Today, Technology Can Help Stop Whaling Email Attacks

by Steven Malone - Director of Security Product Management

Today we launched the world’s first service designed specifically to stop whaling (CEO fraud) attacks.

Since previewing it at the RSA Conference in March, we’ve had a lot of interest in Impersonation Protect. And, as part of our commitment to continuous email security updates, Mimecast would like to announce that all Targeted Threat Protection customers will get the new service for free.

Whaling attacks are designed to trick key users, often in the finance team, into making fraudulent wire transfers or other financial transactions to cybercriminals by pretending to be the CEO or CFO in a fake email conversation. Some also target those responsible for sensitive employee data, such as payroll information, which can be used for identity theft or to claim fraudulent tax refunds.

These malware-less attacks have been growing around the world as cybercriminals change their techniques to circumvent traditional email security controls such as anti-virus, real-time URL checking and attachment sandboxing.

Growth in whaling (CEO fraud) attacks

  • According to the FBI, whaling email scams alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015.
  • A recent report from the UK City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that from July 2015 until January 2016 there was a marked increase in CEO-fraud with a total of 994 reports being made to Action Fraud.
  • According to Mimecast’s own research, since January 2016 67% of firms have seen an increase in attacks designed to extort fraudulent payments and 43% saw an increase in attacks specifically asking for confidential data like HR records or tax information.

Just in the last few months, a large number of organizations have confirmed that their employees have been the victims of these attacks, many losing millions of dollars or highly sensitive data to cybercriminals.

Even the smartest employee can fall victim to these malware-less attacks. Employee education and rigorous business processes do play an important role but at Mimecast we believe smarter technology can play a larger role in identifying social-engineering attacks.

Advanced pattern recognition

The content of these messages isn’t spammy. Whaling emails are carefully socially engineered, designed to read like a real email, and highly targeted to each recipient. With no spammy content and no attachment or link to click, it’s highly likely that other security defenses will not flag these messages as dangerous.

Mimecast can already detect traditional spoofing using standards like Sender Policy Framework (SPF). Note that SPF authorizes the envelope sender (MAIL FROM) domain, not the From header the recipient sees, so a message sent from an attacker-controlled domain, or from a genuinely registered look-alike domain, passes SPF cleanly. Other custom Mimecast policies can check for both envelope and header spoofing. To add further dedicated protection against increasingly common “domain similarity” attacks, Impersonation Protect allows detection of domains similar to a customer’s genuine domains as one of its threat indicators.

How it works

Impersonation Protect identifies combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment.

  • As email passes through the Mimecast Secure Email Gateway, Impersonation Protect examines several key components of the message.
  • It evaluates typical IOAs in the email, such as the display name, the sender domain, the age of that domain and the body of the message, to determine whether the email could be a social engineering attack like whaling or CEO fraud.
  • If the email fails a combination of these tests, administrators can configure Impersonation Protect to bounce the message, quarantine it, or deliver it with a notification warning end users that it is suspicious.
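The combination-of-indicators approach described above, written out as a runnable heuristic over raw RFC 5322 messages. This is an added example, not Mimecast’s code: the protected domains and names, the indicator weights, the action thresholds, the keyword list, the domain-age table (a stand-in for a WHOIS/RDAP lookup) and the three sample messages are all constructed for illustration. It generalizes the text slightly by adding a Reply-To mismatch indicator and by folding common homoglyph substitutions before comparing domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed customer configuration (assumed for this example).
PROTECTED_DOMAINS = {"example.com"}      # the customer's genuine sending domains
PROTECTED_NAMES = {"jane doe"}           # executives an attacker would imitate (lower-case)
# Stand-in for a WHOIS/RDAP domain-age lookup; the values are constructed.
DOMAIN_AGE_DAYS = {"example.com": 5000, "examp1e.com": 4, "gmail.com": 9000}
NEW_DOMAIN_DAYS = 30                     # younger than this counts as "newly registered"
FINANCE_PATTERNS = [r"\bwire transfer\b", r"\burgent(ly)?\b", r"\bpayroll\b",
                    r"\bW-?2\b", r"\bconfidential\b", r"\binvoice\b"]
# Assumed thresholds an administrator would tune; the highest matching one wins.
ACTION_BY_SCORE = [(5, "bounce"), (3, "quarantine"), (1, "notify"), (0, "deliver")]

def normalize(label):
    """Fold common look-alike substitutions so 'examp1e.com' compares equal to 'example.com'."""
    s = label.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        s = s.replace(src, dst)
    return s

def levenshtein(a, b):
    """Edit distance; a small value between a sender domain and a genuine one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def indicators(raw):
    """Return {indicator: weight} for the indicators present in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    internal = from_dom in PROTECTED_DOMAINS
    found = {}
    # 1. A protected person's display name on a message from outside the genuine domains.
    if normalize(name) in PROTECTED_NAMES and not internal:
        found["display_name"] = 2
    # 2. Sender domain within two edits of a genuine domain after homoglyph folding.
    if from_dom and not internal:
        if min(levenshtein(normalize(from_dom), d) for d in PROTECTED_DOMAINS) <= 2:
            found["similar_domain"] = 2
    # 3. Newly registered sender domain (unknown age is treated as new).
    if from_dom and not internal and DOMAIN_AGE_DAYS.get(from_dom, 0) < NEW_DOMAIN_DAYS:
        found["new_domain"] = 1
    # 4. Replies steered to a different domain than the one shown in From.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        found["reply_to_mismatch"] = 1
    # 5. Financial or urgency language in the body (two or more distinct phrases).
    if sum(1 for p in FINANCE_PATTERNS if re.search(p, body, re.I)) >= 2:
        found["body_language"] = 1
    return found

def classify(raw):
    """Map the combined indicator score to the administrator-chosen action."""
    found = indicators(raw)
    score = sum(found.values())
    action = next(a for threshold, a in ACTION_BY_SCORE if score >= threshold)
    return action, score, found

# Constructed sample messages (not real traffic).
WHALING = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Content-Type: text/plain

I'm in a meeting, please process this wire transfer urgently and keep it confidential.
"""
FREEMAIL = """From: Jane Doe <jdoe.ceo@gmail.com>
To: hr@example.com
Reply-To: payments@mailbox.test
Content-Type: text/plain

Send me the payroll records for all staff today; this is urgent.
"""
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Content-Type: text/plain

Please approve the attached invoice when you get a chance.
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING), ("freemail", FREEMAIL), ("legitimate", LEGITIMATE)):
        print(label, classify(raw))
```

Two caveats worth keeping in mind when tuning something like this. A message whose From header carries the genuine domain exactly, sent from an outside server, scores zero here; that case belongs to SPF, DKIM and DMARC enforcement at the gateway, not to similarity heuristics. And the homoglyph folding deliberately trades precision for recall (it would turn a real "Bjorn" into "Bjom"), so it should only ever contribute to a combined score, never block on its own.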

We recently explained in a little more detail how Impersonation Protect works by applying advanced pattern recognition to these malware-less emails. This new service can defend on-premises, hybrid and pure cloud email deployments including Microsoft® Exchange and Office 365™.

Previously there was little you could do to protect your organization from whaling attacks. It largely came down to education and hoping your colleagues wouldn’t be duped by a well-targeted, socially engineered attack. With Impersonation Protect we have changed that: you now have technology to protect you alongside training.

We look forward to hearing feedback on Impersonation Protect as it continues to evolve.


Today, we launched our new Mimecast Business Email Threat Report 2016. The survey of 600 IT security professionals shows that while 64 percent see email as a major cyber-security threat to their business, 65 percent also feel ill-equipped or too out-of-date to reasonably defend against email-based attacks.

Email continues to be a critical technology in business and the threat of email hacks and data breaches loom large over IT security managers. Consequently, confidence and experience with previous data breaches and email hacks play key parts in determining an organization’s perceived level of preparedness against these threats. Alarmingly, one-third of survey respondents believe email is more vulnerable today than it was five years ago.

We depend on technology, and email in particular, in all aspects of our work and personal lives. So, it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend against email-based threats. Budget and C-suite involvement were the biggest gaps found between the most and least prepared respondents. Among the IT security managers who feel most prepared, it’s not a surprise to me that their C-suite is most engaged with email security. But the results show that the reality for a large number of them is that their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

As the cyber threat becomes more potent, email attacks will become more common and more damaging. It’s essential that executives, the C-suite in particular, realize they may not be as safe as they think and take action. They need to get engaged with email security planning and preparation, and allocate time, focus and budget.

Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT budgets to email security. We estimate from our research that security confidence is achieved when you assign over 10% of your IT budget to email security.

Finally, our research report also identifies five distinct security ‘personas’, inspired by the data, that we can all learn from. We call them Vigilant, Equipped Veteran, Apprehensive, Nervous and Battle-Scarred. For more information on the differences between these personas, including budget allocations, levels of C-suite involvement and the top attack vectors they worry about, download our E-book summary of the research here.


The Anatomy of a True Partnership

by Bob Fidler - VP, Enterprise Channel Partners

The word “Partnership” is defined as an agreement to cooperate and advance mutual interests. It’s a simple term but one that is often overused and, in most cases, unbalanced. As we grow up and mature into our business lives, trust in individuals and organizations helps shape our thinking, personalities and reactions. It’s the level of confidence you place in others that drives the development of a true partnership.

For example, Mimecast is in a partnership with HP, and this week sees the start of HP Discover in Las Vegas. Every attendee at this show will be in a partnership with HP in some form: as a supplier, a task facilitator, or an extension to their existing IT team. The reason Mimecast chose to work with HP is to assist our joint customers.

If this sounds like a sales pitch, remember that I don’t work for HP, but I do understand the genuine value they bring as a partner.

The HP-Mimecast partnership is evolving with the market opportunity – for example, you might think that your email is working just fine on that old Windows Server 2003. But you know that Microsoft will no longer be supporting this after July. So now is a crucial time for IT teams to decide which vendors to partner with to make a change. Whether your final destination is Microsoft Exchange 2013 or Office 365, HP is there to guide you through the process, and is best partnered with Mimecast’s 100 percent uptime SLA on email availability and security to protect your company’s essential communication stream.

Regardless of where you are on your journey, we hope you can drop by Mimecast booth #3533 at HP Discover to find out how we can help reduce your risk and support you when migrating to Office 365 or Exchange, and see how we’re working together with HP as true partners.


If you want to succeed in Australia you can’t just commit to a sales and support presence. Putting down technology roots is vital, especially if you aspire to grow in the government and financial services sectors.

Since opening in Melbourne in July 2013, Mimecast has experienced strong growth in the region and now it’s time for us to put down deeper roots.

So we’re pleased to confirm we’re in the final stages of preparing local data centers in Australia. This investment is designed to help Australian organizations protect email with security, continuity and archiving cloud services while meeting increased customer demand for local data residency.

The two new identical data centers in separate locations in New South Wales will join a global network of ten data centers in five countries around the world currently serving the email security and data needs of over 13,000 customers and millions of their employees.

As in the rest of the world, email continues to be the most prevalent business communication tool in Australia, used to collaborate and share information around the world. It’s also used as a key record of business activities, subject to increasing compliance, legal and e-discovery requirements, including the Australian Privacy Principles. Meanwhile, tolerance for email downtime is almost zero, yet email is under constant attack from a wide range of adversaries.

In short, we believe a very high concentration of Australian businesses’ most valuable corporate data is held within email. Data loss, leakage or security breaches from email have been shown to have devastating effects. These new data centers will advance our mission of supporting customers in reducing the risk, cost and complexity surrounding email, and give employees a better experience too.

Cloud services are growing in popularity with Australian businesses, and Microsoft Office 365 is becoming a popular primary email service. We intend to take advantage of this trend with our suite of complementary cloud services for Office 365. Mimecast helps its customers put in place cloud-on-cloud protection that complements the security and archiving capabilities they have under Office 365, while mitigating the single-vendor exposure they would otherwise face in the event of service downtime.

If you’d like to learn more about our plans in Australia, why not come and visit us at AusCERT 1st-5th June. Mimecast is exhibiting at booth S36 and I’ll be presenting ‘Email: The New Frontier in the Defence of Corporate Data’ on Thursday, 4th June 15.25-16.05.