Whaling 101 - What You Need to Know About CEO Fraud Email Attacks


Have you ever received an email out of the blue advising your parcel has “experienced an exception” or alerting you that you’re due a refund from your phone company and asking you to click a link?

If so, you probably already know that you’ve been the target of an indiscriminate phishing campaign designed to trick you into divulging personal details that can be used to defraud you later.

But as the public – and traditional email security gateways – have become more aware of the phishing risk, scammers have been evolving their techniques. Rather than spamming out relatively easily detected mass email campaigns, they’re spending time identifying targets, learning about them and setting up a bespoke con to trap them.

Their new target is senior executives with authority to make large payments for their company and they are prepared to put time and effort into deceiving them. The ubiquity of social media makes it easy for scammers to learn the who’s who of an organization, mimic and perfect their writing style and follow their movements.

Once these phishing elite have researched their target, they set up a sting: a carefully written email, sent at just the right time, pretending to be another exec requesting an urgent payment or a download of some sensitive company information. There’s no malware attached, no dubious web link leading to a hacked web server – just a brief, text-only email ‘from one exec to another’ asking for assistance.

Data under threat

Company funds aren’t the only target. Whaling scams often target sensitive personally identifying information (PII) that can be used to perpetrate wider fraud. For example, human resources databases carry all the sensitive details needed to commit identity theft on staff.

Once a scammer has each employee’s full name, home address, date of birth, email address and so on, they’ll be perfectly equipped to open fraudulent credit cards, loans and other types of accounts in their names.

Where customer details are involved, loss of business and reputational damage may be significant. Staff and customers may find that phone and internet services are set up in their name then used to defraud others – the chain reaction may be exponential once a high quality database is on the black market.

Cleaning up this kind of identity theft risk can be publicly embarrassing and damaging to workforce and public relations. Regardless of the fact that the information disclosure was triggered by a scammer, a company may be held liable for failing to protect employees’ details, and inappropriately emailing sensitive, personally identifying information.

Every boss has a boss

According to the FBI, CEO fraud has shot up by 270% since January 2015 and has cost businesses around the world at least $3bn (£2.3bn) over the past three years. Whaling scams typically target “C” level executives with authority to avoid time-consuming processes and make direct electronic funds transfers, or direct staff to download sensitive information.

But unlike some kinds of honest mistake, losses from whaling scams may not be so easily explained away. Nobody felt this more acutely than the former CEO of Airbus and Boeing supplier FACC, Walter Stephan, who was removed by the company’s board after a 27-year tenure.

The company didn’t mince its words when it issued a public statement saying Mr Stephan had “severely violated his duties” after being tricked by a whaling scam that saw the company transfer $60 million to a con artist who had used whaling emails to impersonate the company’s president. The company’s CFO, Minfen Gu, was also terminated.

Look outside the email: How to detect whaling

The right software is key, as detecting whaling on sight is far trickier. Intelligent email security needs to examine every part of an email – not just its content – to gather hints about its legitimacy.

Key areas that need to be assessed include the age of the sender’s domain and its similarity to the sender’s genuine domain. One of whaling scammers’ favorite tricks is to substitute one or two letters in a company domain with similar-looking letters; the right email security needs to be able to pick this up.

Dictionary analysis, which monitors for certain words within the email, is vital. Just as “Viagra” was a giveaway in the early days of spam, there are common phrases associated with whaling scams, including: pay invoice, tax details and wire transfer.

Finally, has the sender specified a different reply-to address for the email? This may be designed to disguise fraud and ensure email replies end up with the scammer, not a staff member.
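The four checks above (domain age, look-alike sender domain, dictionary phrases and a mismatched Reply-To) combined into one scoring routine, as an added example that is not code from the article or from any product it describes. The genuine domain, the 30-day age threshold, the homoglyph table and the sample message are all constructed for the example.

```python
import email
from email import policy

# Constructed values: the organisation's real domain (assumed) and the article's whaling phrases.
GENUINE_DOMAIN = "examplecorp.com"
WHALING_PHRASES = ("pay invoice", "tax details", "wire transfer")
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common look-alike swaps (heuristic)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one- or two-letter substitutions in a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain: str) -> bool:
    """True if the domain imitates GENUINE_DOMAIN without being it."""
    if sender_domain == GENUINE_DOMAIN:
        return False
    folded = sender_domain
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded == GENUINE_DOMAIN or edit_distance(sender_domain, GENUINE_DOMAIN) <= 2

def score_message(raw: str, sender_domain_age_days: int) -> dict:
    """Collect the indicators the article lists; the caller picks a blocking threshold."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"]
    reply_domain = reply_to.addresses[0].domain.lower() if reply_to else sender_domain
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    indicators = {
        "lookalike_domain": is_lookalike(sender_domain),
        "young_domain": sender_domain_age_days < 30,  # 30-day cut-off is an assumption
        "reply_to_mismatch": reply_domain != sender_domain,
        "phrases": [p for p in WHALING_PHRASES if p in body],
    }
    indicators["score"] = sum(bool(v) for v in indicators.values())
    return indicators

# Constructed sample: the digit "1" in examp1ecorp stands in for the "l" of the real domain.
SAMPLE = """From: Jane Doe <jane.doe@examp1ecorp.com>
Reply-To: Jane Doe <jane.doe@mail-relay.example.net>
Subject: Urgent

Please action the wire transfer today and pay invoice 4471 before close of business.
"""
```

Calling `score_message(SAMPLE, sender_domain_age_days=12)` flags all four indicators; a real gateway would take the domain age from WHOIS or passive DNS rather than a parameter.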
