Beyond Phishing: What You Need to Know About Whaling

Monday, June 13, 2016

Dan Lohrmann


First, there was phishing…

Then came spear phishing…

Now there is whaling — and other new sophisticated social engineering techniques. The bad guys are quickly modifying their deceptive practices and here’s what you need to know.

You're Gonna Need a Bigger Boat

Just when you thought you had seen it all regarding online phishing scams, along comes a new round of deceptive emails, phone calls, instant messages and even traditional printouts from your fax machine. And these revamped social engineering approaches are working — fueling a continuing surge in cybercrime.

For companies and for individuals, the stakes online remain very high. Phishing impacts are affecting brand reputation, personal careers and the financial bottom line. What’s scary is that the bad guys are often using hijacked email accounts and other legitimate business channels. The goal: to trick efficiency-minded professionals into carrying out their online crimes.

So what’s new?

Several recent “whaling” stories have emerged that don’t involve employees clicking on links or becoming infected with malware. Rather, first the criminals conduct extensive surveillance and gain the required internet credentials. Then a highly targeted end user is tricked into making a fund transfer or authorizing a pending transaction based on an email from their CEO’s personal email account.    

For example, this recent story about Alpha Payroll shows how an employee complied with a request that appeared to come from Alpha Payroll's CEO. The fake email requested: “Copies of all the 2015 W-2 forms produced by Alpha Payroll on behalf of its customers.”

Here are some additional details:

“Later, on April 8 after an Alpha Payroll customer reported their staff had fraudulent tax returns filed under their Social Security numbers — an internal investigation discovered the successful phishing attack...

Several experts have reached out to suggest that an internal policy against sharing W-2 data was at play here, which could be the reason for the (the employee’s) termination.” 

In April 2016, the Phoenix Division of the FBI formally warned businesses about the dramatic increase in business email compromise (BEC) scams.

According to the FBI press release:

"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.

There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to nonprofit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.

  • Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
  • From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
  • This amounted to more than $2.3 billion in losses.
  • Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
  • In Arizona the average loss per scam is between $25,000 and $75,000."

A Quick Tutorial from Phishing to Whaling

Online phishing scams are evolving rapidly. We all need to take note and not let our guards down.

Before offering some practical tips, I’d like to quickly recap the different types of phishing attacks that are ongoing — many of which have been around for several years.

Please note that phishing can be delivered in a variety of forms (or channels). While most people focus on email phish, text messages, faxes, Facebook or LinkedIn updates or even traditional phone calls are commonly used channels to deliver phish. The message will ask you to take an action such as clicking on a link, calling a phone number or performing some other transaction.  

First, we have traditional phishing. According to Security Mentor, phishing, like its namesake “fishing,” uses bait to lure a target into getting hooked. In phishing, the bait is a clever message and you are the fish. We fall for the phishing bait, because the phishers are masters of disguise. The bad guys play on our emotions and desires.

Most phishing scams cast a wide net that tries to get a reaction from as many people as possible. They do this by imitating trusted brands such as Walmart, PayPal, eBay, Google or Microsoft (or others) in their messages. 

Second, the wide net cast by phishing campaigns became more sophisticated and “spear phishing” started to become more common. Spear phishing is similar to phishing, except the attack is more targeted, sophisticated and often appears to be from someone you know such as a company colleague, your bank, a family member or a friend. The message may include personal information like your name, where you work, and perhaps even a phone number or other related personal information.

Spear phishing has become a huge challenge for global enterprises to defend against. Clicking on these links can open an organization up to malware leading to data loss, identity theft and even ransomware, which can encrypt system data until a ransom is paid to the attacker.

Over the past few years, spear phishing has become a preferred method for cybercriminals to infiltrate organizations, with numerous large breaches that began by gaining user credentials via spear phishing. This blog lists 10 top spear phishing attacks, calling spear phishing the secret weapon in the worst cyberattacks. The same blog also points to a study of 300 firms in the US and UK — reporting that 38 percent of cyberattacks in the past 12 months came from spear phishing.

Third, we have the new trend which many are now calling “whaling,” since the bad guys are going after the biggest of fish in super-sized spear phishing attacks. As the FBI press release mentions above, the goal is: “to assume the identity of the CEO, a company attorney or trusted vendor.” This can happen in a variety of ways, including the use of company insiders who provide access to sensitive people, process or technology needed to succeed in the fraud.

How Can Enterprises Prepare?

So what can be done to lower the risk of whaling and other new social engineering techniques, which are sure to arise over the coming few years?

Here are five strategies to consider:

  • Train on security awareness and train staff again. Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyber threats that are emerging. Remember, this is NOT just about clicking on links.
  • Provide a detailed briefing “roadshow” on whaling and the latest online fraud techniques to key staff. Yes — include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  • Review existing processes, procedures and separation of duties for financial transfers and other important transactions such as sending sensitive data in bulk to outside entities. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  • Consider new policies related to “out of band” transactions or urgent executive requests. An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  • Review, refine and test your incident management and phish reporting systems. Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
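To make the “CEO’s Gmail account” red flag from the fourth strategy concrete, here is an added example (not from the original article) of a small mail-triage check a security team could run over reported messages. It assumes a hypothetical organization with domain example.com and one executive, Jane Doe, and flags an executive’s display name paired with a non-corporate sender, a Reply-To that diverts replies to another domain, and urgent money or data language in the subject or body.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example (hypothetical organization): the corporate
# domain and the executives whose names fraudsters are most likely to borrow.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
URGENCY_TERMS = ("wire transfer", "urgent", "w-2", "today")


def whaling_indicators(raw_message: str) -> list[str]:
    """Return the whaling red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    # An executive's display name on a message not sent from that executive's
    # corporate mailbox (webmail accounts, lookalike domains, etc.).
    for exec_name, exec_addr in EXECUTIVES.items():
        if from_name.strip().lower() == exec_name.lower() and from_addr != exec_addr:
            flags.append(f"display name '{exec_name}' with non-corporate sender {from_addr}")
    # A Reply-To pointing at a different domain quietly diverts the conversation.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_addr.rpartition("@")[2]:
        flags.append(f"Reply-To {reply_addr} diverts replies away from {from_addr}")
    # Urgent financial or sensitive-data language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = [term for term in URGENCY_TERMS if term in text]
    if found:
        flags.append("urgent/financial language: " + ", ".join(found))
    return flags


# Constructed sample messages: one impersonating the CEO from a webmail
# account (the pattern the post describes) and one genuine internal note.
FRAUD_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: payroll@example.com
Subject: Urgent request

I need copies of all 2015 W-2 forms today. I'm in meetings, so email only.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Thursday

Are we still on for the budget review?
"""
```

A flagged message is a prompt for out-of-band verification with the executive, not proof of fraud; the check complements, rather than replaces, the process controls above.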

Yes — you should test staff with occasional phishing exercises, but don’t just measure clicking of links. The bad guys know that links set off alarms for many, so many of the biggest whaling incidents do not include clicking on links.

The enemy wants to gain staff trust, and they often include a combination of techniques to get employees to eventually take action.

Ask your staff: “What would you do if you were an outsider trying to gain access?”

Final Thoughts

As we develop new protections and alerts, the bad guys will adapt again and again. This is an ongoing cyber battle. In my view, whaling is “phishing 3.0.” There will be a 4.0 and a 5.0, to attempt to infiltrate organizational processes.

Are you prepared?

Do you have an ongoing security awareness training program?

The main thing is to continually educate staff to understand these new cyber threats and evolving risks faced every time we go online. The huge ongoing challenge is to continue to guide and enable staff to innovate, increase efficiency and reduce bureaucracy, while at the same time demonstrate a healthy, well-informed view of risks and online fraud. They also need to know what to do if they suspect inappropriate actions or a scam.

As Abraham Lincoln said in a letter written back in 1848: “You cannot fail in any laudable object, unless you allow your mind to be improperly directed.”

Note: An earlier version of this article was published on Government Technology.
