Whaling email attacks – a form of phishing attack targeted at senior executives and other high-profile people in a business – are on the increase.
In whaling attacks, fraudsters often use legitimate executive names and email addresses to fool company employees into providing them with sensitive information, or even transferring money to them.
Whaling attacks typically involve highly targeted emails, in which the cybercriminal tries to trick the employee with a well-crafted email or web page whose content relates to the employee's role in the company.
The attackers often use a legal subpoena, customer complaint, or executive issue as the content of the email.
The source of the email is also spoofed (faked) to make it look like it is coming from a legitimate source or business authority.
Who is targeted in whaling attacks
A recent Mimecast survey, done in partnership with MyBroadband, showed that fraudsters typically pretend to be the CEO, financial managers, or salespeople.
The survey results further showed that the source email address (the @domain) is often spoofed to look legitimate.
Here are some of the prominent findings of the Mimecast whaling attack survey.
- Whaling attackers typically pretend to be the CEO, financial manager, or from the sales department.
- In 39% of whaling attacks the email domain (@domain) was faked (spoofed).
- Most South African companies face regular whaling attacks.
- Some companies have reported significant losses caused by whaling attacks.
Big increase in whaling email attacks
Whaling email attacks have become so prevalent that the FBI is warning companies about the risk of this cybercrime.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor,” the FBI said.
The fraudsters research employees who manage money, and use language specific to the company they are targeting, the FBI said.
The FBI has provided the following tips for businesses to avoid falling victim to whaling attacks.
- Be wary of e-mail-only wire transfer requests and requests involving urgency.
- Pick up the phone and verify legitimate business partners.
- Be cautious of mimicked e-mail addresses.
- Practice multi-level authentication.
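The spoofed sender domains described in the survey findings and the FBI's "mimicked e-mail addresses" and "urgency" warnings above can be turned into a mail-gateway check. The following is an added example written for this article, not code from Mimecast, MyBroadband or the FBI; the organisation domain `example-corp.com`, the executive list, the sample messages and the keyword list are all constructed placeholders. It parses a raw message and flags the common whaling signals: an executive's display name on an outside mailbox, a look-alike sender domain, the company's own domain without an SPF/DKIM pass recorded by the gateway, a Reply-To that redirects replies elsewhere, and wire-transfer or urgency language.

```python
"""Flag likely whaling / executive-impersonation emails from raw RFC 5322 text.

Added example, not part of the original article. ORG_DOMAIN, EXECUTIVES,
URGENCY_TERMS and the sample messages are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                           # constructed: the defended domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed: display name -> real mailbox
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "confidential",
                 "before close of business")              # constructed keyword list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    findings = []
    # 1. Display name of a known executive, but not sent from that executive's real mailbox.
    real_mailbox = EXECUTIVES.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        findings.append(f"display-name impersonation: '{from_name}' via {from_addr}")
    # 2. Sender domain is a near-miss of the real domain (typosquat / digit-for-letter swap).
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {from_domain}")
    # 3. Sender claims our own domain but no SPF/DKIM pass was recorded. Only trust this
    #    header when your own gateway stamps it and strips inbound copies first.
    if from_domain == ORG_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("internal domain without SPF/DKIM pass (possible spoof)")
    # 4. Replies are steered to a different domain than the claimed sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to redirect: {reply_addr}")
    # 5. Urgency / payment language typical of e-mail-only wire transfer requests.
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: <payments@mail-relay-example.net>
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com
Content-Type: text/plain

Please process this wire transfer immediately and keep it confidential.
"""

LEGIT = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Subject: Board pack for Thursday
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass
Content-Type: text/plain

Attached is the agenda, nothing to action.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, analyse(sample) or ["no findings"])
```

Finding 2 passes the spoofed sample because the attacker's domain differs from the real one by a single character, which the SPF pass on the attacker's own domain does nothing to catch; that is why the look-alike check and the executive mailbox list are needed alongside SPF/DKIM. In production, the executive list would come from the directory rather than a constant, and the check should gate on the gateway's own authentication stamp rather than one supplied by the sender.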