A clever variant of phishing scams is proliferating among enterprises, forcing CIOs to up their game even as they are still refining their cybersecurity practices to contend with various zero-day attacks. Called whaling, the social engineering grift typically involves a hacker masquerading as a senior executive asking an employee to transfer money.
Jay Wessland, CTO of the Boston Celtics.
"We have seen a few of those," says Jay Wessland, CTO of the Boston Celtics. He says atypical example he's seen involves someone pretending to be CEO or CFO who emails a high-level employee in the finance department to wire money or W2 tax forms. He says whaling attacks, a form of business email compromise also known as "CEO fraud," have increased over the past few months.
FBI says whaling becoming big trend
Whaling is becoming a big enough issue that it's landed on the radar of the Federal Bureau of Investigation, which last week said that such scams have cost companies more than $2.3 billion in losses over the past three years. The losses affect every U.S. state and in at least 79 countries. The FBI said that it has seen a 270 percent increase in identified victims and exposed losses from CEO scams since January 2015. For example, Mattel lost $3 million in 2015 to one CEO fraud scam, while Snapchat and Seagate Technologies also fell prey to similar schemes.
Unlike typical phishing or spearphishing scams, in which an attacker typically includes a malicious URL or attachment, whaling is a pure social engineering hack targeting relationships between employees, says Steve Malone, director of security product management at Mimecast. Whaling fraudsters either gain access to an executive's email inbox, or email employees from a fake domain name that appears similar to the legitimate domain name. They ask the intended recipient to take some action, such as moving money from a corporate account to an account the fraudster has set up, Malone says.
Often, the language and phrasing of the email request are designed to sound similar to those that might come from CEOs, CFOs and finance staff. The note may begin with a simple greeting, such as "Hello, how are you," and inquire if the recipient is in the office, a seemingly natural query. Then they'll ask the potential victim to trigger a money transfer, issue a bank payment, or email a W2 or some other sensitive document. "There's no way to spy that as bad," Malone says. "The content is human-written so a spam filter won't pick it up and it's hard to detect because there are no links or attachments."
Sign up for CIO Asia eNewsletters.