Do You Know the Five Phases of a Whaling Assault?

by David Hood - Director, Technology Marketing, Mimecast

It’s no secret that social engineering attacks, like phishing, spear-phishing and domain spoofing have grown from being a nuisance to a colossal problem. But, perhaps the most colossal problem of the moment is Business Email Compromise, otherwise called CEO fraud or whaling.

Whaling attacks can cost companies millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, whaling attacks led to more than $2.3 billion in losses over the last three years. Cybercriminals are able to pull off these deceptive scams by posing as a CEO, or other executive, sending an email asking the unsuspecting target to initiate a wire transfer or send payroll and other sensitive data.

It’s time to protect your organization from whaling attacks. This means you must get to know the ‘5 Phases of a Whaling Assault’ so you can both educate your employees and increase your technology defenses. They are:

  1. In the Crosshairs: In the first stage of an assault, fraudsters use social media networks to gather intel on their target.
  2. The Domain Game: Next, armed with just enough detail, they register a domain similar to the actual domain for the target company.
  3. Gone Phishing: An employee receives the phishing email, but doesn’t notice the subtle warning signs that it’s fraudulent.
  4. Victim’s Assistance: The target follows the call-to-action in what appears to be an authentic email from someone familiar.
  5. On the Money: But, it’s not authentic. The attacker now moves the funds from the fraudulent bank account or has sensitive employee information like W-2 forms and social security numbers that are used in a larger scam.
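
As an added defender's example (not Mimecast code or the article's own material), the following Python check targets the "Domain Game" and "Gone Phishing" phases above: it flags an inbound From: header whose domain is a homoglyph or typo look-alike of the protected domain, reuses the brand under a foreign domain, or carries an executive's display name with a non-corporate address. The protected domain, the executive directory and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed configuration: the organization's real domain and a directory
# excerpt of executives whose names are worth impersonating.
PROTECTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Characters and digraphs commonly swapped in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]

def skeleton(domain):
    """Collapse confusable characters: 'exarnp1e.com' -> 'example.com'."""
    s = domain.lower().translate(HOMOGLYPHS)
    for pair, replacement in DIGRAPHS:
        s = s.replace(pair, replacement)
    return s

def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as 'exampel.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return the reasons a From: header looks like executive impersonation."""
    display, addr = parseaddr(from_header)
    display, addr = display.strip().lower(), addr.lower()
    if "@" not in addr:
        return ["unparseable From header"]
    domain = addr.rpartition("@")[2]
    if domain in PROTECTED_DOMAINS:
        return []  # genuine domain; exact-domain spoofing is left to SPF/DKIM/DMARC
    reasons = []
    for real in PROTECTED_DOMAINS:
        brand = real.split(".")[0]
        if skeleton(domain) == real:
            reasons.append(f"homoglyph look-alike of {real}")
        elif levenshtein(domain, real) <= 2:
            reasons.append(f"near-miss spelling of {real}")
        elif brand in domain.split(".")[0]:
            reasons.append(f"contains brand '{brand}' under foreign domain")
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        reasons.append(f"display name matches executive but address is {addr}")
    return reasons
```

A gateway would run this alongside SPF/DKIM/DMARC alignment, since a look-alike domain can pass all three on its own behalf.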

Are you ready to take action against whaling? Download: “Whaling: Anatomy of an Attack” to learn more, including why whaling works, examples of recent high-profile attacks, and ways to defend against whaling fraudsters.


Another Tax Year. A New Email Scam to Watch out For

by Steven Malone - Director of Security Product Management

This time, the threat is not from an African prince but your own CEO or CFO.  

The 2016 tax season has been marked again with the expected number of spammy cyberattacks – the bad guys taking advantage of the time of year to target taxpayers by pretending to be the U.S. Internal Revenue Service (IRS). In fact, the IRS reported seeing a 400 percent “…surge in phishing and malware incidents so far this tax season.” And in the UK, the same is true with warnings out about the number of spam emails claiming to be from Her Majesty’s Revenue and Customs (HMRC).


But this year things have taken a dangerous turn - we have seen a new attack being widely used that specifically targets employees within companies called CEO fraud or whaling. In response to this specific threat, the IRS has given clear warnings to HR and payroll professionals to watch out for this threat. In the UK, Action Fraud has issued a similar warning and has also seen a marked increase in reports of CEO fraud – 1000 between July 2015 and January 2016.

Mimecast’s research reflects this trend – 67% of companies we surveyed said they had seen an increase from January to March this year of whaling emails after money, and 43% saw an increase in those seeking data.

And the very bad news is this attack is working. A large number of organizations have already reported that they have been the victim of attacks that have resulted in confidential information that can be used for serious identity theft being leaked to criminals unwittingly by employees. Not to mention financial losses from fraudulent wire transfers.

Now, as other countries enter their tax season, organizations of all sizes (and their employees) can expect to also be the target for cybercriminals intent on stealing data. Employees who have access to confidential information on customers, the company or employees should be particularly vigilant.

These whaling attacks target named individuals and use email to manipulate employees into sending over confidential information like tax records or personal information. Often they specifically target HR or finance professionals. The attacker pretends to be the CFO, HR director or even the CEO and uses a fake email address to make their approach look authentic, often engaging in a number of email exchanges to build up trust before making their request.

So if you run an HR or finance team (or look after their email), now is the time to be extra careful. Ensure employees understand the threat from whaling and remind them of the importance of checking directly with their bosses (and not over email, as this may have been compromised) that the information (or money) they are being asked to share really is the result of a legitimate request from them.

Now technology can help too. Mimecast just announced the first technology service to tackle this threat. Our new service called Impersonation Protect is designed to stop these attacks – we scan all incoming email and warn employees and the IT team if it looks like it is a potential whaling attack. 

So this tax season, don’t become the victim of a well-architected whaling attack. Up your guard and defenses. But remember the attackers won’t limit themselves to going after your data just once a year. Make the changes now to your processes, employee security awareness and technology to protect yourself all year round.


Avoid getting caught in a spear-phishing net

by Giulio Magni - Director, Sales Enablement

You may be thinking your firewall, desktop antivirus and anti-spam gateway are protecting you, but is your organization really safe from hackers, crackers and cyber-criminals? 

There is always one huge gap in your security strategy you’re overlooking – your users! Cyber-criminals know that the weakest link in any organisation is the human; the person at the other end of the screen who is fallible and susceptible to their sophisticated and wily ways.

Cyber-criminals and hackers are making use of sophisticated social engineering techniques in email and instant messages to trick your staff. They research their targets with meticulous accuracy, picking key individuals and apparent soft touches in your business and sending those people cleverly convincing emails, otherwise known as spear-phishing. The hackers have used your personal information, social media presence and publicly available information to target you.

Usually, spear-phishing emails will goad you into clicking a compromised link that leads to a malicious website, or trick you into divulging some login credentials. From there, the hackers gain access to your or your organization’s sensitive information. Incidents of spear-phishing are on the rise across the world, including South Africa, as it becomes the tool of choice for cyber-criminals looking to break into businesses.

If you’re not careful, you might fall prey to these types of spear-phishing hackers. There’s the Crafty Colleague, who uses a disguised email address or domain to appear as one of your co-workers. Then the Dubious Banker, who kindly asks to see that your bank account details comply with regulations such as FICA, RICA and POPI.

We also can’t forget the Tricky Taxman, who acts like they are from the government and informs you of a tax-back pay-out and asks for your banking details or to open a malicious attachment. The Social Media Stalkers constantly monitor your social media accounts to learn what you personally like and use that against you in the form of a fake subscription to a hobby-related or lifestyle magazine, a voucher for a discount on something they know you’ll want or even an opportunity to trial something for free – all in the name of gaining your personal information, credit card details or access to your system. Lastly, there are the Mafia Mailers, who will exploit your fear of a cyberattack by pretending to be protected payment services that need you to update your password or financial details.

In South Africa and throughout the globe, every day people fall for attacks from each of the crafty spear-phishing hackers mentioned above, due mostly to a lack of basic security awareness. Most organizations take a reactive approach to security, only plugging gaps after details of some new exploit have hit the news or, worse yet, their own network gets “popped”. National awareness programmes don’t exist, which means users simply don’t know or engage in basic security practices. As a result, at Mimecast we feel that education is hugely important and the first step on the long journey to increase our users’ security awareness.

What needs to happen for businesses to stand a chance against cybercriminals? Locally, companies need to automate their security measures where possible and make security simple for the average user by taking the complexity out of their hands and putting it in the background, as well as making sure that users are made aware of the risks associated with things like links in emails.

It takes only one click on a malicious email link for a company’s entire network to be compromised and their intellectual property to end up publicly available on the Internet. Therefore, users need to be empowered to make safe choices. By bringing together education, automation and technology, companies can rest assured they’re safe behind the best technological protection available as well as an effective human security system we call the ‘human firewall’. The human firewall is the pinnacle of enterprise security, and one we should all aim for.

To help protect your business from falling victim to cyber-attacks, attend the Mimecast Human Firewall Event on 10 September in Johannesburg. If you can’t make it to the event, be sure to check out this on-demand human firewall webinar.


In tennis, you never want to commit an unforced error. These are the worst kind of point-costing blunders a player can commit – the completely avoidable, self-inflicted ones that have nothing to do with the skill of the opponent or the excellence of their shot.

Losing to an exceptional opponent is not (really) something a tennis player can control, but losing because of an untimely, unforced error, or a series of them, is a different story.

If you've ever worked in information security, you can probably see the parallel.

Every day, you fight talented opponents of your own – sophisticated cyber-criminals who constantly evolve their methods to exploit any and all vulnerabilities you may have. And every day, you and your peers are losing battles to these criminals, who can exploit both your unforced errors – self-inflicted failures of your cybersecurity technology – and create clever schemes that trick your users.

These attackers have a strong track record – more than half of U.S. small businesses now say they have been victims of a cyber attack, according to the National Small Business Association (NSBA). And an overwhelming majority of these attacks – 91 percent – begin with email-based phishing and elaborate, highly targeted spear-phishing schemes.

These attacks are so effective because of the simple fact that an IT department can't completely control all of its users, all the time – they're too unpredictable, and it only takes a mistake by one user for a breach to be successful. However, what an IT department can control is the technology it uses to protect its email systems from spear-phishing attacks. Failure to do so is an unforced error that could cost you.

You certainly wouldn't be alone. Secure Mentem President Ira Winkler, speaking at RSA Conference 2015 in San Francisco, said that even though users get the blame following a successful spear-phishing attack, it's usually a failure of technology that allows the socially engineered email bait to arrive in their inboxes in the first place.

Technology should be your first – and second, third and beyond – line of defense. If a malicious email is neutralized by your spear-phishing defenses long before it even reaches your employees' inboxes, they won't even have a chance to facilitate the attack unknowingly – users can't click on links or download attachments that they never see.

That's where Target Threat Protection (TTP) comes into play. With this technology in place, CIOs, CISOs and IT department heads gain the peace of mind that their users are protected against targeted spear-phishing attacks. Even if – or perhaps, when – a user clicks on the wrong link or downloads the wrong attachment, IT departments will know they have a fail-safe in place to end the attack before it spreads.

As Winkler said during his RSA session, "there is no such thing as a perfect countermeasure," and he's right. But TTP will reassure you that you have the technology you need to create a first line of defense.

To learn more, please see our new whitepaper, "The Spear-Phishing Attack Timeline" which walks through the stages before, during and after a spear-phishing attack and provides a minute-by-minute look at how these attacks can be prevented.