Today, Technology Can Help Stop Whaling Email Attacks

Today we launched the world’s first service designed specifically to stop whaling (CEO fraud) attacks.

Since previewing it at the RSA Conference in March, we’ve had a lot of interest in Impersonation Protect. And, as part of our commitment to continuous email security updates, Mimecast would like to announce that all Targeted Threat Protection customers will get the new service for free.

Whaling attacks are designed to trick key users, often in the finance team, into making fraudulent wire transfers or other financial transactions to cybercriminals by pretending to be the CEO or CFO in a fake email conversation. Some also target those responsible for sensitive employee data, such as payroll information, which could be used for identity theft or to claim fraudulent tax refunds.

These malware-less attacks have been growing around the world as cybercriminals change their attacks to try and circumvent traditional email security techniques such as anti-virus, real-time URL checking and attachment sandboxing.

Growth in whaling (CEO fraud) attacks

  • According to the FBI, whaling email scams alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015.
  • A recent report from the UK City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that from July 2015 until January 2016 there was a marked increase in CEO-fraud with a total of 994 reports being made to Action Fraud.
  • According to Mimecast’s own research, since January 2016, 67% of firms have seen an increase in attacks designed to extort fraudulent payments and 43% saw an increase in attacks specifically asking for confidential data like HR records or tax information.

Just in the last few months, a large number of organizations have confirmed that their employees have been the victim of these attacks, with many losing millions of dollars or highly sensitive data to cybercriminals.

Even the smartest employee can fall victim to these malware-less attacks. Employee education and rigorous business processes do play an important role, but at Mimecast we believe smarter technology can play a larger role in identifying social-engineering attacks.

Advanced pattern recognition

The content of these messages isn’t spammy. Whaling emails are carefully socially engineered, designed to read like a real email, and highly targeted to each recipient. With no spammy content and no attachment or link to click, it’s highly likely that other security defenses will not detect these emails as dangerous.

Mimecast can already detect traditional spoofing using frameworks like Sender Policy Framework (SPF). Other custom Mimecast policies can check for both envelope and header spoofing. To add further dedicated protection from increasingly common “domain similarity” attacks, Impersonation Protect allows detection of similar domains to a customer’s genuine domains as one of its threat indicators.

How it works

Impersonation Protect identifies combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment.

  • As email passes through the Mimecast Secure Email Gateway, Impersonation Protect examines several key components of the message.
  • Impersonation Protect examines typical IOAs in the email, such as the email’s display name, domain name, domain age and the body of the message to determine if the email could be a social engineering attack, like whaling or CEO-fraud.
  • If the email fails a combination of these tests, administrators can configure Impersonation Protect to bounce the message, or alternatively to quarantine it or notify end users that the email is suspicious.
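To make the indicator-based approach concrete, here is a small, added example (not Mimecast’s code, and not how Impersonation Protect is actually implemented) that scores an inbound message on the indicators the post lists: a protected display name arriving from a non-customer domain, a lookalike of a genuine domain (the “domain similarity” check mentioned above), a newly registered sending domain, and payment or urgency language in the body. It then maps the number of indicators hit to a bounce, quarantine, notify or deliver action. The protected domains, display names, thresholds, phrase list, domain registration dates and both sample messages are all constructed for the example; a real deployment would pull domain age from WHOIS/RDAP and tune the thresholds to its own traffic.

```python
"""Score an inbound email on whaling indicators and pick a gateway action.

Added example: constructed configuration and messages, not Mimecast's code.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration: the customer's genuine domains and the display
# names (e.g. the CEO's) that attackers are most likely to impersonate.
PROTECTED_DOMAINS = {"example.com"}
PROTECTED_DISPLAY_NAMES = {"jane doe"}
NEW_DOMAIN_DAYS = 30            # a sending domain younger than this is suspicious
LOOKALIKE_MAX_DISTANCE = 2      # edit distance at which a domain counts as a lookalike
PAYMENT_PHRASES = ("wire transfer", "urgent", "confidential", "payroll", "w-2")

# Constructed stand-in for a domain-age lookup; a real gateway would query WHOIS/RDAP.
DOMAIN_REGISTERED = {
    "example.com": date(2005, 1, 1),
    "examp1e.com": date(2016, 3, 20),
}
TODAY = date(2016, 4, 5)        # fixed "now" so the example is deterministic


def edit_distance(a, b):
    """Levenshtein distance between two strings (used for lookalike domains)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when the domain is close to, but not equal to, a protected domain."""
    return any(d != domain and edit_distance(d, domain) <= LOOKALIKE_MAX_DISTANCE
               for d in PROTECTED_DOMAINS)


def domain_age_days(domain):
    """Age of the domain in days, or None when no registration date is known."""
    registered = DOMAIN_REGISTERED.get(domain)
    return None if registered is None else (TODAY - registered).days


def score_message(raw):
    """Return the list of indicators the message triggers."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    hits = []
    # Display name of an executive, but the address is not on a genuine domain.
    if display.strip().lower() in PROTECTED_DISPLAY_NAMES and domain not in PROTECTED_DOMAINS:
        hits.append("display-name impersonation")
    if is_lookalike(domain):
        hits.append("lookalike domain")
    age = domain_age_days(domain)
    if age is not None and age < NEW_DOMAIN_DAYS:
        hits.append("newly registered domain")
    if any(phrase in body for phrase in PAYMENT_PHRASES):
        hits.append("payment/urgency language")
    return hits


def policy_action(hits):
    """Map the combination of indicators to an action (thresholds are constructed)."""
    if len(hits) >= 3:
        return "bounce"
    if len(hits) == 2:
        return "quarantine"
    if len(hits) == 1:
        return "notify"
    return "deliver"


# Constructed sample messages: one impersonation attempt, one genuine email.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent

I need you to process a wire transfer today. Keep this confidential.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch

Shall we meet at noon?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        hits = score_message(raw)
        print(f"{label}: {policy_action(hits)} {hits}")
```

Note that no single indicator is decisive on its own: a genuine executive sending from a personal address would trip only the display-name check, so the action is to notify rather than bounce. That is the point of combining indicators, and it is why the thresholds in `policy_action` need tuning against real mail flow before they are used to reject messages.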

We recently explained in a little more detail how Impersonation Protect works by applying advanced pattern recognition to these malware-less emails. This new service can defend on-premises, hybrid and pure cloud email deployments including Microsoft® Exchange and Office 365™.

Previously there was little you could do to protect your organization from whaling attacks. It largely came down to education and hoping your colleagues wouldn’t be duped by a well-targeted, socially engineered attack. But with Impersonation Protect we have changed that – you now have technology to protect you alongside training.

We look forward to hearing feedback on Impersonation Protect as it continues to evolve.
