These are unfortunate statistics for business owners of all sizes. A survey from IBM found that 66% of surveyed business owners who were hacked weren’t confident that they could recover from it. And the fact is, some businesses don’t recover at all, proving that breaches can be crippling.
Whaling is a type of phishing attack that involves the impersonation of a high-profile employee, like a CEO or business owner. These attacks are targeted, usually with the goal of extracting money from the company by sending staff fake emails that permit money transfers or data exchanges. Whaling is so effective because the end recipient believes the email is legitimate and proceeds to follow instructions. Here’s what you should know about this growing hacking strategy:
Whaling is on the Rise
More and more companies are falling victim to hacking attacks. In fact, the dramatic rise of whaling attacks prompted the Phoenix division of the FBI to issue a warning to business owners regarding these business email scams.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor,” the statement reads. “They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
Even big companies have fallen victim. In a blog post published by Snapchat, the company admitted that employee data had been compromised after one staff member in the payroll department fell for a whaling scam that involved an email supposedly sent from the CEO. And in London, many startups were targeted in a series of phishing scams that impersonated CEOs.
Social Media Plays a Role
Social media can be a phenomenal foundation for a successful whaling attack. As previously mentioned, a high level of research goes into executing an attack of this caliber, and social networking sites are particularly useful for that purpose. Remember, whaling isn’t automated: it’s carried out by sophisticated hackers who learn enough about the intended victims to pull it off. Platforms like LinkedIn are also used to obtain additional details about a person. For this reason, it’s important to discuss social sharing rules with your team, decreasing the chance of revealing information that a hacker could potentially leverage.
Difficult to Detect
One reason whaling is a go-to tactic for hackers is that the target is heavily researched, and this level of personalization can be very convincing to unsuspecting recipients. In fact, one McAfee quiz presented visitors with 10 email messages, which included a mix of real emails and phishing emails. Eight percent of participants could not detect at least one out of seven.
Knowing that whaling is an increasing hacking strategy, it’s important for business owners to set up standard practices that help employees identify potential threats—even if the email appears to be coming from the CEO. Security awareness training and mock phishing tests are musts.
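One automated check that can back up that training, shown here as an added example that is not part of the original article: flag inbound mail whose display name matches an executive while the sending address is outside the company domain or the Reply-To points somewhere else. The company domain, the executive roster, the payment keywords and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical values for illustration: company domain and executive roster.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
PAYMENT_TERMS = ("wire transfer", "payment", "invoice", "bank details")

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def whaling_indicators(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # Normalise whitespace and case before comparing with the roster.
    claims_exec = " ".join(name.lower().split()) in EXECUTIVES
    if claims_exec and _domain(addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    if claims_exec and reply_to and _domain(reply_to) != _domain(addr):
        reasons.append("reply-to diverts to a different domain")
    body = msg.get_payload()
    text = msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")
    # Payment language is only counted once impersonation is already suspected.
    if reasons and any(term in text.lower() for term in PAYMENT_TERMS):
        reasons.append("payment request from suspected impersonator")
    return reasons

# Constructed sample messages (not real mail).
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.test>
Reply-To: accounts@payments.test
To: finance@example.com
Subject: Urgent wire transfer

Please process the wire transfer today and keep this confidential.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Quarterly review

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, whaling_indicators(raw))
```

This only catches display-name impersonation; a message sent from a compromised internal account with no Reply-To override passes both checks.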
Companies that Wire Transfer Are at Higher Risk
To be clear, whaling can happen to any business—startups, non-profits, and corporations have all been targeted in the past. However, businesses that regularly conduct wire transfers, such as businesses that deal with many foreign suppliers, are at a higher risk for whaling fraud. This level of fraud has amounted to roughly $2.3 billion in losses.
Case in point: in March 2015, a finance executive at Mattel was scammed into wiring $3 million to a bank in China. Although wire transfers require two signatures, the first signature had been provided by the faux CEO, and the executive provided the second for approval. As you can see, the level of research had to be top-notch for a sophisticated execution. Hackers researched how payment operations at Mattel work, and took to social media to identify high-ranking executives to target.