. This more sophisticated type of attack is more likely to trick people into wiring funds or passing along PII (Personally Identifiable Information) that can then be sold on the black market. Few industries are safe from this type of cyberattack, while larger and geographically dispersed organizations are more likely to become easy targets.
What is particularly troubling about this type of email is that they show an intimate knowledge of your organization and your operating principles. This could include everything from targeting exactly the individual who is most likely to respond to a financial request from their CEO to compromising the legitimate email accounts of your organization. You may think that a reasonably alert finance or accounting manager would be able to see through this type of request, but the level of sophistication involved in these emails continues to grow. Scammers include insider information to make the emails look even more realistic, especially for globe-trotting CEOs who regularly need an infusion of cash from the home office. According to Kaspersky, no one is really safe from these attacks — even the famed toy maker Mattel fell to the tactics of a fraudster to the tune of $3 million. The Snapchat human resources department also fell prey to scammers, only they were after personal information on current and past employees.
The primary method of protection is ongoing education of staff at all levels of the organization. Some phishing or whaling attacks are easier to interpret than others and could include simple cues that something isn’t quite right. Here are some ways that you can potentially avoid phishing attacks:
There are no hard and fast rules that guarantee your organization will not be the victim of a phishing attack. However, ongoing education and strict security processes and procedures are two of the best ways to help keep your company’s finances — and personal information — safe from cyberattack.