Financially Motivated Whaling Attacks

January 14, 2016

In a previous blog post, a colleague discussed a wire transfer fraud attack aimed at a company’s CFO. He stressed the importance of having the proper people and process control strategies in place to help protect your organization and laid out important tactics you can add to your policies to prevent fraud. That post stated that you should not rely solely on technology to protect your organization, which is true, but technology is still an important component.

On any given day, many people receive hundreds of emails. But when an employee receives an email from their CEO, CFO or another senior executive, they are more likely to notice and respond. Unfortunately, this natural human behavior is exactly what malicious actors are exploiting in the latest “whaling” attack.

Whaling is a focused phishing email targeted against senior executives of a company, or those with special access to information (aka the “big fish”). Recently we have seen an uptick in a type of whaling attack targeted against individuals in finance. An individual who is authorized to handle money (e.g. the CFO or head of accounting) receives an email from an attacker, posing as a senior executive, who is looking to steal money by asking the recipient to initiate a wire transfer. If the individual takes the bait, the impact of a successful attack is obvious in the monetary loss to the company.

While the list is long, there are some key things that can be done from a technology perspective to mitigate this social engineering threat.

Whitelist your domain with trusted applications.

It is important to make sure that only an approved list of providers can send emails using your company’s domain. These include third-party applications that you use to conduct business and that need to send out alerts to employees.

Tag emails coming from outside of your organization.
We ask a lot of our employees, and security is not always remembered. To help your employees, you can implement an email rule that tags any external emails sent to employee inboxes. Receiving this notification triggers employees to exercise more caution than they normally would with an internal email. Communicating the change to employees and explaining how they should handle external emails differently than internal emails is key.

Monitor brand and domain infringements.

You should have a strategy in place to handle domains similar to your company’s. This can include a combination of buying the domains, blocking them, or monitoring them for suspicious activity. You should also be prepared to send cease and desist letters to those who attempt to impersonate your brand and to take additional legal action if necessary.

Fraud is not new; however, it is continuously evolving. Even this latest attack has been evolving over the last few months. It started out targeting domestic operations, but we have seen the strategy shift to target international employees who handle back office authorizations for money transfers. This is why it is important to implement company-wide security strategies that include all three components: people, process and technology.

By: Ping Look, Executive Advisor, Security Communications and Awareness

Ping Look is executive advisor of Optiv’s security communications and awareness group. In this role she specializes in advising, designing and implementing holistic security awareness programs that are scalable and create a lasting culture of security minded behaviors for Optiv’s clientele.
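As an added illustration of the external-tagging and similar-domain points in the article (this is not code from the original post or from Optiv), the Python sketch below classifies a sender domain as internal, lookalike or external and builds the tagged subject line. It assumes `example.com` is the company's domain; the function names, tag strings and distance threshold are hypothetical choices.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: example.com is the company's domain, and the
# From header domain is used as-is (a spoofed exact-match From is not detected here).
OWN_DOMAINS = {"example.com"}
MAX_DISTANCE = 2  # edits tolerated before a domain stops counting as similar
LOOKS_LIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Collapse common visual substitutions (1 for l, rn for m, vv for w)."""
    return domain.lower().translate(LOOKS_LIKE).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in OWN_DOMAINS:
        return "internal"
    for own in OWN_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(own)) <= MAX_DISTANCE:
            return "lookalike"
    return "external"

def tag_message(raw):
    """Prefix the subject of any non-internal message; return (verdict, subject)."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    verdict = classify(domain)
    subject = msg.get("Subject", "")
    if verdict == "lookalike":
        subject = "[EXTERNAL - LOOKALIKE DOMAIN] " + subject
    elif verdict == "external":
        subject = "[EXTERNAL] " + subject
    return verdict, subject

# Constructed sample message (not taken from a real incident).
SAMPLE = ('From: "Jane CEO" <jane.ceo@examp1e.com>\nTo: cfo@example.com\n'
          "Subject: Urgent wire transfer\n\nPlease process this today.\n")

if __name__ == "__main__":
    print(tag_message(SAMPLE))
```

Short company domains will produce false positives at this threshold, so the lookalike verdict is better suited to raising caution or feeding a review queue than to blocking outright.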