Whaling Warning Signs

In this video, five different whaling attack examples are discussed, including high-profile cases with near misses.
Here are some red flags to look for in an email that should make you suspicious that it could be a whaling attack. You receive an email from a senior member of an organization or someone in authority over you with some type of urgent, unusual request, such as a transfer of funds or for personal employee information. My daughter-in-law works in finance for a nonprofit organization, and she received an email from their financial officer to pay an invoice. Fortunately, she realised she had already paid that organization, and asked him about it. And she verified that it was, indeed, a whaling attack. And she managed to avoid it. Take note of some common characteristics of a whaling attack.
In this email, you can see the sense of urgency in the subject line. And it does have to do with a financial transaction. You can also see that, in this case, unlike a general phishing attack, it is addressed to a specific person. It purports to be from someone in a position of authority over the recipient, and there is an attachment that the recipient is directed to download. In whaling attacks that are trying to direct someone to complete a wire transfer, you won’t always see attachments. So this attack could involve both fraud and the introduction of some type of malware into the recipient’s network. Note that in this example the attacker is asking the recipient to complete some type of financial transaction.
And again, there is a sense of urgency. Also notice the subtle difference in the URL for the email address, with the extra S at the end of the address. It is very easy and inexpensive for attackers to register a new domain name that is subtly different from the company they’re attacking, a small investment that could result in a huge payoff if they’re successful. This is another example of an urgent financial transaction, with the addition of the purported sender being unavailable to call, which is a common tactic. Once again, note the subtle differences in the email address.
In this example from 2015, Snapchat admitted that employee details were accidentally sent to a scammer after a staff member fell for a phishing email that purported to come from the CEO. So, a classic whaling attack. The incident underlines the growing trend among scammers to send emails appearing to come from senior employees to functions such as HR, payroll, and accounting in an attempt to get requests responded to quickly and without question. Fortunately for Snapchat, none of their internal systems were breached, and no other user information was accessed. Snapchat alerted the FBI to the incident, and contacted those employees who could be affected to offer free identity theft insurance and monitoring. The company also improved efforts to train their staff about this threat.
Another example from the same year was what happened to Mattel. The cyber criminals behind the attack had been hiding in Mattel’s computer networks to study the corporation’s internal procedures, protocols, corporate hierarchy, supplier information, employee personalities, et cetera, prior to launching their final whaling attack. They learned the business’s activities, turnover, fluctuations in various regions, and most importantly, the top management’s business decisions. They waited for the right moment, which came when Mattel appointed a new CEO, Christopher Sinclair. The attackers chose a high-level executive as the recipient of this whaling email. They drafted the email using the identity of Christopher Sinclair and asked the recipient for joint approval of payment to a Chinese supplier of Mattel.
The payment of $3 million was to be transferred to a bank in Guangzhou, China. According to Mattel’s internal money transfer protocol, such a payment would require authorization from two high-level managers. The recipient qualified, and as the request had supposedly come from the new CEO, which signified the other authorization, she made the transfer. Several hours after the transaction had been made, the concerned manager reported to Christopher Sinclair about the job. He had never sent such an email. The corporation went into panic mode, and immediately asked for assistance from the bank and the FBI. Unfortunately, the money was gone. It had already been transferred to China. However, Mattel got lucky in this case.
The money happened to be sent on the 30th of April, which was the eve of a holiday in China. Mattel contacted Chinese police in time to freeze the concerned bank account prior to the start of bank service after the holiday, and the money was ultimately returned. So they got very lucky. So what can you do to prevent whaling attacks? First, double check the email address. As you can see from the examples I showed, the email may appear to be from a legitimate source. But after careful inspection, there may be additional letters, numbers, or different email providers. Next, train your employees. Provide training for your staff about whaling attacks and how to identify phishing emails.
A lot of companies carry out phishing testing. You can test your staff with fake phishing emails to see how many believe an email is legitimate, how many click on links, or reply to the email, and then provide them with the results and additional training if they need it. Use multi-step verification: enable it for all requests for sensitive data or wire transfers. Follow up with a phone call. If you’re not sure about an email, speak to the colleague or customer who sent it, like my daughter-in-law did with her financial officer. Don’t reply or use the contact information from the email, because that’s part of this scam. Do not click links in email. We’ve already talked about this.
If you want to check your account on the website that the email is referencing, open it in your web browser separately. Do not click links in the email, as they usually are followed by a fake website that’s designed to steal your data as you try to log in. And of course, report it: report the phishing email to your IT department. This may be one in 100 emails that have been sent to your organization, and other employees may not realise that it is not genuine. In conclusion, you’ve learned what whaling is, what objectives attackers are aiming for in whaling, and who is at risk for whaling.
We discussed many red flags and warning signs of a whaling attack, and went over several examples, as well as what you can do to protect yourself and your organization from a whaling attack. In the next video, we’ll discuss smishing, a special type of phishing that uses text messages to deliver the attack. I look forward to seeing you there.
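As an added example that is not part of the course material, the Python triage check below applies the red flags the lecture lists (a sender domain one or two characters off the real one, an executive's name on an outside domain, a Reply-To routed to a different provider, urgency, a financial or personal-data request, the "can't be reached by phone" excuse, and an attachment) to a constructed message. The trusted domain, executive names, keyword lists and the sample email are all assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Constructed values standing in for the organisation's real domain and executives.
TRUSTED_DOMAINS = {"examplecorp.com"}
EXECUTIVES = {"christopher sinclair", "pat lee"}
# Keyword patterns for three of the lecture's red flags (constructed, not exhaustive).
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|right away|time.sensitive)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|invoice|payment|payroll|w-?2|employee (data|information|records))\b", re.I)
UNREACHABLE = re.compile(r"\b(can'?t (talk|call)|in a meeting|unavailable|do not call)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is typically one or two edits away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def whaling_red_flags(msg: dict) -> list[str]:
    """Return the red flags raised by one message, given its headers as a dict."""
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        if any(edit_distance(domain, d) <= 2 for d in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")  # e.g. examplecorps.com vs examplecorp.com
        if name.strip().lower() in EXECUTIVES:
            flags.append("executive-name-external-domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")  # replies go to a different email provider
    text = msg.get("Subject", "") + " " + msg.get("Body", "")
    if URGENCY.search(text):
        flags.append("urgency")
    if FINANCIAL.search(text):
        flags.append("financial-request")
    if UNREACHABLE.search(text):
        flags.append("sender-unreachable")
    if msg.get("Attachments"):
        flags.append("attachment")
    return flags

# Constructed message modelled on the lecture's examples (not a real email).
SAMPLE = {
    "From": "Christopher Sinclair <csinclair@examplecorps.com>",
    "Reply-To": "c.sinclair.ceo@freemail.example",
    "Subject": "URGENT: approve supplier payment today",
    "Body": "Please co-approve the wire transfer to our supplier. I'm in a meeting and can't talk.",
    "Attachments": ["invoice.pdf"],
}
```

Any message raising two or more flags is a candidate for the out-of-band phone check the lecture recommends; a single keyword hit on its own is common in legitimate mail.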

In this video, five different whaling attack examples are discussed, including high-profile cases that were near misses. The video will highlight the tactics that were used and what to do to prevent such attacks.

Reflect and share: Knowing what you know now, how would you react if you received an email from your organization’s CEO that you thought was a cyberattack? If you have experienced this before, what would you do differently, if anything? Share your thoughts and experiences in the comments section below.

This article is from the free online course Cyber Security Foundations: Common Malware Attacks and Defense Strategies

Created by FutureLearn - Learning For Life