In recent months we have seen the growth of a new form of targeted email attack specifically aimed at defrauding CEOs and CFOs, and at duping their teams into wiring cash to cyber-criminals and hackers. These Business Email Compromise (BEC) or so-called ‘whaling’ or ‘CEO fraud’ emails are becoming widespread, impacting organizations of all sizes.
The criminals are not stealing petty cash either - this can be a multi-million dollar fraud. Just ask aerospace component manufacturer FACC, which admitted a massive fraud of $55 million in January. The FBI’s Internet Crime Complaint Center (IC3) reported in August last year that attacks were growing – an increase of 270% in victims since the beginning of the year. They reported complaints from over 8000 victims globally representing a potential loss of nearly $800m. They estimate that when you add in cases reported by international law enforcement agencies the total is over $1.2 billion. The FT then went on to report that losses in the last six months were accelerating and another $800m had been reported stolen.
The crime isn’t limited to the U.S. either, of course. The 2015 official Crime Survey of England and Wales included ‘CEO fraud’ (or whaling) for the first time, with over 5.1m cases. These figures do also include attacks made via credit cards or over the phone, but online is only set to grow as the favored attack of choice, being largely anonymous and hard to police.
In fact, Mimecast’s own research in December showed that 55% of the respondents of the 442-company survey had seen an increase in whaling attacks in just the last three months of 2015.
And this fraud is not just grabbing press headlines. World governments are prioritizing tackling it. In the last week alone the British Government has announced a new multi-agency fraud taskforce to look at this and other fraud attacks.
But success here is not just about law enforcement and email security.
New technical defenses are needed, and a significant education effort is required too. Whaling is just another form of targeted email attack: highly targeted, but still designed to exploit your greatest security weakness – your people.
So, how does it work? Disturbingly simple, really. An email is sent to a target individual (often with a spoofed or similar sounding domain name) pretending to come from the CEO or CFO and usually to someone in the finance team asking them to make a wire transfer. The emails will be very convincing and use relevant information gained through extensive research of the target. They are the product of considerable effort – they will look right, they will sound right, and they will be carefully targeted and tailored. And ultimately they rely on our obedience to hierarchy, particularly our discomfort challenging our bosses and perhaps most disgustingly, our inherent desire to help others. Cyber-criminals will often place a telephone call to their victim too, for added authenticity and persuasion.
Research from Verizon’s Data Breach Investigation Report in 2015 tells us that a traditional phishing email attack will dupe 23% of people who receive it, and 11% of those will go on to open a link or attachment. A concerted ‘campaign’ of attack emails will be even more successful – 10 emails will have a 90% chance of hooking at least one victim. These numbers show us that any social engineering-based attack using email is likely to be successful.
And remember, these figures are for attacks that are not highly targeted at an individual employee. So it is safe to assume the hit rate for a highly targeted email purporting to come from the CEO is going to be much more successful – and potentially damaging.
So, what can you do about it? We have written about this in more detail before, but in summary:
Technology can help – we announced a new capability this week for Mimecast Targeted Threat Protection called Impersonation Protect that gives you protection against whaling attacks, and you can find out more here. You can also use email stationery that marks external email, to make it obvious to the recipient that the email originated from the outside world. Register your domain name under as many top-level domains (TLDs) as you can, along with any ‘near’ variants of the name, to make it harder to spoof you. Subscribe to a domain registration monitoring service so you get an alert when someone registers a domain that might resemble yours.
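The mechanics described above (a spoofed or similar-sounding sender domain, an executive's name in the display name, a request to the finance team) and the technical controls just listed (external-mail marking, watching for ‘near’ domains) can be turned into a simple inbound check. The following is an added example written for this post, not Mimecast code and not how Impersonation Protect works; it assumes a hypothetical organization domain `example-corp.com`, a hypothetical list of executive names, and a handful of constructed message headers. It folds common look-alike substitutions (digit-for-letter, `rn` for `m`), measures edit distance against your own domain, flags executive display names on outside domains and a Reply-To that points elsewhere, and prepends an `[EXTERNAL]` marker to anything not from your own domain.

```python
from email.utils import parseaddr

# Hypothetical organization domain(s) and executive names (assumptions for this example).
OWN_DOMAINS = {"example-corp.com"}
EXEC_NAMES = {"jane doe"}

# Visually confusable substitutions commonly used in look-alike registrations.
# They are folded to a canonical form before comparison so that, e.g.,
# "exarnple" and "examp1e" both compare equal to "example".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def normalize(label: str) -> str:
    """Lower-case a domain and fold confusable character sequences."""
    s = label.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), iterative DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, own_domains=OWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    d = domain.lower().strip(".")
    if d in own_domains or any(d.endswith("." + o) for o in own_domains):
        return "internal"
    nd = normalize(d)
    for own in own_domains:
        no = normalize(own)
        if nd == no:                              # homoglyph swap, e.g. examp1e-corp.com
            return "lookalike"
        if levenshtein(nd, no) <= max_distance:   # typo-distance, e.g. example-corp.co
            return "lookalike"
        if nd.split(".")[0] == no.split(".")[0]:  # same name under another TLD
            return "lookalike"
    return "external"


def assess_message(headers: dict, own_domains=OWN_DOMAINS, exec_names=EXEC_NAMES) -> dict:
    """Classify one message by its From/Reply-To headers and tag the subject if external.

    Note: the From domain is only trustworthy when an upstream gateway has already
    enforced sender authentication (SPF/DKIM/DMARC); this check assumes that.
    """
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_sender_domain(from_domain, own_domains)
    flags = []
    if verdict == "lookalike":
        flags.append("lookalike-domain")
    # An executive's name in the display name but not from our domain is the classic BEC pattern.
    if verdict != "internal" and any(n in name.lower() for n in exec_names):
        flags.append("executive-display-name")
    # A Reply-To pointing at a different domain diverts the conversation away from the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != from_domain.lower():
        flags.append("reply-to-mismatch")
    subject = headers.get("Subject", "")
    if verdict != "internal" and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject        # the 'external stationery' marker
    return {"from_domain": from_domain, "verdict": verdict, "flags": flags, "subject": subject}


# Constructed sample headers for the example (not real messages).
SAMPLE_MESSAGES = [
    {"From": "CEO Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 figures"},
    {"From": "CEO Jane Doe <jane.doe@examp1e-corp.com>", "Reply-To": "jane.doe@examp1e-corp.com",
     "Subject": "Urgent wire"},
    {"From": "CEO Jane Doe <jane.doe@gmail.com>", "Subject": "Need a favour"},
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Reply-To": "j.doe@mail-relay.net", "Subject": "Invoice"},
]


def assess_all(messages=SAMPLE_MESSAGES) -> list:
    return [assess_message(m) for m in messages]


if __name__ == "__main__":
    for result in assess_all():
        print(result)
```

The thresholds and confusable list are deliberately small; a production filter would also consult the list of domains you have registered yourself, so that your own ‘near’ variants are treated as internal rather than as look-alikes.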
Education is key – remember this is largely an attack on people, not technology. So educate senior management, and those perceived to be ‘at risk’ (finance, HR, IT), about this specific attack. Help them to recognize its characteristics. Review your finance standard operating procedures to take this new type of attack into account. Then test your team: conduct regular simulated attacks and learn from the mistakes they reveal.
The incidence of these attacks is only set to grow. They are relatively easy for the criminals to conduct. They are hard to protect against using traditional security technologies alone. They work, and the pay day is very tempting.
It doesn’t matter how experienced or senior you are – you are still likely to fall for a well-crafted targeted attack. So assume you and your team will be duped, and plan accordingly.