Decoded: Whaling

Whaling, or CEO fraud, has become a serious threat for companies. The latest in our Decoded series explains the threat and helps you recognise the signs.

By Jo Best

Mon 11 Sep 2017 @ 11:43

I've heard about whaling – should I be worried?

Also known as imposter fraud or CEO fraud, whaling is a type of attack typically aimed at unsuspecting finance staff.

It usually begins with a targeted email purportedly sent from the CEO (or other very senior figure) asking for money to be transferred in order to complete an urgent business task while they are out of the office – such as fulfilling an order or paying a client.

The member of the finance team that receives the email may think they're helping the CEO out by wiring money to a business partner but in reality the cash ends up in the hands of a scammer.

How is whaling different to spear-phishing?

Whaling, spear-phishing and common-or-garden phishing represent different strands of the same classic email scam.

With phishing, a scammer sends a generic email to as many people as possible. The email may claim to be a message from a user's bank, a receipt for an online shopping order or some other innocuous communication. When the user opens the seemingly benign email, they may be duped into giving away their financial credentials or downloading malware, both of which can be used to defraud the victim.

Phishing emails are sent to millions of addresses: if even a small fraction of recipients fall for the scam – and reports say far more than a small fraction usually open a phishing email – the scammer can make a handsome profit.

Spear-phishing is not as indiscriminate. The aim of the scam is the same to get individuals to divulge financial and other details that can be used to carry out fraud but the recipients are more carefully selected and the scammers' message more tailored. For example, a spear-phishing campaign may involve the criminal finding an email for a company's sales department, then writing a scam email that appears to relate to an invoice that needs paying. Unsuspecting staff may end up sending the requested funds, leaving a large hole in their finances, or downloading malware or ransomware, with much the same result.

Whaling is the next level up. The cyber criminals will have spent more time researching their potential target and crafting the attack email that goes with it. By finding out the CEO's personal email address and the company's business partners or suppliers, a fraudster can construct a whaling email that appears to come from the CEO. The scammers will send their emails from addresses that bear a very close resemblance to target company's CEO only different by a single letter or hyphen – at a time when the CEO is known to be out of the office.

Given the discretion CEOs have, the scammers’ payday can be much greater, with companies potentially defrauded out of millions. Indeed, the term whaling comes from the fact that this kind of fraud makes use of a 'big fish' in a company, rather than targeting a larger number of 'small fry'.

If whaling is also called CEO fraud, does that mean only the credentials of CEOs are exploited in this way?

No, any sufficiently high-up executive can be used by fraudsters to create a whaling scam.

Whaling attacks will generally target those in finance as they're used to seeing emails requesting payment and have the ability to transfer large sums from company accounts. As a result, their defences may be that bit lower than in other departments: if someone is used to authorising several legitimate and urgent payments every day, one more legitimate-seeming invoice may slip through unnoticed.

However, it's not unknown for fraudsters to use a similar approach to obtain personal or corporate data for nefarious purposes.

Do people fall for whaling attacks?

Sadly, yes. There have been a handful of high-profile victims of whaling in recent years.

In 2016, around €50m was wired by an Austrian aircraft parts maker to scammers, although 10m of the fraudulent funds was later recovered. A Belgian bank is also thought to have fallen victim to a whaling attack last year, losing 70m as a result.

Whaling victims have not just been confined to Europe either: Google and Facebook were also reportedly caught out by whaling emails, losing $100m between them.

Is whaling on the increase?

It's very likely. Recent research found more companies are on the receiving end of attempted whaling attacks, with 67 per cent of those surveyed reporting an increase in scams designed to engineer fraudulent transfers.

According to an FBI alert from 2016, there has been a "dramatic rise" in what it calls 'business email compromise' (BEC), where execs are duped into sending funds to scammers. BEC scams rose by 270 per cent year-on-year, the agency said, with $2.3bn lost in the preceding three years.