The CEO, CFO, COO of a company: the people in charge, the brains behind the whole organisation. If not totally immune to being a target of fraud, surely they are the least likely to fall for a basic financial scam? Well actually, this doesn't seem to be the case at all, with new reports emerging regularly that another top ranking Exec has fallen victim to online hoaxing of the highest order.
Perhaps the key factor here is these aren't just basic financial scams; these are complex, sophisticated, calculated crimes, targeting the head honchos of the biggest empires whilst bypassing all antivirus software along the way.
In fact, it's become such a concern that security experts have given it a title: "Whaling".
Emerging from the same fraud family as Phishing, Vishing, and Pharming, Whaling is very much the big brother of the family.
Targeting senior execs and anyone else at the top of the business, Whaling emails avoid scam filters by being unique to the intended target. Each email is individually crafted and personalised, with the target's name, title and other such information disclosed thus making the recipient believe it is from a trustworthy source.
Once contact is established and dialogue between the victim and the fraudster has opened, the scammer attempts to get hold of passwords and other confidential information by hacking into their PC, often succeeding.
It's happening a lot...
Thankfully, the media coverage behind Whaling may have raised enough alarm bells for those in the know to wake up to the potential damage this can cause. However, such scams are still continuing to occur at a concerning rate.
In May 2016, it was reported that the CEO of an Austrian parts manufacturer had been relieved of his duties after he was the victim of a Whaling attack... costing the company £31 million.
Just over a year ago, a NASDAQ-listed US broadband equipment manufacturer with a $4bn market cap was scammed for $46.7 million in an employee impersonation case. They ended up transferring the funds from a subsidiary company to a number of third party accounts, in a very global operation. After detecting the fraud, they expected to recover 33% of the missing money, but the rest is probably gone. From a reputation point of view, they had to disclose the matter in their quarterly SEC financial reporting, and the effort required to confirm that their IT systems were not compromised must have cost a significant amount of time and money. Thankfully, the company was able to carry on trading.
Even as recently as August 2016, it was reported that Europe's largest electrical cables manufacturer fell for an online scam which resulted in them paying £40m into the wrong bank account. The company's financial officer received the emails and he had no reason to believe the requests weren't sent by Execs based in Germany. The money was transferred to a bank account in the Czech Republic and, at the time of writing, the scammers are yet to be caught.
Fortunately, there have been occasions where potential disasters were avoided at the last minute. One such incident related to US social media giant, Snapchat, who revealed that payroll details of many of their employees were accidentally disclosed after receiving an email from somebody they assumed to be their CEO. When concerns were raised, they promptly sought help from the FBI and, as a result, no internal systems were breached. NCC Group also recently revealed that they were targeted by a similar scam but were quick witted enough to block it.
All too often Whaling has cost organisations millions worldwide and it soon becomes clear that it'll take a little more than basic common sense and being internet savvy to avoid this happening to your organisation, or, perhaps even worse, to you.
The modern day criminal is an intelligent cyber expert who has opted to use their knowledge of internet security to steal. But this is 2016: we knew this already, didn't we? Maybe so, but despite the security community being on red alert for such scams, Whaling confirms that nobody is really safe.
What are the solutions apart from education? Many articles talk about border prevention (anti-spam, anti-phishing, two-factor authentication, etc.) but maybe the issue has less to do with securing e-mail and more to do with why e-email is used for significant transactions in the first place?
If you need to wire a bank transfer, simply do not use email. Instead, create a form that is only available to authorised users; this can be used to submit a request for a transfer. When a request is made, ensure a number of people are automatically informed and require the form to be approved and digitally signed before being acted upon.
The obvious benefits from this include:
- Traceability: it's easy to follow who did what, and when.
- Visibility: automatic notifications means that those who need to know when money has been transferred will be informed when the cash goes out.
- Security: due to digital signing, this is not something that can be exploited by email.
- Accountability: if you follow the process correctly, you will not be personally liable.
Switching from e-mail to a secure forms-based approach should, we believe, take no more than 10 minutes to set up. That's from designing the form to the moment when the first use is made of the form.
10 minutes versus a potentially £ multi-million fraud loss seems like a very reasonable trade-off. In a follow-up post, we'll look in more detail at what the form might contain, plus some of the process you could put around it.
This post was written by Paul Richards.