Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well executed whaling attacks.
Last year a California-based networking technology firm, Ubiquiti Networks lost $46.7 million and Belgian Bank Crelan, lost over €70 million due to whaling scams. The FBI issued a warning last year and reported that companies around the world lost around $1.2 billion from 2013-2015 due to whaling and other associated types of email fraud with an increase of 270% from January to August 2015.
Previously, emails were sent to hundreds of potential victims contained unfailingly polite language describing sob stories with promises of a big payoff in return for sharing bank account information. However, today spoofed emails are sent from executives to carefully selected employees in finance departments requesting large file transfers. These fraud emails come from web addresses almost identical to that of the target company, often when senior executives are known to be away from the office.
This activity is known as "whaling" fraud because it targets "one big fish" as opposed to phishing, which casts out a wider net reaching a larger group of victims.
Employee data is used as ammunition
Whaling fraud emails include carefully researched and crafted messages sent to named senior business people often based on stolen data. Today with titles, phone numbers, and department names available on blogs, and social media sites like LinkedIn, fraudsters can often find some of this information very easily on the web. Firewalls, data loss prevention systems, and secure file exchange systems can’t protect information that is available for free.
Fraudsters can also buy sensitive information from other criminals online, or get it from insiders by using social engineering techniques. For example, they can obtain company information over the phone by impersonating a known company vendor or the IT department. Sometimes fraudsters can get the information they need due to more low-tech methods such as stealing a laptop or cell phone that is left unattended.
Another type of whaling targets employees with privileged access rights to sensitive corporate systems including file transfer systems such as SWIFT. For example many companies have designated employees authorised to request wire transfers and others who are authorised to execute the transfers. By taking control of employees PCs using malware embedded in a spoof email, fraudsters can gain direct access to identify information and authorisations for these privileged users. Kaspersky revealed that an international criminal syndicate was able to steal credentials of IT officers at over 100 banks to net as much as $900 million in stolen funds.
Strategy for prevention
Perhaps the most important deterrent of whaling fraud is employee education.
Companies should train their staff to resist the knee-jerk reaction to respond to an email that requests personal or confidential information even when the message appear authentic and is urgent. For example, if they are told to update their personal information because someone is trying to take over their e-mail account, or if there is a request to install a security patch or to upgrade their Microsoft Office software.
If there is any doubt about the legitimacy of the source or the message, the employee should forward the message to the sender directly to confirm its authenticity. If the email is urgent but something looks fishy, they should pick up the phone and not act until they are certain the email is real.
It is also recommended that security officers be proactive and regularly test employees with fake emails to test their reactions. By experiencing firsthand how easy it is to be duped employees can be convinced to take the necessary precautions.
Using technology to prevent attacks
Technology can also be used to minimise the risk. One approach is to use a heuristics product to determine if an email is fraudulent. The success rate of these solutions is mixed. They filter out many of the obvious scams, but leave the more cleverly designed emails intact. Whaling is endlessly adaptable and therefore more and more difficult to detect.
Another strategy for preventing these scams is to protect sensitive data and prevent hackers from getting the ammunition for whaling attacks in the first place. Continuous monitoring of who is accessing what data, and how often, can prevent leaks of sensitive data. A solid baseline of monitoring will provide a normal range to determine when sensitive information is being accessed in unusual and suspicious ways.
These systems should also detect when insiders are leaking data. It’s important to not only know when data has been added or changed, but noting even when it has been viewed is equally important. Today data can be stolen simply by taking a picture of a computer screen using a camera on a cell phone.
Whaling attacks are harder to detect especially as fraudsters use more sophisticated social engineering techniques. There's no obvious trigger, such as seeing hundreds of copies of a phishing email enter your server. Employee education and monitoring to detect suspicious behavior can be the best way to keep whaling attacks at bay.
By Hagai Schaffer, Cyber Fraud and Risk Management VP Product Management and Marketing, Bottomline Technologies.