Whaling Scam Targets Organization’s Biggest Fish

Imagine going through your Monday morning work routine of coffee and email when you receive an urgent message from your company’s president, asking you to immediately take care of a task that is directly related to your job function. After doing what was requested, you discover the request was a scam and you cost your company thousands of dollars in lost funds.

This type of scam, known as business email compromise (BEC) or “whaling” because the targets are generally an organization’s “biggest fish,” is on the rise. The FBI identifies BEC as the number one emerging threat over the 2016-2018 timeframe. Losses in 2017 are estimated to be more than $4 billion.

Unlike phishing, which casts a wide net, BEC scams are highly targeted and rely almost entirely on social engineering to trap victims. Scammers often target companies that are likely to be involved in electronic money transfers and payments to overseas partners or suppliers.

Scammers use public and private information about organizations, their employees, internal procedures and organizational structures. Public information is readily available via Internet searches and LinkedIn profiles. The scammer’s next step is to take over an executive’s email account, which is often accomplished through spear phishing, a more personalized phishing attack that steals login credentials. Once the executive’s account is compromised, scammers will lie low and observe emails to gain information on procedures and organizational relationships before they strike.

The scam generally starts with an email crafted from gathered information. It may reference employee names, partners and suppliers to give the email legitimacy and will appear to come from an executive or a lower level employee with an email trail that appears to originate from an executive. There will usually be a request for urgent action that involves some method of electronic money transfer. Everything in the email is carefully crafted to be believable and convince the victim to act without second guessing it.

The requests are always evolving but usually follow one of these templates:

A request to immediately wire money to take care of a legitimate-sounding business transaction.
A request to pay a supplier with a different account number or updated payment information.
A request to pay a law office or consulting firm for work related to a recent event (these can be related to real-life events like acquisitions, mergers or settlements).

In Hawaii, companies and individuals in the real estate industry in particular are targets due to the frequent and large amounts of money that change hands.

So, now that you know more about the BEC threat, how do you combat it? Address these three areas: procedures, technology and training.

First, procedures can be put in place to require special approvals for transfers to new accounts or when changes are made to existing accounts. The approvals can require confirmation over the phone or in person.

Secondly, technology solutions can detect and block phishing attempts to thwart email account takeover. When emails come from outside the company domain, these solutions can help to identify domain spoofing and other BEC characteristics.

Lastly, train your employees to be on the look-out for phishing and BEC emails. After you train your team, test them periodically by using fake phishing and BEC emails. If you don’t have the staff and expertise to create the content, train and test your users, reach out to your technology partner to discuss as there are a variety of services available for a reasonable cost. By pairing the right technology solutions with education and best practices, you can effectively combat this rising threat.

Ken Van Orman is senior product manager of data center, cloud and managed services at Hawaiian Telcom. Reach him at Ken.vanorman@hawaiiantel.com.

Visit this article in the Star-Advertiser