Whaling Scams Are On the Rise

Updated 10/01/2019


The President of a talent agency called us in a panic. His bank had just called him to confirm the transfer of $1.5 million to an overseas vendor, a request he never made. “The hackers sent an email from my email address and to my bank. How could this have happened?” Luckily, the bank officer thought something was amiss and called him to confirm the transfer before proceeding.

This scam was two-fold, first the bank was the target of a Whaling scam. As the name suggests, it’s a phishing scam meant to target the C-suite or the “big fish.” For example, an executive gets an email resembling a trusted source, usually an overseas vendor, with a request to send money to a new account. The second part of this scam involved hacking the President’s computer. Earlier that month he’d been traveling overseas and used the hotel wi-fi without a Virtual Private Network (VPN). The hackers were able to view his traffic and obtain his banking information and passwords.

A 2018 analysis of over half-a-billion emails shows that email attacks involving CEO impersonations are on the rise . American businesses are under siege. According to the FBI, Business Email Scams, “…are among the fastest growing Internet fraud schemes and cost American businesses hundreds of millions of dollars in losses every year.”

These scams target business of all types and sizes, from non-profits to manufacturing. In fact, the 2018 Data Breach Investigations Report conducted by Verizon warns business owners and executives to “ignore the stereotype of sophisticated cybercriminals targeting billion-dollar businesses. Most attacks are opportunistic and target not the wealthy or famous, but the unprepared.” This report also found that sadly people are still falling for phishing attacks.

Why Are Whaling/Phishing Emails So Effective?

Phishing emails are fraudulent emails that use social engineering (psychological manipulation) to trick the recipient to:

1. Give up sensitive financial information.

2. Transfer large sums of money to criminals.

3. Install a malware virus such as ransomware on your company’s network.

Hackers are also counting on you and your employees to be under-prepared and overwhelmed.

The Average Office Worker Receives 125 Emails Per Day

Cyber criminals are counting on you and your employees to be busy at work, and they are betting that at any given time, you will assume that the email you received from a trusted vendor requesting payment to a new bank account is legitimate. These emails look exactly like the invoices you’ve received in the past and contain enough information about your relationship with the vendor to appear credible (See the attached documents for examples of phishing emails). Without the proper training and systems, it is likely that anyone would follow the instructions in a fraudulent email.

Here’s what you can do today to protect your profits, reputation, employees, and vendors:

1. Be on alert! Know that every day you go to work, someone is trying to “break-in” to your business via the internet.

2. Share the information in this email with your employees today. It’s important to start a conversation with them about phishing email scams, engage in regular training sessions to help them spot a phishing email, and put a reporting mechanism in place so your IT department is made aware of the issue.

3. Beef-up your firewall with Unified Threat Management (UTM) that includes:

o Intrusion Prevention Service o WebBlocker o Gateway AntiVirus o Reputation Enabled Defense o Network Discovery o SpamBlocker

4. Don’t allow your employees to shop, visit social media sites, or check their personal email from any devices that are on your network. This includes laptops, mobile phones, or tablets.

5. If you get a request for payment from a vendor to a new bank, call the vendor to confirm (but don’t use the phone number given in the email or respond directly to the email).

6. If the CEO of your company sends you a request to pay a consultant that you’ve never met, then call the CEO to confirm.

7. Have a third-party data and network security assessment completed. You may have potential security risks that you’re not aware of. Consilien provides security assessments free of charge.

8. Make sure that you have a business continuity plan in place that includes instant recovery of your data, files, network, applications, and server.