According to a survey Mimecast published in December 2015, 55% of respondents stated that whaling attacks have increased in frequency in the past three months. This increase in whaling attacks could mean losses in the millions of dollars for victim companies because these attacks are highly lucrative for attackers. Whaling is a specific form of phishing, where attackers target senior executives (“whales”) of a company rather than any user (“phish”).
A recent whaling attack occurred in March 2015. An employee at a mid-sized business in Ohio received an email from her boss, the CFO, who was out of town. The email directed her to wire transfer $315,000 to China. She had received similar emails from her boss, requesting amounts much higher. She put in a request to the finance department and the request went through. However, something about the email struck her as odd and she was able to cancel the transaction. After scrutinizing the email, she found that the domain name of the email was similar to her company’s domain name but not an exact match.
Not all whaling attacks end on a happy note like this story did.
A similar whaling attack hit Ubiquiti in August 2015, but the attackers got away with $46 million.
Whaling attacks are a global problem threatening all businesses. The FBI stated that businesses worldwide have lost more than $1.2 billion to whaling attacks.
Mitigating these attacks is difficult because their tactics are basic yet effective. Whaling attacks are characterized by the following attributes.
Requires Extensive Research
The success of a whaling campaign hinges on gaining the target’s trust. If the recipient doesn’t trust the whaling email, then the scam won’t work. To gain a recipient’s trust, attackers do extensive research about individual targets using social media. They also leverage information found on a corporate website to make the email sound and appear more legitimate.
Uses a Compromised Account or Spoofed Domain
After the researching phase, attackers do one of the following to further gain the target’s trust.
- They use phishing emails in an attempt to compromise a CEO’s email account.
- Or they create a spoofed domain name that looks similar to the company’s domain name (e.g., examp1e.com as opposed to example.com).
Attackers then send emails from the compromised email account or the spoofed domain. If the email appears to come from someone the recipient trusts, the recipient is less likely to be suspicious of it and more willing to do what the email says, especially when the email appears to come from the CEO. This is the case in 72% of attacks.
Uses Specific Targets
Whaling campaigns target specific individuals or small groups within a company. This can range from only a handful of people to a thousand. In the first example, the group targeted was the finance staff. Under the guise of the CEO or CFO, attackers target employees who have access to money and are familiar with these types of requests.
Lack of Links and Attachments
In the past, whaling emails contained links or attachments and instructed recipients to click on them, thereby infecting the recipient’s computer with malware. Although attackers still use links/attachments in their attacks, in this latest iteration of whaling, Mimecast found that the whaling emails have not contained links or attachments. The lack of links and attachments, combined with the well-written nature of the emails, means that they can slip past spam and phishing filters more easily.
Requests a Wire Transfer
Whaling emails request finance employees to wire transfer money to the attacker’s account. As was the case with the Ohio-based company and Ubiquiti, an employee may feel confident in the legitimacy of an email from the CEO and transfer money wherever the email directs.
How to Avoid Whaling
Whaling attacks are basic but costly. As with all social engineering attacks, education goes a long way to helping strengthen security, but there’s no reason to stop there. Below are a few tips for avoiding whaling attacks.
- Use two-factor authentication for email to avoid accounts becoming compromised.
- Establish a verification process for transferring funds, such as face-to-face verification or verification over the phone. When using email for requesting wire transfers, teach employees to scrutinize domain names.
- Utilize an email filtering system for inbound emails that flags emails sent from similar-looking domain names.
- Use mock whaling attacks against employees to teach them how easy it is to be tricked.
- Monitor for domain names that are similar to the company’s domain name, using a service such as DigiCert’s Certificate Monitoring.
- Use Client Certificates as another way to verify the legitimacy of inbound emails.
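To illustrate the tip about flagging similar-looking sender domains, the following Python example is added here and is not code from Mimecast, DigiCert or the original article. The protected domain (example.com), the substitution table, the two-edit threshold and the sample headers are all assumptions constructed for the illustration.

```python
# Added example: flag inbound sender domains that resemble, but do not match,
# a protected domain. Names, threshold and sample data are assumptions.
from email.utils import parseaddr

# Character substitutions often seen in lookalike domains (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def skeleton(domain: str) -> str:
    """Fold visually confusable characters so examp1e.com compares equal to example.com."""
    d = domain.lower().strip(".").translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, protected: str = "example.com", max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == protected:
        return "internal"
    # Not an exact match, but identical after folding or only a few edits away.
    if domain and edit_distance(skeleton(domain), skeleton(protected)) <= max_dist:
        return "lookalike"
    return "external"

# Constructed sample From headers.
SAMPLES = [
    '"Pat Lee, CFO" <pat.lee@example.com>',
    '"Pat Lee, CFO" <pat.lee@examp1e.com>',
    "Pat Lee <pat.lee@exarnple.com>",
    "Pat Lee <pat.lee@example.co>",
    "Newsletter <news@partner-bank.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

A check like this only covers the spoofed-domain case; mail sent from a genuinely compromised account matches the protected domain exactly, which is why the verification process for fund transfers is still needed.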
Whaling attacks are only effective because of human error. Educating yourself as well as other employees, and implementing the right security measures will greatly decrease the chances of an enterprise falling victim to a whaling attack.