Steven Malone

June 29, 2016

The FBI has issued a stark warning about a rapidly-growing and downright brazen new email attack technique: simply asking employees for your critical data. Mimecast is urging organizations to think broadly about expanding new email security training to all employees.

Business Email Compromise (BEC), also known as whaling or CEO fraud, traditionally involves tricking members of the finance team into making payments to cybercriminals. But, while these attacks are still taking scalps, hackers are already evolving their tactics to target other members of your organization. Finance teams are now getting wiser, but many different departments within organizations have access to valuable data. HR, R&D, sales – anyone is potentially a target.

This new Public Service Announcement (PSA) highlighted that there has been a 1,300% increase in these email attacks since January 2015. Since October 2013 hackers have attempted to send $3.1 billion (£2.2 billion) in 22,000 separate cases. The majority of cases have involved attempted wire-transfers to banks in China and Hong Kong. It’s worth noting that not all attempts were successful, but the FBI said about one in four of the US victims did send money.

The PSA detailed the new scenario (Data Theft) involving ‘the receipt of fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). This scenario does not always involve the request for a wire transfer; however, the business executive’s email is compromised, either spoofed or hacked’.

The data-focussed attacks also create a great deal of uncertainty around any potential cyber insurance coverage. Mimecast research recently found that just 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions. Putting a value on lost IP or data can be almost impossible.

Mimecast launched a new service in April designed to help stop these social-engineering attacks. The service, named Impersonation Protect and part of Mimecast Targeted Threat Protection, is explained in the previous post. However, although technology can play an important role, it must be coupled with user awareness and robust processes.

To that end Mimecast email security experts have created the following guidelines to help you start planning today:

  • Conduct a review of which employees have access to valuable IP and data across the organization
  • Educate senior management, key staff and employees on this specific type of attack – make sure they know how it works and are extra vigilant
  • Review data protection procedures and consider revising how data transfers to external third parties are authorized
  • Update data loss prevention (DLP) keywords to identify and halt unwarranted data transfers
  • Consider inbound email stationery that marks and alerts employees to emails that have originated outside of the corporate network
  • Subscribe to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain
  • Look into solutions specifically designed to extend email security to guard against targeted threats in email, including whaling attacks

We’ll continue to monitor how these threats evolve but would also love to hear from you if you spot a new attack in the wild. Get in touch with your local Mimecast representatives if you would like to learn more about how to protect your organization from these email security threats.

Cyber insurance uptake is growing quickly, but a lack of employee training on the latest email attacks is leaving organizations at great risk of breaking policy terms. These new social-engineering and impersonation attacks could leave firms of all sizes at risk of taking the full financial brunt of crime.

Waves of high-profile breaches and new breach notification legislation are setting the scene for a huge growth in cyber insurance take-up. But while insurers often pay for clean-up fees after a breach, it is important that organizations check that their policies protect them if an employee is tricked into sending a large amount of money to a fraudulent account.

Whaling (CEO fraud) attacks have been growing rapidly in volume and in scale. Mimecast revealed in April that 67% of firms have seen an increase. Then only last month, Austrian aerospace manufacturer FACC sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack.

Attacks where employees are tricked into sending personal data or intellectual property are even less likely to be fully covered. For example, how would an insurer decide compensation if a set of W-2 tax forms were stolen compared to the secret plans for a new and theoretical product? What about hacks that compromise the integrity of data rather than stealing it? Can insurance ever really fully provide coverage for these data-specific use cases? 

One other concern for insurers is that it can be difficult to separate real crime from potential insurance fraud.

As part of Mimecast’s research into cyber insurance policies, Mimecast questioned 436 IT experts at organizations in the US, UK, South Africa and Australia. The research revealed that:

  • 45% of firms with cyber insurance are unsure if their policy is up-to-date for covering new cyber social engineering attacks, and only 10% believe it is completely up-to-date
  • 43% of firms with cyber insurance are confident that their policies would pay out for whaling financial transactions
  • 64% of firms don’t have any cyber insurance at all

One example of this growing risk is the legal proceeding between Texas-based AFGlobal Corp and Federal Insurance Co., a division of insurance giant Chubb Group. AFGlobal maintains that the policy it held provided coverage for both computer fraud and funds transfer fraud, but the insurer denied a claim when scammers impersonating AFGlobal’s CEO convinced the company’s accountant to wire $480,000 to a bank in China.

The rise of whaling has created an attack climate where many insured organizations may not be protected from fraudulent transactions, because these attacks fall outside the scope of coverage envisaged when their policies were originally signed.

Mimecast research also found that:

  • 58% of organizations have seen an increase in untargeted phishing emails
  • 65% have seen targeted phishing attacks grow
  • 50% said they have seen social engineering attacks that utilize malicious macros in attachments increase

A survey of risk managers by The Hartford Steam Boiler Inspection and Insurance Co. (HSB) highlighted the primary reasons for not buying coverage. Perceived complexity (44 percent), lack of a sufficient threat (34 percent) and cost (22 percent) were cited.

With the cybersecurity landscape constantly evolving, cyber insurers will have great difficulty keeping their coverage up-to-date. CEO fraud is a prime example of how quickly an attack can grow and morph. Tomorrow’s threats will almost always come as a surprise.

Mimecast is recommending that all organisations review their cyber insurance policies regularly. A comprehensive cyber resilience strategy is only effective alongside regular employee training on the latest threats combined with appropriate technology fail-safes.


*Mimecast will be exhibiting at Infosecurity Europe, 7-9 June, at stand #G100. Mimecast security experts will discuss the top email attack strategies being used against millions of organizations around the world today. 


Infosecurity 2016: A New Frontier of Threats and Countermeasures

by Steven Malone - Director of Security Product Management

This will be the second Infosecurity Europe since its return to Olympia last year. We've been regular exhibitors at the premier European security show for years and been part of an era of fundamental changes in the security industry. Let’s take a look at some key things to watch at this year’s Infosec 2016. I’ll cover patterns in the program, speakers to watch for and some highlights of what to look for in the Mimecast booth!

Patterns in the Program

A quick glance at the speaker programme shows that this year, a pattern is already emerging - a widening of the description of a cybercriminal. What once was just the traditional hacker in a darkened basement has changed to a completely different variant, urging all those who control the security of their companies to think ahead of the next hack.  Attacks can now come from governments (think Stuxnet), from bored teens (Talk Talk) or from anyone with a credit card and the motivation to rent a botnet.  Cybercrime is big business and the continuing upward spikes in ransomware (complete with support helpdesks to assist with payments) highlights how criminals are adopting legitimate business practices to increase their effectiveness.

Jessica Barker

Speakers to Watch

Speaker slots I'm personally looking forward to include 'Profiling the Connected Cybercriminal' by Mikko Hypponen from F-Secure, who has recently published some interesting posts on the Infosecurity Europe blog, and 'How to Hack a Human; Anatomy of a Social Engineering Attack' by Dr Jessica Barker.


Mikko Hypponen

Highlights & Prizes

I'll also be at our ‘Making Email Safer for Business’ stand (#G100) talking about the growing threat of spear-phishing and email impersonation attacks. On our stand, everyone can walk away with RFID protection cards and ‘Snap out of it’ swirly glasses. We’ll also have regular stand presentations from Microsoft Exchange and Office 365 MVP J. Peter Bruzzese – where he’ll be exploring the risk factors you’ll need to consider when moving to Office 365. Plus, we’ll be running through demonstrations of our services on the stand - to book a demonstration with one of our technical team, you can request one here.

Also, you can enter your details into our draw to have a chance to win a pair of Ray-Bans (T&Cs here) and if you publish selfies with our #AddMimecast frame you can be in with a chance to win an iPad Air 2.

Or if you fancy a more informal setting, we’ll be serving drinks at our stand between 4:00-5:30pm on Tuesday, the 7th of June. In addition, on Wednesday the 8th of June between 5:00-7:00pm we’ll be hosting a CIO & IT Professionals drinks reception in the Millennium Gloucester Hotel, London – registration is available on this microsite.

I for one can’t wait to see all of my peers, colleagues, partners and customers this year – it looks set to be a pivotal event for the Infosecurity world again - see you next week!


Another Tax Year. A New Email Scam to Watch out For

by Steven Malone - Director of Security Product Management

This time, the threat is not from an African prince but your own CEO or CFO.  

The 2016 tax season has been marked again with the expected number of spammy cyberattacks – the bad guys taking advantage of the time of year to target taxpayers by pretending to be the U.S. Internal Revenue Service (IRS). In fact, the IRS reported seeing a 400 percent “…surge in phishing and malware incidents so far this tax season.” And in the UK, the same is true with warnings out about the number of spam emails claiming to be from Her Majesty’s Revenue and Customs (HMRC).

The 2016 tax season has been marked again with the new email cyberattacks

But this year things have taken a dangerous turn - we have seen a new attack, called CEO fraud or whaling, being widely used that specifically targets employees within companies. In response to this specific threat, the IRS has given clear warnings to HR and payroll professionals to watch out for it. In the UK, Action Fraud has issued a similar warning and has also seen a marked increase in reports of CEO fraud – 1000 between July 2015 and January 2016.

Mimecast’s research reflects this trend – 67% of companies we surveyed said they had seen an increase from January to March this year of whaling emails after money, and 43% saw an increase in those seeking data.

And the very bad news is this attack is working. A large number of organizations have already reported that they have been the victim of attacks that have resulted in confidential information that can be used for serious identity theft being leaked to criminals unwittingly by employees. Not to mention financial losses from fraudulent wire transfers.

Now, as other countries enter their tax season, organizations of all sizes (and their employees) can expect to also be the target for cybercriminals intent on stealing data. Employees who have access to confidential information on customers, the company or employees should be particularly vigilant.

These whaling attacks target named individuals and use email to manipulate employees into sending over confidential information like tax records or personal information. Often they specifically target HR or finance professionals. The attacker pretends to be the CFO, HR director or even the CEO and uses a fake email address to make their approach look authentic. They often engage in a number of email exchanges to build up trust before making their request.

So if you run an HR or finance team (or look after their email) now is the time to be extra careful. Ensure employees understand the threat from whaling and remind them of the importance of checking directly (and not over email as this may have been compromised) with their bosses that the information (or money) they are being asked to share is really as a result of a legitimate request from them.
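The controls listed in the first post's guidelines (marking external senders, DLP keywords for data requests, alerting on look-alike domains) and the spoofed-executive pattern described above, combined into one added Python example; this is illustrative code, not Mimecast's Impersonation Protect, and the corporate domain, executive name and sample message are constructed placeholders.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders (not real data): corporate domain and the
# executive whose name a whaling email would borrow.
CORP_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
# Phrases worth adding to a DLP keyword list for data-theft BEC
DATA_REQUEST_TERMS = ("w-2", "wage and tax statement", "payroll",
                      "personally identifiable", "wire transfer")

def normalize_domain(domain):
    """Fold common look-alike substitutions (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d

def is_lookalike(domain):
    """True for a domain that resembles, but is not, the corporate domain."""
    if domain == CORP_DOMAIN:
        return False
    n = normalize_domain(domain)
    return n == CORP_DOMAIN or SequenceMatcher(None, n, CORP_DOMAIN).ratio() >= 0.85

def analyse(raw):
    """Return the whaling indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    if domain != CORP_DOMAIN:
        findings.append("external-sender")  # where an inbound banner would go
        if name.strip().lower() in EXECUTIVE_NAMES:
            findings.append("display-name-impersonation")
        if is_lookalike(domain):
            findings.append("lookalike-domain")
    if any(t in msg.get_payload().lower() for t in DATA_REQUEST_TERMS):
        findings.append("data-request-keywords")
    return findings

# Constructed sample: executive display name, digit-for-letter domain, W-2 ask
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
To: payroll@example.com
Subject: W-2 forms needed today

Hi, please send me the W-2 forms for all staff as a PDF before my 3pm call.
"""
```

Any hit on the display-name or look-alike checks is a case for the out-of-band confirmation described above, rather than a reply to the email itself.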

Now technology can help too. Mimecast just announced the first technology service to tackle this threat. Our new service called Impersonation Protect is designed to stop these attacks – we scan all incoming email and warn employees and the IT team if it looks like it is a potential whaling attack. 

So this tax season, don’t become the victim of a well architected whaling attack. Up your guard and defenses. But remember the attackers won’t limit themselves to going after your data just once a year. Make the changes now to your processes, employee security awareness and technology to protect yourself all year round.