Whaling attacks rise, despite FBI warning in August

Dec 27, 2015 22:35 GMT

Whaling attacks, also known as CEO fraud and Business Email Compromise (BEC), have grown in intensity during 2015, seeing a 55% rise compared to last year.

Business email scams are often carried out by people who are very familiar with an organization's internal structure. Scammers usually send an email to one of the company's managers asking them to transfer funds to a bank account, with a pretext tailored to the target's position.

The FBI has already specifically warned companies about whaling attacks

At the end of August, the FBI issued a public announcement regarding the increase in whaling attacks, also describing three of the most common attack scenarios. It also said that, from October 2013 to August 2015, companies across all 50 US states and from 79 countries reported losses of $1.2 billion / €1.07 billion.

According to Mimecast, a cyber-security vendor specialized in email security, the FBI was right to issue its public warning on this topic: Mimecast's most recent research on the subject reports a similar increase in CEO fraud activity.

As the cyber-security vendor reports, besides the 55% increase in whaling attacks, scammers most often targeted the company's CEO (72%), while CFOs were the primary email recipient in only 35% of the cases.

Domain spoofing helps scammers carry out their attacks

In 70% of the cases, the email was sent from a spoofed domain name, registered to look like the one the target company was using or like the domain of one of its business partners.

When the scammers did not use a custom domain name, they used Gmail addresses in 25% of attacks, Yahoo email addresses in 8% of the situations, and Hotmail addresses in 8% of the cases.

Mimecast explains that the proliferation of social media amongst top-level execs has made it very easy for attackers to acquire all the details they need about their targets.

"Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well-executed attacks," said Orlando Scott-Cowley, cyber security strategist at Mimecast. "Whaling emails can be more difficult to detect because they don’t contain a hyperlink or malicious attachment, and rely solely on social engineering to trick their targets."

Companies can protect themselves against whaling attacks through proper employee training, better internal procedures for initiating money transfers, and by subscribing to domain registration alerting services that notify companies when similar-looking domains are registered.
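The look-alike domain and free-webmail patterns described in the Mimecast figures above, and the domain-monitoring defence mentioned here, can be approximated in a mail-gateway or SIEM rule. The following is an added example written for this article, not code from Mimecast, the FBI or the article's author. The trusted domains, the confusable-character table, the edit-distance threshold and the sample `From:` headers are all constructed assumptions for illustration; a production filter would also use a proper public-suffix list and authentication results such as SPF/DKIM/DMARC.

```python
import re
from typing import Dict, List, Tuple

# Constructed assumption: the organisation's own domain and one partner domain.
TRUSTED_DOMAINS = {"example-corp.com", "partner-supplies.net"}

# Free webmail providers named in the report as fallback sender addresses.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

# Constructed table of visually confusable substitutions seen in
# look-alike registrations (digit-for-letter, "rn" for "m", "vv" for "w").
CONFUSABLES: Dict[str, str] = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Assumed threshold: a second-level label within two edits of a trusted
# label is treated as a look-alike.
MAX_EDIT_DISTANCE = 2


def normalize(label: str) -> str:
    """Fold confusable character sequences to the letter they imitate."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) using a two-row table."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Reduce 'mail.example-corp.com' to 'example-corp.com'.

    Simplification: ignores multi-label public suffixes such as co.uk.
    """
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Return (verdict, reason) for the address in a From: header value."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    domain = registrable(addr.rsplit("@", 1)[-1])

    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is an organisation or partner domain"
    if domain in FREE_WEBMAIL:
        return "review", f"{domain} is a free webmail provider, not a business domain"

    # Compare the second-level label against each trusted label after folding
    # confusables, so 'examp1e-corp.com' and 'example-corp.co' both match.
    cand = normalize(domain.split(".")[0])
    for good in sorted(TRUSTED_DOMAINS):
        ref = normalize(good.split(".")[0])
        dist = levenshtein(cand, ref)
        if dist <= MAX_EDIT_DISTANCE:
            return "suspicious", f"{domain} resembles trusted domain {good} (edit distance {dist})"
    return "unknown", f"{domain} has no resemblance to a trusted domain"


def scan_headers(headers: List[str]) -> List[Tuple[str, str]]:
    """Classify a batch of From: header values; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)[0]) for h in headers]


# Constructed sample From: headers, not taken from any real incident.
SAMPLE_HEADERS = [
    "Jane Doe (CEO) <jane.doe@example-corp.com>",     # genuine internal sender
    "Jane Doe (CEO) <jane.doe@examp1e-corp.com>",     # digit '1' for letter 'l'
    "Jane Doe (CEO) <jane.doe@example-corp.co>",      # wrong TLD, same label
    "Jane Doe (CEO) <jane.doe.examplecorp@gmail.com>",  # free webmail fallback
    "Accounts <ap@partner-suppiies.net>",             # transposed/replaced letter
    "Newsletter <news@unrelated-vendor.org>",         # no relationship
]

if __name__ == "__main__":
    for header, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:10s} {header}  # {classify_sender(header)[1]}")
```

The "review" verdict for free webmail is deliberately weaker than "suspicious": plenty of legitimate correspondents use Gmail, so the signal is really the combination of a webmail sender, an executive's display name, and a payment request, which is what a finance team's call-back procedure is meant to catch.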