Cybersecurity and Psychology of Whaling
There's a new threat in cybersecurity and it's aimed at the business world's biggest targets. The FBI estimates that Business Email Compromise (BEC) – CEO fraud or "whaling" - increased more than 270%.
The FT reports total potential global losses increased by $800 million in just six months. Also, Mimecast research found that 55% of companies experienced increased whaling attempts. Companies ranging from Ubiquiti Network to Snapchat have publicly admitted losing millions to these scams. What psychological and cultural factors make employees vulnerable to whaling and what can you do to prevent them?
Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn.
How Do Criminals Conduct Their Research?
During whaling scams, a finance employee receives an email spoofed to look like it's coming from the CEO or CFO. The email requests a wire transfer and provides instructions for how to send it – usually confidentially or on short notice. An executive receives a request for information from a colleague that plays to their expertise. The requests look routine and convincing.
Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn. Publicly traded companies sometimes even include bank names in their annual filings. Hackers' ability to put together a complete picture of the executive – including mining published articles and social updates for clues about communications styles – results in a very convincing portrayal.
The Employee-Side Psychology
Confusion and pressure: Confusion and pressure make employees more vulnerable to whaling scams. Requests from senior executives with confidentiality requests and short timelines don't leave room for follow-up. Considerable pressure – such as multiple emails and phone calls in a short time – amp up an employee's stress during the event.
Hierarchy and unwillingness to question authority: A cultural emphasis on efficiency and hierarchy leaves employees feeling like they'll get in trouble for verifying requests. Mid-level employees are often unwilling to challenge a request from the C-suite, especially when the request has been carefully targeted to look authentic.
The optimism bias: Harvard researcher Daniel Kahneman outlined a phenomenon called the optimism bias. People believe – despite knowing the risk – that they're less likely to be victims of a crime. Optimism leads you to believe the world is more benign than it really is, so when something looks fishy you chalk it up to non-harmful causes instead of asking questions.
Self-importance and ego: Whaling attacks geared at getting an executive to reveal information may play on ego and self-importance. From the desire to help to take pride in your expertise, flattery and genuine-sounding appeals for help play into your emotional vulnerabilities.
The Impact of Whaling Scams
Cybersecurity breaches don't just endanger your data. Beyond the financial impact, internal and external trust is eroded when your company falls for a whaling scam. There's the loss of money and brand damage to the public. An executive's reputation can be harmed. Employees who fall for whaling scams can find themselves out of a job; if not, their reputation's damaged, their judgment is questioned and there's always lingering concerns.
One executive who fell victim to a whaling scam noted in an interview with the BBC, "It's like when your house or apartment gets broken into. You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."
Understanding the psychological factors that contribute to whaling scams can improve your efforts to combat them, from employee training to internal testing. The right tools can also help. Learn more about Mimecast's new Impersonation Protect service and how it can protect employees and financial assets from this type of fraud.