Whaling - targeting the big fish

February 10, 2016

A scam that looks so simple you would think staff won't fall for it. But they can, and in many organisations, they have.

CEO and CFO targeted attacks are on the rise in 2016 - up 55% in the past few months.

Whaling is essentially another email scam to get money, but instead of infecting a computer with a virus or malware and holding your data to ransom, Whaling uses social engineering techniques to trick your business execs into giving it away. 

How does it work?

Anyone can perform a simple online search to find out who the CEO and CFO are at most organisations. Armed with this information and using a technique called 'spoofing', an attacker will generate an email which appears to come from inside your organisation - more often than not, the attacker masquerades as the CEO. 

The attacker's email (which can sound very convincing) is sent to the CFO or a senior member of the finance team and instructs the recipient that an urgent payment needs to be made. The email might also end with "sent from my iPhone", which can explain why the corporate email signature is missing. Human behaviour becomes part of the scenario because, let's face it, if you get an email from the CEO which says "this wire transfer needs to be made immediately", your normal decision-making process could be affected. After all, this email is from the CEO!

You might think this all sounds so obvious and that your staff would never fall for it; however, large organisations such as Ubiquiti have already lost millions to this type of attack.

What can you do?

While ensuring your Anti-Virus, Anti-Malware and Email Content Filtering systems are up to date and well managed is important, Whaling attacks circumvent these traditional defences: the email appears legitimate because it contains no attachments or URLs, which are the things that would otherwise have caused it to be blocked.

  • Awareness and Education. In particular, make sure your Accounts, Finance and Executive teams are aware of this type of threat and what to look for.
  • Review your internal controls. For example, all payment requests and approvals sent by email should be verbally approved.
  • Technology. Email systems can be configured to notify users when reading or responding to an email which has originated from outside of your organisation, e.g. "This email contains external recipients".
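As an added illustration of the "Technology" control above (example code, not from the original article or from Pitcher Partners), the following Python filter tags an inbound message as external and additionally flags it when the sender's display name matches one of your executives while the address sits outside your domain, which is the masquerade the article describes. The domain, executive names and sample message are assumed, constructed values.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: your own mail domain and the executive names a spoofed
# "CEO" email would borrow. In practice both come from your directory.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane smith", "john doe"}

EXTERNAL_BANNER = "[EXTERNAL] This email originated outside of your organisation."


def classify(raw_message: str) -> dict:
    """Return tags for an inbound message based on its From header."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    external = domain != INTERNAL_DOMAIN
    # Display name matches an executive but the mailbox is not ours:
    # the pattern of an attacker masquerading as the CEO.
    impersonation = external and display_name.strip().lower() in EXECUTIVE_NAMES
    return {"external": external, "executive_impersonation": impersonation}


def annotate(raw_message: str) -> str:
    """Prepend the external-sender banner to the body of an external message."""
    tags = classify(raw_message)
    if not tags["external"]:
        return raw_message
    msg = message_from_string(raw_message)
    banner = EXTERNAL_BANNER
    if tags["executive_impersonation"]:
        banner += " The sender name matches an executive but the address does not."
    msg.set_payload(banner + "\n\n" + msg.get_payload())
    return msg.as_string()


# Constructed sample: an external address using an executive's display name.
SAMPLE = """From: Jane Smith <jane.smith@outside.example.net>
To: cfo@example.com
Subject: Urgent wire transfer

Please arrange this payment today. Sent from my iPhone
"""

if __name__ == "__main__":
    print(annotate(SAMPLE))
```

The banner is what a finance recipient sees before acting on the request; the verbal approval step in the second bullet remains the control that actually stops the payment.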

Technology is always improving, and content filtering systems are blocking hundreds, thousands, tens of thousands, even hundreds of thousands of emails daily which are identified as spam, phishing, viruses, etc.

It's the targeted attacks we need to be aware of as they rely on human error rather than breaking through your technology defences.
