
4 December 2018

Whaling

New Zealand’s businesses are not immune to the ever-increasing threat of electronic crime; no one is.

The latest email phishing scams target high-level business executives and managers. These spear phishing scams are dubbed “whaling” because they target the “big fish”: high-profile figures with access to more information and therefore bigger payoffs for the crooks. Whaling attacks typically use carefully tailored lures: malicious emails that target victims directly with personalised, believable messages. These scammers have done some serious research on your business and what you or your staff do. They will often use social media, such as Facebook, Twitter and LinkedIn, to gather personal information to make the whaling attack more plausible. The emails tend to greet victims by name and can refer to tasks they’re responsible for and even reference co-workers. This level of personalisation makes it difficult to detect a whaling attack.

The scammer’s goal may be to get managers and business owners to download malicious code that gives the scammer access to sensitive data such as corporate banking credentials or customer databases. Alternatively, they may use information obtained elsewhere that is specific to your business to ask for a payment to be made or personal information to be sent. Attackers also impersonate the CEO or other corporate officers to convince employees to carry out financial transfers.

What does a whale lure look like?

These devious emails are often close to indistinguishable from normal business correspondence. Scammer emails used to have grammar errors all through them. Now phishing emails read and sound professional, which is why they are so successful and the reason that over 75% of targeted cyber breaches start with spear phishing emails.

  • A scammer may send a personalised email to a group of employees or a senior manager from management. The subject of the email is usually a fake ‘critical’ business matter, such as a customer complaint, or the need for an urgent payment to seal a top-secret, time-sensitive deal for a new customer or a contract award.
  • The scammer may ask employees to follow a link to a website, usually one well known to staff. At the fake, but convincing website, they will be asked to enter confidential company information or passwords.
  • Fraudsters will also hack into your supplier’s system and then send you an email advising a change of banking details.

Even though each scam has its own individual traits, through vigilance and formalised processes, the potential for loss can be mitigated.

How to spot whale hunters

  • You receive an email out of the blue, requesting your urgent attention to a matter outside your normal duties.
  • The sender's address is one you do not recognise, or is similar to an address you are familiar with. The email address or domain name doesn’t quite match the “from” name. For example, the email purports to be from “John Smith” or “The Smith Company” but the email address bears no relationship to that name, such as whalingscam@theftonline.com, or it’s from a generic account such as The Smith Company@gmail.com.
  • The email contains an attachment or a link to a website that looks official. It may have the logos and branding of the legitimate site.
  • You are asked to enter confidential work-related or personal details into a website, or to download software to view an official document.
  • The email looks slightly strange, e.g. unusual spelling, grammatical errors, or errors in the email address or domain name.
  • Emails are signed with a generic signature block, such as “Customer Service” rather than an individual’s name, title and other details.
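
The sender checks in the list above can be partly automated when triaging reported emails. The following is an added example, not part of the original article: the trusted domain, the webmail list, the function names and the sample headers are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumed values, constructed for this example: replace with your own
# trusted sender domains and the webmail providers you want to flag.
TRUSTED_DOMAINS = {"smithcompany.example"}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss (look-alike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header):
    """Return the warning signs found in one From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rpartition("@")[2]
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    if domain in FREEMAIL_DOMAINS:
        flags.append("generic webmail account")
    if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        flags.append("look-alike of a trusted domain")
    # Does any significant word of the display name appear in the address?
    cleaned = "".join(c if c.isalnum() else " " for c in name.lower())
    words = [w for w in cleaned.split() if len(w) > 3]
    if words and not any(w in addr for w in words):
        flags.append("display name unrelated to sender address")
    return flags

# Constructed sample headers, modelled on the examples in the list above.
SAMPLES = [
    '"The Smith Company" <accounts@smithcompany.example>',
    '"John Smith" <whalingscam@theftonline.com>',
    '"The Smith Company" <thesmithcompany@gmail.com>',
    '"Smith Accounts" <accounts@smithcornpany.example>',  # "rn" in place of "m"
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header) or "no warning signs")
```

A clean result only means the visible sender looks consistent. An email sent from a supplier's hacked system passes these checks, so payment and bank-detail changes still need confirmation through contact details you already hold.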

Protect your business

  • Ensure that no one person can authorise a payment without a cross check first – ideally two people within the company should sign off payments.
  • Ensure all accounting staff are made aware that they will not be criticised for double checking emails and payments – ideally, add it to the procedures.
  • Ensure that when suppliers or customers ask to change their bank details, the request is checked back with the company for confirmation. Do not, however, use the contact details supplied in the email. Be particularly vigilant where the bank details are in a different country.
  • In the event of a payment that is believed to be fraudulent, notify your bank and the police immediately.

Cyber risk insurance

Cyber risk insurance protects you against email scams. Our experts can work with you to create a tailored, cost-effective cyber package to cover you against the often enormous costs of a cyber breach. Ask about a Cyber Insurance quote. We have cyber risk management packages for any size NZ business.