Phishing, spear phishing and whaling are all social engineering attacks delivered online that target users and trick them into revealing sensitive information or taking actions that benefit the attacker. Attackers rely on such techniques because employees, usually the weakest link in the security chain, can be manipulated into making mistakes.
Business email compromise (BEC) attacks are becoming more frequent and more damaging. Attackers use social engineering to manipulate executives, and their trickery and emotional pressure lead even senior executives to fall for them unsuspectingly. Traditional email security systems have great difficulty detecting such attacks because the messages typically carry no malware and no malicious links, so there is nothing for a signature or URL filter to match.
Use of social engineering techniques
Social engineering techniques usually involve some form of psychological manipulation. Because they exploit the human element, protecting against them can be tricky. The most common form of social engineering attack is phishing, and its lures change with disasters, tax season and current events.
Business email compromise (BEC) occurs when cyber attackers impersonate a trusted party, most often company owners or executives. When the target is a high-profile executive such as the chief executive officer or chief financial officer, the attack is called whaling or whaling phishing. The term refers to the size of the catch rather than the size of the attack: whales are picked because of their authority within the company. These senior executives often hold valuable information or have high-level access to confidential data, and attackers use well-researched and sophisticated social engineering techniques to trick them. Perception Point has developed unique algorithms that specifically prevent impersonation techniques, such as CEO fraud.
How a whaling attack works
Ordinary phishing emails are sent in bulk to large numbers of recipients, with no way of knowing in advance how many will take the bait. Whaling emails target a specific, usually high-ranking individual. The attacker sends the victim a business-critical email that appears to come from a trusted source, such as a colleague or manager, and that usually demands urgent action from the victim.
The email is highly customized and personalized. Attackers use the victim's name, job title and other relevant details gleaned from various sources, often social media platforms such as LinkedIn. Because the message carries no malware or malicious link, only a plausible request from a plausible sender, such an attack is very difficult to detect.
By targeting executives such as chief executive officers (CEOs), attackers may get them to approve fraudulent wire transfers. In other cases the attacker impersonates the CEO or another corporate officer to convince an employee, typically in finance or HR, to carry out a wire transfer or hand over sensitive data.
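The impersonation patterns described above (an executive's display name on an external address, a lookalike of the corporate domain, a Reply-To that diverts replies elsewhere, and an urgent payment or payroll lure) can be checked mechanically on inbound mail. The following is an added example written for this page, not Perception Point's product code. The corporate domain, the executive directory, the keyword list and the three sample messages are all constructed assumptions.

```python
"""Heuristic checks for executive impersonation (whaling / CEO fraud) in inbound mail.

Added illustration; the domain, directory, keywords and messages below are
constructed for the example and are not real data.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain
EXECUTIVES = {               # assumed directory: normalized display name -> real address
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
# Words that commonly appear in BEC lures (payment pressure, secrecy, payroll data).
LURE = re.compile(
    r"\b(urgent|immediately|asap|wire|transfer|confidential|payroll|w-2|gift cards?)\b",
    re.IGNORECASE,
)
# Character substitutions attackers use to build lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def _fold(domain):
    """Collapse common confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def _edit_distance(a, b):
    """Plain Levenshtein distance (small inputs, so the O(n*m) table is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain is not the corporate domain but is confusable with it."""
    domain = domain.lower()
    if domain == CORP_DOMAIN:
        return False
    return _fold(domain) == _fold(CORP_DOMAIN) or _edit_distance(domain, CORP_DOMAIN) <= 1


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Display name belongs to a known executive but the address does not.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a lookalike of the corporate domain.
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} looks like {CORP_DOMAIN}")

    # 3. Replies are diverted to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        findings.append(f"Reply-To {reply_to} points to a different domain than From")

    # 4. Subject/body carry the usual payment, secrecy or payroll pressure words.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    hits = sorted({m.lower() for m in LURE.findall(text)})
    if hits:
        findings.append("lure keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "ceo_fraud": (
        "From: Jane Doe <jane.doe.ceo@webmail.example>\n"
        "Reply-To: jane.doe.ceo@reply.example\n"
        "To: payments@example.com\n"
        "Subject: Urgent wire transfer\n\n"
        "I am in a meeting and cannot take calls. Please process a wire transfer\n"
        "to the attached vendor details immediately and keep this confidential.\n"
    ),
    "lookalike": (
        "From: John Smith <john.smith@examp1e.com>\n"
        "To: hr@example.com\n"
        "Subject: Payroll W-2 request\n\n"
        "Can you send me the W-2 forms for all staff today? I need them for a review.\n"
    ),
    "legit": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "To: staff@example.com\n"
        "Subject: Board deck\n\n"
        "Attached is the deck for Thursday's board meeting.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze(raw) or ["no findings"])
```

Each finding on its own is weak (executives do occasionally mail from personal accounts, and "urgent" appears in legitimate traffic), so a real deployment would score the findings and route messages with two or more to a hold queue for out-of-band verification rather than block on any single one.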
Whaling attack examples
In 2016 an employee at Snapchat received an email that appeared to come from the CEO. The employee gave the attacker employee payroll information. The company reported the incident and the FBI investigated the attack.
In 2018 a European cinema company lost a huge amount of money when attackers emailed its CEO and CFO with a fraudulent request for a highly confidential financial transaction. The request appeared to come from other senior executives, and so they transferred the money.
Cyber attacks using AI
In 2019 there was an unusual attack in which criminals used artificial intelligence-based software to imitate the voice of a German chief executive officer over the phone. The caller demanded an urgent transfer to a Hungarian supplier. Traditional cyber security tools cannot spot a spoofed voice, and an inbound call cannot be trusted as verification either; the request has to be confirmed by calling the supposed requester back on a number already on file. It is hard to predict whether AI-assisted attacks will increase, but they are likely to be used more if they make attacks more successful and more profitable.
Who is at risk?
Pretty much anyone with access to confidential data is at risk. Busy executives would rather not think about cyber attacks, but they need to internalize that they are targets. Attackers have time, stealth and many platforms on their side, all of which work against the natural behaviour of senior executives. Executives want to receive up-to-date information and act on it quickly, and that eagerness makes them prone to act on what looks like an important email. They may also mix personal and corporate use on a single device, which is a disaster waiting to happen.
Rather than relying on executives to operate securely, organizations need technological controls in place. For instance, the email server should require a password lock and device encryption before a smartphone is allowed to access corporate email. If an executive disables the password lock, email access should be revoked automatically rather than waiting for someone to notice.
In some cases, limitations do not work with executives; they resist digital boundaries of any kind. The only way to stay ahead of threats is then for them to modify their own behaviour. This means training them to identify fake email addresses, lookalike domains, nefarious links and other tell-tale signs of an attack. Whaling attacks historically have a high success rate and can result in a company-wide data compromise, so senior executives need to take this seriously and learn how to avoid such attacks where possible.
Secure use of email is a priority
Email attacks on senior executives are frequent and increasingly sophisticated. It helps to have policies whereby certain requests (payments, changes to bank details, release of payroll or other sensitive data) are verified out of band with the purported sender, face-to-face or by phone on a number already on file, never on a number taken from the email itself. Companies should periodically test executives to make sure they adhere to such policies.
Organizations also need security guidelines and check-out and check-in procedures for the electronic devices that senior executives take when visiting other countries. When company documents are digitized and executives are given remote access to them, access should always be over a secure channel. On return, travel devices should be routinely wiped before re-use or before connecting to the corporate network.
Having strong security programs and procedures in place can reduce damage from cyber security attacks against executives. It helps to start with the critical information assets the business needs to protect, and this will naturally lead to assessing individuals who may be vulnerable to cyberattacks. Whichever area of security is being addressed, security controls need to be appropriate to the assets and the users.