How to Protect Employees from Whaling Email Attacks

Whaling, CEO Fraud and Business Email Compromise pose many risks to organizations around the world.

These email attacks use simple social engineering to great effect, tricking employees into handing over critical data or making fraudulent financial transactions. Cybercriminals use similar-sounding domain names or free email addresses to pose as business executives. Because these messages usually carry no malware links or attachments, they evade traditional email security techniques.

According to the FBI, $800m was reported stolen in just the last six months, and whaling increased overall by 270% in 2015. Individual losses have included US technology company Ubiquiti Networks ($46.7 million), Austrian aircraft industry supplier FACC ($54 million) and a Belgian bank ($75.8 million).

The trend continues: Snapchat recently revealed that a member of its payroll department was tricked into sharing employee data by a scammer impersonating the company's CEO. The fraudsters are now armed with sensitive data they can use to launch secondary attacks against Snapchat employees.

How do we identify and block these fraudulent emails using technology?

The best approach builds on the pattern recognition that has been used for decades to classify spam. Mimecast's new Targeted Threat Protection service, Impersonation Protect, uses new algorithms to measure and compare a range of identifiers and produce a probability score that an inbound email is either safe or malicious.

Some of the key whaling “identifiers” in inbound email are:

  • Is the name of the person sending the mail the same as one of my user names?
  • Is the domain sending the email “like” one of my domains?
  • Is the domain “new”? That is, has it been seen on the internet passing valid traffic, or has it been registered recently, specifically for the attack?
  • Does the email contain common whaling keywords, e.g. wire transfer, bank payment, bank transfer?

In isolation, none of these identifiers is an indicator of threat. For example, if the CEO's name is Bob Smith, a mail from another “Bob Smith” is not necessarily bad; after all, there is more than one Bob Smith in the world! But an email from a Bob Smith at a domain that is one letter away from the company's email domain is suspicious, and if the mail also contains the phrase “wire transfer”, that is even more suspicious.

The more matches, the more likely the mail is to be bad. By default, any two matched indicators should classify the mail as suspicious.
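The scoring described above, written out as an added example that is not Mimecast's code: each of the four identifiers is checked independently, and the message is classified as suspicious once two or more of them match. The tenant configuration (protected user names, internal domain, keyword list), the "first seen" registry standing in for a domain-reputation feed, the two-edit lookalike threshold and the 30-day "new domain" window are all assumptions constructed for the example, as are the sample messages.

```python
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr

# Constructed tenant configuration for a hypothetical organisation (example data, not from the page).
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_USERS = {"bob smith", "alice jones"}          # display names of protected users
WHALING_KEYWORDS = ("wire transfer", "bank payment", "bank transfer")
LOOKALIKE_MAX_DISTANCE = 2   # assumption: up to two character edits counts as "like" one of my domains
NEW_DOMAIN_DAYS = 30         # assumption: first seen less than 30 days ago counts as "new"
TODAY = date(2016, 3, 1)     # constructed reference date for the samples below

# Constructed stand-in for a domain-reputation feed: when a domain was first seen passing valid mail.
DOMAIN_FIRST_SEEN = {
    "example.com": date(2005, 1, 1),
    "partner.org": date(2012, 6, 1),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    indicators: list
    suspicious: bool


def score_email(from_header: str, subject: str, body: str, today: date,
                threshold: int = 2) -> Verdict:
    """Count the whaling identifiers matched by one inbound message.

    Each identifier alone is weak evidence; `threshold` matched identifiers
    (two by default, as the text states) classify the mail as suspicious.
    """
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    indicators = []

    # The identifiers target inbound mail from outside the organisation; a message
    # carrying one of our own domains is out of scope for this check and gets no score.
    if domain in INTERNAL_DOMAINS:
        return Verdict(indicators, False)

    # 1. Sender's display name matches one of my user names.
    if display_name.strip().lower() in INTERNAL_USERS:
        indicators.append("name_match")

    # 2. Sending domain is "like" one of my domains (a few character edits away).
    if any(edit_distance(domain, mine) <= LOOKALIKE_MAX_DISTANCE for mine in INTERNAL_DOMAINS):
        indicators.append("lookalike_domain")

    # 3. Domain is "new": never seen passing valid traffic, or first seen only recently.
    first_seen = DOMAIN_FIRST_SEEN.get(domain)
    if first_seen is None or (today - first_seen).days < NEW_DOMAIN_DAYS:
        indicators.append("new_domain")

    # 4. Subject or body contains common whaling keywords.
    text = f"{subject}\n{body}".lower()
    if any(keyword in text for keyword in WHALING_KEYWORDS):
        indicators.append("keywords")

    return Verdict(indicators, len(indicators) >= threshold)


if __name__ == "__main__":
    # Constructed sample messages; "exarnple.com" imitates "example.com" with "rn" in place of "m".
    samples = [
        ("Bob Smith <bob.smith@exarnple.com>", "Urgent wire transfer", "Please process a bank transfer today."),
        ("Bob Smith <bob@partner.org>", "Bank payment received?", "Can you confirm?"),
        ("Carol White <carol@partner.org>", "Q1 report", "Attached are the figures."),
    ]
    for hdr, subj, body in samples:
        v = score_email(hdr, subj, body, TODAY)
        print(f"{hdr:40} -> {v.indicators} suspicious={v.suspicious}")
```

The first sample trips all four identifiers; the second is the "another Bob Smith" case from the text, which becomes suspicious only because the name match is joined by a payment keyword; the third matches nothing. Real deployments would replace the constructed `DOMAIN_FIRST_SEEN` table with a reputation or registration-date lookup and tune the two thresholds to their own false-positive tolerance.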

Mimecast data centers around the world process approximately 180 million emails per day so we have a wealth of patterns to examine and help train our recognition algorithms.

With Impersonation Protect, admins can choose a range of actions to take if an email is categorized as suspicious. From most to least aggressive:

  • Bounce the email. Don't deliver it.
  • Hold the message for admin, moderator or even user review.
  • Mark the message as suspicious in any or all of these areas: subject line, message body, SMTP header.

Additionally, any mail originating from an external source, suspicious or not, can be marked as received from an external sender.
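The three actions and the external-sender marking, applied to a message with the Python standard library, as an added example that is not Mimecast's code. The policy knobs, the `[SUSPICIOUS]` subject tag, the body banner text and the two header names (`X-Impersonation-Indicators`, `X-External-Sender`) are this example's own assumptions, not product settings, and the sample message is constructed.

```python
from email.message import EmailMessage
from enum import Enum


class Action(Enum):
    BOUNCE = "bounce"   # most aggressive: refuse delivery outright
    HOLD = "hold"       # queue for admin, moderator or user review
    MARK = "mark"       # deliver, but tag the message so the reader is warned


# Hypothetical marking settings; names and values are this example's own.
SUBJECT_TAG = "[SUSPICIOUS] "
BODY_BANNER = "WARNING: this message matched impersonation indicators: {}\n\n"
SCORE_HEADER = "X-Impersonation-Indicators"   # hypothetical header name
EXTERNAL_HEADER = "X-External-Sender"          # hypothetical header name


def apply_policy(msg: EmailMessage, indicators: list, suspicious: bool, external: bool,
                 action: Action = Action.MARK, mark_subject: bool = True,
                 mark_body: bool = True, mark_header: bool = True) -> str:
    """Return the disposition ("bounce", "hold" or "deliver") and tag `msg` in place when marking."""
    # External-sender marking applies to every message from outside, suspicious or not.
    if external:
        msg[EXTERNAL_HEADER] = "yes"
    if not suspicious:
        return "deliver"
    if action is Action.BOUNCE:
        return "bounce"
    if action is Action.HOLD:
        return "hold"
    # Action.MARK: tag whichever of subject line, body and SMTP header the admin selected.
    if mark_subject:
        subject = msg["Subject"] or ""
        del msg["Subject"]            # Subject may appear only once, so replace rather than append
        msg["Subject"] = SUBJECT_TAG + subject
    if mark_body:
        banner = BODY_BANNER.format(", ".join(indicators))
        msg.set_content(banner + msg.get_content())
    if mark_header:
        msg[SCORE_HEADER] = ", ".join(indicators)
    return "deliver"


def build_sample() -> EmailMessage:
    """Constructed lookalike-domain message, not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Bob Smith <bob.smith@exarnple.com>"
    msg["To"] = "payroll@example.com"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please process a bank transfer today. Bob")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    disposition = apply_policy(sample, ["name_match", "lookalike_domain"], True, True)
    print(disposition)
    print(sample.as_string())
```

Marking is the least aggressive choice because the mail still reaches the user; the header form is the one a downstream mail client or SIEM rule can key on, while the subject tag and body banner are what the recipient actually sees.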

Only by checking for combinations of key whaling identifiers can these emails be successfully stopped or marked as suspicious.

At RSA Conference this week, Mimecast is previewing Impersonation Protect, a new addition to our Targeted Threat Protection service, which currently offers protection against spear-phishing attacks that use malicious links and weaponized attachments.

Impersonation Protect is a first-of-its-kind service to tackle this damaging attack and gives organizations and employees critical protection from whaling and CEO fraud emails.
