Digital world is not only filled with advantages, but also brings in a bit of negatives along with it. Going with this notion ahead, email phishing or fraud is now the thing of past. “Whaling” is found to be the new threat in corporate environments. Also called ‘Business email compromise (BEC)’, this type of social engineering attack strategically targets and hijacks the email accounts of CEOs and other big heads (whales) of the business.
According a warning issued by KerbsOnSecurity, more than 7K US businesses fell victim to BEC scams between October 2013 and August 2015, loosing nearly $750 million total. And the cost when accounted to the global economy is estimated to be more than $1.2 billion.
As per the FBI’s Internet Crime Complaint Center report, Business Email Compromise schemes can be of the following forms-
- The Supplier swindle scandal- A fraudster or a cyber criminal sends a spoofed email to a vendor, asking for invoice payment. The email looks similar to that of the emails received by the CEO in general. As a result the CEO wires the funds to a fraudulent account.
- CEO Fraud- Hackers are always on prowl of those email and social media accounts which earn them something big in return. In this case, a fraudster hacks the email accounts of high level business executives and uses those accounts to send wire-transfer requests to internal employees in charge of handling finances. If the employee misses the originator’s details, then he will send the payment which will reach the wrong hands.
- Payback frauds- A fraudster sends requests for invoice payments to clients and customers seeking services. The wired funds are sent to a fraudster-controlled bank accounts.
- Workweek or workday payment frauds- A fraudster identifies himself as a legal representative and then pressures victims into transferring “time-sensitive” funds into a fraudulent account. These attacks often occur toward the end of the workday or workweek.
How CEOs can defend themselves from such whaling scams?
- The only way to defend is to go through a training module which helps in recognizing and responding to the different styles of BEC attacks. Here are some bullet points-
- Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Those emails that request transfer of funds should be re-checked.
- Verify any changes in vendor payment location by using a secondary sign off by company personnel.
- Keep a track on customers’ habits of payments and if necessary check via phone the reason behind the sudden payment.
- Confirm requests to transfer of funds when using phone verification as part of two-factor authentication, use known familiar numbers, not the details provided in the email requests.
- If a CEO gets suspicious that he/she has been targeted by a BEC email, they can report the incident immediately to law enforcement or file a complaint with the IC3.gov website.
DNF can help in bailing you out of such “whaling scams” troubles. It offers tools, software, systems and skilled human capital to tackle such scams with ease.
Call 510.265-1122 or click on DNF web page