In 2016, FACC — an aerospace company with Boeing and Airbus as clients — lost more than $40 million in a whaling phishing attack. Its CEO had to resign after the incident.
Whaling attacks are an elaborate type of cyber attack: they require a lot of preparation, but the payout for fraudsters can be huge. How do whaling attacks work? How can you protect yourself against them? Read on to find out.
Trustpair blocks the effects of whaling phishing attacks by continuously controlling payments before they’re executed. Any suspicious payment to an unknown third party will be blocked. Contact an expert to learn more!
What is whaling phishing?
A whaling phishing attack is a high-level type of third-party fraud. Cybercriminals target C-suite executives or key employees to get them to:
- Disclose sensitive information, and/or
- Send funds to the fraudsters' bank accounts.
Whaling is akin to CEO fraud. It’s a form of spear-phishing, which means scammers target one specific individual within an organization. It requires preparation, as whaling attacks usually include personalized elements to appear legitimate. They also need to know who holds a position of authority within the company.
The difference between spear phishing and whale phishing is the size of the target: in the latter, attackers try to steal from a “big fish”, i.e. a whale, hence the name.
How does it work?
While every whale phishing attack is going to be different, there are some commonalities in the overall process:
- Gathering information: before any contact, fraudsters need to know who they’re targeting to ensure they have the required access to personal or financial information. Using social engineering techniques, scammers will impersonate someone their victim trusts, like a supplier, client, or another executive of the company.
- Impersonating someone else: scammers then contact their unsuspecting victim pretending to be someone else. The amount of information available online makes it easier than ever to commit identity theft through social engineering. They can also use spoofing, deliberately misspelling the sender's address (firstname.lastname@example.org, for instance, but with the domain spelled with three o's) so that it looks legitimate at a glance.
- Including an element of urgency: in their emails, criminals ask their victim for "an urgent favor", like a transfer to a given bank account to finalize a deal. Scammers inflate the cost of not complying, for instance by claiming the company would lose a strategic contract, or by threatening a lawsuit. These elements turn a whaling phishing attack into a "high risk, low effort" situation for the victim, who complies in order to minimize the apparent damage.
- Requesting funds or confidential information: whaling phishing always includes a request, often needing to be done ASAP. Scammers either ask directly for a money transfer, or sensitive information like your company’s bank account numbers, login credentials, or financial data. Like in traditional phishing emails, they could also ask the receiver to click on a link that’ll direct them to a spoofed website, or download malicious software.
- Transferring funds: once the funds are transferred to the scammer’s account, the stolen money is almost impossible to retrieve. Sometimes, hackers will even commit the same fraud several times, stealing even more money. Wire transfer scams are often only discovered when doing reconciliation or at the end of the financial year.
What are some examples of whaling phishing?
Whaling attacks target companies old and new:
In 2016, an employee from Snapchat's payroll department received a spear phishing email from someone impersonating their CEO. This whaling attack was successful, and the HR employee disclosed the payroll information (including bank account numbers and social security numbers) of former and current employees. The reputational and financial damage was steep, as Snapchat offered each victim two years of identity theft insurance.
Ubiquiti Networks is a 125-year-old US manufacturer. Recently, its finance department fell victim to a whaling phishing attack: an employee transferred $46.7 million to an impostor pretending to be their CEO.
This kind of phishing attack can take different forms:
- Hacking into an established email thread to redirect a bank transfer,
- Sending a link to a Zoom meeting that’ll install malware or spyware on the device,
- Asking to confirm some private information,
- Requesting gift cards to be bought for clients.
Learn all there is to know about payment fraud in our latest fraud report!
How to protect your business against whaling?
Safety measures against phishing whaling attacks
To effectively protect your organization against B2B payment fraud, you first need appropriate security measures:
- Audit and improve your internal processes, so that no single employee is responsible for every step of key operations (such as authorizing payment campaigns, payroll, or supplier payments). This segregation of duties spreads the risk of falling victim to whaling and also reduces the risk of internal fraud.
- Set up digital defenses: ask your employees to use strong passwords that change regularly. You can also set up two-factor authentication. Installing anti-spam and anti-phishing software on top of your antivirus is also a good move. Your IT department can also flag any external email, so your employees can see at a glance if the sender really is from within your organization.
These defenses are an essential layer of protection, but they’re not enough. You also need to educate your staff on the danger of whaling attacks.
Become a cyber-aware company
Education is key to preventing whaling attacks — and other types of Business Email Compromise (BEC). Your employees need to be aware of the fraud risks and what they look like. Make sure they can recognize a suspicious email as a phishing attempt.
Regular security training helps them recognize different forms of corporate fraud while keeping security awareness high.
Cybersecurity training needs to include contingency plans in case fraudulent attempts are detected. For instance, staff should know to report phishing to the Federal Trade Commission. It’s also important they know how to react if the company’s security has been compromised.
Your management should be careful about what they disclose on social media. A hacker can easily build elaborate schemes out of seemingly innocent information shared online.
The key is really to go beyond a once-a-year training and to become a cyber-aware company: an organization where all employees are aware of the risks and know your security standards.
Using anti-fraud software
Anti-fraud software like Trustpair protects you against the risk of financial fraud. Our solution automatically and continuously audits your vendor data, matching them against international databases. That ensures that you are sending your funds to the right bank accounts.
In the case of whaling attacks for example, our software would detect the fraudulent attempt because the bank account details given do not belong to a supplier (or whoever the fraudster impersonates), and would block the transaction before it is sent.
Any suspicious attempt is flagged so you can address it directly from your dashboard. It’s a great solution to use alongside the other security measures we’ve just mentioned.
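The control described above, checking a payment's beneficiary against the vendor data you hold before the transfer leaves, can be expressed as a small pre-payment gate. The following is an added example, not Trustpair's software or any code from this article; the vendor master, the payment requests and the approver names are constructed, and the IBANs are the standard published test values rather than real accounts. It blocks payments to an unknown vendor, to a malformed IBAN, or to an account that is not registered for that vendor, and it also enforces the segregation-of-duties rule from the earlier section by refusing a payment approved by the person who requested it.

```python
"""Pre-payment control: verify beneficiary details against the vendor master
and enforce dual control before a transfer is released.
Added example; vendor records and payments are constructed."""

# Constructed vendor master: vendor id -> name and registered account(s).
VENDOR_MASTER = {
    "V-100": {"name": "Acme Supplies", "accounts": {"DE89370400440532013000"}},
    "V-200": {"name": "Globex Ltd", "accounts": {"GB29NWBK60161331926819"}},
}


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must be 1 mod 97."""
    s = normalize_iban(iban)
    if len(s) < 15 or len(s) > 34 or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def control_payment(payment: dict) -> tuple[str, str]:
    """Return ('release' | 'block', reason) for a single payment request.

    payment keys (constructed schema): vendor_id, beneficiary_iban,
    amount, requested_by, approved_by.
    """
    vendor = VENDOR_MASTER.get(payment["vendor_id"])
    if vendor is None:
        return "block", "unknown vendor: no record in the vendor master"

    iban = normalize_iban(payment["beneficiary_iban"])
    if not iban_checksum_ok(iban):
        return "block", "malformed IBAN"

    # The core whaling control: the money must go to an account this vendor
    # has on file, not to whatever account an urgent email asks for.
    if iban not in vendor["accounts"]:
        return "block", f"account not registered for {vendor['name']}"

    # Segregation of duties: the requester cannot be the approver.
    if payment["requested_by"] == payment["approved_by"]:
        return "block", "requester cannot approve their own payment"

    return "release", "beneficiary matches vendor master"


if __name__ == "__main__":
    # Constructed payment requests.
    legitimate = {"vendor_id": "V-100", "beneficiary_iban": "DE89 3704 0044 0532 0130 00",
                  "amount": 12500.0, "requested_by": "alice", "approved_by": "bob"}
    diverted = dict(legitimate, beneficiary_iban="GB29 NWBK 6016 1331 9268 19")
    for p in (legitimate, diverted):
        print(control_payment(p))
```

The diverted payment in the sample is the typical outcome of a successful whaling email: a real vendor, a plausible amount, but bank details that were never on file. Keeping the comparison on the vendor record rather than on the email content is what makes the check robust against a convincing message.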
Using Trustpair limits the risk of CEO fraud and whaling attacks, but also other forms like invoice fraud or vendor fraud. The results speak for themselves: we’ve worked with 200 companies, and have had 0 fraud. Contact an expert right away to learn more!
- Whaling phishing attacks are elaborate financial frauds. Fraudsters target high-level executives within your company to lure their victims into sending funds and/or information.
- Tools like Trustpair limit the risk of financial fraud by continuously auditing third-party data.