IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Beyond Spear Phishing: How to Address Whaling and More

First, there was phishing … then came spear phishing … and now there is whaling — and other new sophisticated social engineering techniques. The bad guys are modifying their deceptive practices. Here’s what you need to know.

whale shutterstock.jpg
credit: Shutterstock/Bildagentur Zoonar GmbH
Just when you thought you had seen it all regarding online phishing scams, along comes a new round of deceptive emails, phones calls, instant messages and even traditional printouts from your fax machine. And these revamped social engineering approaches are working — fueling a continuing surge in cybercrime.

For companies and for individuals, the stakes online remain very high. Phishing impacts are affecting brand reputation, personal careers and the financial bottom line. What’s scary is that the bad guys are often using hijacked email accounts and other legitimate business channels. The goal: to trick efficiency-minded professionals into carrying-out their online crimes.

What’s new? Several recent “whaling” stories have emerged that don’t involve employees clicking on links or becoming infected with malware. Rather, first the criminals conduct extensive surveillance and gain the required internet credentials. Then a highly targeted end user is tricked into making a fund transfer or authorizing a pending transaction based on an email from their CEO’s personal email account.    

For example, this recent story about Alpha Payroll shows how an employee complied with a request that appeared to come from Alpha Payroll's CEO. The fake email requested: “Copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Here are some additional details:

“Later, on April 8 after an Alpha Payroll customer reported their staff had fraudulent tax returns filed under their Social Security numbers — an internal investigation discovered the successful phishing attack. ...

Several experts have reached out to suggest that an internal policy against sharing W-2 data was at play here, which could be the reason for the (the employee’s) termination.” 

In April 2016, the Phoenix Division of the FBI formally warned businesses about the dramatic increase in business email compromise scams (BEC). According to the FBI press release:

"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy. ...

There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to nonprofit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

  • Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
  • This amounted to more than $2.3 billion in losses.
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
  • In Arizona the average loss per scam is between $25,000 and $75,000."
A Quick Tutorial from Phishing to Whaling

Online phishing scams are evolving rapidly. We all need to take note and not let our guards down. Before offering some practical tips, I like to quickly recap the different types of phishing attacks that are ongoing — many of which have been around for several years.

Please note that phishing can be delivered in a variety of forms (or channels). While most people focus on email phish, text messages, faxes, Facebook or LinkedIn updates or even traditional phone calls are commonly used channels to deliver phish. The message will ask you to take an action such as clicking on a link, calling a phone number or performing some other transaction.  

First, we have traditional phishing. According to Security Mentor, phishing, like its namesake “fishing,” uses bait to lure a target into getting hooked. In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise. The bad guys play on our emotions and desires.

Most phishing scams cast a wide net that tries to get a reaction from as many people as possible. They do this by imitating trusted brands like Walmart, PayPal, eBay, Google or Microsoft (or others) in their messages. 

This video shows typical phishing examples:



Second, the wide net cast by phishing campaigns became more sophisticated and “spear phishing” started to become more common. Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information.

Spear phishing has become a huge challenge for global enterprises to defend against. Clicking on these links can open an organization up to malware leading to data loss, identity theft and even ransomware, which can encrypt system data until a ransom is paid to the attacker.

Over the past few years, spear phishing has become a preferred method for cybercriminals to infiltrate organizations, with numerous large breaches that began by gaining user credential via spear phishing (also called spearphishing by some as one word.) This blog lists 10 top spear phishing attacks, calling spear phishing the secret weapon in the worst cyberattacks. The same blog also points to a study of 300 firms in the US and UK — reporting that 38 percent of cyberattacks in the past 12 months came from spear phishing.

And third, we have the new trend which many are now calling “whaling,” since the bad guys are going after the biggest of fish in super-sized spear phishing attacks. As the FBI press release mentions above, the goal is: “to assume the identity of the CEO, a company attorney or trusted vendor.” This can happen in a variety of ways, including the use of company insiders who provide access to sensitive people, process or technology needed to succeed in the fraud.

More Details on Whaling

I’d like to point you to several excellent articles that dive into recent whaling examples.

Whaling: Why Go After Minnows When You Can Catch a Big Fish — “A recent McAfee quiz presented 10 email messages, which were a mixture of genuine messages and phishing campaigns to test business users’ ability to detect online scams, and a whopping 80 percent of participants failed to detect at least one of seven phishing emails. When armed with real information, these types of attacks are extremely difficult for the uneducated user to detect.”

Whaling: Cybercriminals Are Now After the Big Phish — “The attackers may take months to research the company and find out as much as possible about the target in order to craft the email in a way that seems totally legitimate to the recipient. A successful attack depends on convincing the target of the message’s authenticity. The email message will have a reasonable rationale and will build trust by including relevant and specific information that seems confidential. In reality, this information is usually obtainable through public sources such as business directories.”

Snapchat Hit By CEO Email Scam as “Whaling” Attacks Increase — “Snapchat has admitted that employee details were accidentally sent to a scammer after a staff member fell for a phishing email that purported to come from the CEO.”

7 things to know about whaling, the emerging cybersecurity threat — “While other cyberattack tactics generally involve sending spam emails with malicious links — often sent in mass batches — whaling is a targeted attack. Hackers create email addresses that closely mimic those of company executives, and they research companies to mirror the language used to sound like the leader they are impersonating.

"On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software," according to a Krebs on Security report. "But in many ways, CEO fraud is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers."

How Can Enterprises Prepare?

So what can be done to lower the risk of whaling and other new social engineering techniques, which are sure to arise over the coming few years? Here are five strategies to consider.

  • Train on security awareness and train staff again. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats that are emerging. Remember, this is NOT just about clicking on links. Review the tips and recommendations offered in these previous blogs on phishing, ransomware and improving end-user awareness programs.
  • Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes — include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  • Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  • Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  • Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
Yes — test staff with occasional phishing exercises, but don’t just measure clicking of links. The bad guys know that links set off alarms for many, so many of the biggest whaling incidents do not include clicking on links. The enemy wants to gain staff trust, and they often include a combination of techniques to get employees to eventually take action. Ask staff: “What would you do if you were an outsider trying to gain access?”

Final Thoughts

As we develop new protections and alerts, the bad guys will adapt again and again. This is an ongoing cyber battle. In my view, whaling is “phishing 3.0.” There will be a 4.0 and a 5.0, to attempt to infiltrate organizational processes. Are you prepared? Do you have an ongoing security awareness program?

The main thing is to continually educate staff to understand these new cyberthreats and evolving risks faced every time we go online. The huge ongoing challenge is to continue to guide and enable staff to innovate, increase efficiency and reduce bureaucracy, while at the same time demonstrate a healthy, well-informed view of risks and online fraud. They also need to know what to do if they suspect inappropriate actions or a scam.

As Abraham Lincoln said in a letter written in 1848: “You cannot fail in any laudable object, unless you allow your mind to be improperly directed.”

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.