Do You Know the Five Phases of a Whaling Assault?

by David Hood - Director, Technology Marketing, Mimecast

It’s no secret that social engineering attacks, like phishing, spear-phishing and domain spoofing have grown from being a nuisance to a colossal problem. But, perhaps the most colossal problem of the moment is Business Email Compromise, otherwise called CEO fraud or whaling.

Whaling attacks can cost companies millions in financial losses. In fact, according to the U.S. Federal Bureau of Investigation, whaling attacks led to more than $2.3 billion in losses over the last three years. Cybercriminals are able to pull off these deceptive scams by posing as a CEO, or other executive, sending an email asking the unsuspecting target to initiate a wire transfer or send payroll and other sensitive data.

It’s time to protect your organization from whaling attacks. This means you must get to know the ‘5 Phases of a Whaling Assault’ so you can both educate your employees and increase your technology defenses. They are:

  1. In the Crosshairs: In the first stage of an assault, fraudsters use social media networks to gather intel on their target.
  2. The Domain Game: Next, armed with just enough detail, they register a domain similar to the actual domain for the target company.
  3. Gone Phishing: An employee receives the phishing email, but doesn’t notice the subtle warning signs that it’s fraudulent.
  4. Victim’s Assistance: The target follows the call-to-action in what appears to be an authentic email from someone familiar.
  5. On the Money: But, it’s not authentic. The attacker now moves the funds from the fraudulent bank account or has sensitive employee information like W-2 forms and social security numbers that are used in a larger scam.

Are you ready to take action against whaling? Download: “Whaling: Anatomy of an Attack” to learn more, including why whaling works, examples of recent high-profile attacks, and ways to defend against whaling fraudsters.


Mimecast Wins Big at MES East

by Achmad Chadran - Product Marketing Manager, Marketing

MES Event                   Stop me if you’ve heard this one: my first week at Mimecast went so well that my manager sent me to Indianapolis for the state’s presidential primary.

Full disclosure: Indiana’s presidential primary happened to coincide with the 2016 Midsize Enterprise Summit (MES) East. MES East is The Channel Company’s largest-ever independent gathering of midmarket CIOs and senior executives, and a great opportunity to catch up on new market developments, services, and products.

We’re big fans of MES events (we’ll be at MES West in Austin this September), both as a vehicle to learn what IT executives are focusing on, and to share our updates with them. So while there was plenty of side chatter about the race for the White House, at no point did it distract from the urgent business matters at hand.

This year’s theme, “The Big Shift,” was well suited to the discussions Julian Martin, Mimecast’s VP of Product Marketing, led in our Boardroom Sessions. Why? Because companies are now faced with an unprecedented mix of reward and risk as they migrate to the cloud. And, we seem to have reached a critical inflection point in that migration.quote

The vast majority of execs we met are committed to their cloud transformations. We heard the same goals over and over again: to streamline operations, shift from capex to opex, and improve scale and agility. But, they tell us, it’s no cakewalk. Our Boardroom and expo booth guests shared plenty of war stories, many related to email.

Email is usually the first platform organizations move into the cloud. It’s the business application that IT departments are most comfortable relegating to a third party to maintain. Yet it’s also the ultimate Killer App, a vital conduit – and repository – for business-critical and strategic information. Whether cloud-based or on premises, email data is crucial for closing sales, negotiating, and brainstorming.

It’s no wonder that email has also emerged as the single biggest threat vector for attacks on corporate information.

This was the central message of Julian’s Boardroom Sessions: it’s just as important to deploy a layered security solution for cloud-based email as it is when your email servers are in your data center. Cybercriminals have demonstrated boundless creativity in their efforts to exploit technology and human nature to breach corporate firewalls, access sensitive data, and steal billions of dollars. Even as email attacks appear with alarming frequency in news headlines, these exploits continue to grow bolder and more numerous over time.

The good news is that our guests were completely on board with Julian’s message. Several IT execs recounted their own personal experiences of phishing, whaling, and impersonation attacks. If you were among them, we thank you for validating our observations. And, special thanks to Mimecast’s customers who were willing to share your ideas, your views on how our services have helped secure your operations, and what you’d like to see on our roadmap over the coming months.

Finally, a huge note of thanks for nominating Mimecast in the Vendor Best in Show and Best Solution categories! We were blown away by your recognition, and grateful for all of the feedback you provided. We’re excited that Donald Trump and Bernie Sanders weren’t the only winning candidates in Indiana last week.

We hope you can join us this coming Fall in Austin for MES West. Until then, if you want to stay abreast of email security happenings, please visit our Security Center and sign up to receive our Security Advisories. 


Related Content

The Rise of Cybercrime-as-a-Service

Cybersecurity and Psychology of Whaling

IT Security is a Team Sport


The answer to email cybersecurity threats isn't simple. The email threat vector is complex, and your company's on-premises and DIY security solutions aren't always enough against the determined and advanced cybercriminal.

Achieving truly proactive protection could require the adoption of predictive big data analytics at the security vendor level, using a mix of vendor and client data, open source data (OSINT), and email meta-data to try and predict the source and outcome of the next big hacking or spear-phishing attempt.

Achieving truly proactive protection could require the adoption of predictive big data analytics at the security vendor level, using a mix of vendor and client data, open source data and email meta-data.
Achieving truly proactive protection could require the adoption of predictive big data analytics at the security vendor level, using a mix of vendor and client data, open source data and email meta-data.

Email malware attacks remain high, and Verizon’s 2016 Data Breach Investigations Report revealed 30% of phishing messages were opened, up 7% on last year.  A further 13% of those who opened the message, also opened the attachment leading to malware deployment. . Educating your staff to act as a "human firewall" against threats is critical, but it's not foolproof.

Big data analytics hold the potential for organizations to identify emerging threats in real-time. With sufficient access to data, it's possible to discover patterns in attacks against organizations by location, size, industry, or any number of other firmographic factors. With the help of truly forward-looking analysis, security vendors can adjust their defense methods before cyber criminals click "send" on malicious email messages. While this may sound farfetched, the technology exists today to detect attacks a soon as they are launched. We are only a matter of milliseconds away from advancing this detection to being before the attack is launched.

Leveraging Big Data to Predict Cyber-Attacks: How It's Possible

Fortinet predicts as a future filled with malware designed to "bypass advanced security protection systems," including state-of-the-art on-premises solutions. Ultimately, the issue with DIY threat protection is something everyone learned in their first coding class: garbage in, garbage out. Your organization's security data asset aren't garbage, but they're not big enough to notice an increase in risk based on global or industry-wide patterns. Data sets must be big enough to reveal definitive, real-time conclusions about emerging threats.

Large-scale cybersecurity companies will need to step up to the plate. A combination of big data, OSINT and email metadata can be used to predict, with accuracy, patterns in email attacks by region, industry, or company. A global view will be critical to identify probability of email threats, as well as DDoS and IP-based attacks. Predictive analytics is the art of identifying emerging patterns, such as a spike in abnormal traffic patterns in a category of IP addresses, or a sudden surge in malicious traffic that's targeting mid-sized businesses in the finance industry.

Why Security and Cloud Providers Must Step Up

The idea of strength in big data for effective prediction is the basis of open threat exchanges. However, the issue here isn't with the strength or volume of information gleaned from threat exchange, it's with the ability to execute. The idea of global predictive analytics could perform best if it's led by security providers who deal in cloud services.

Vendors must join forces to get in front of the quickly-evolving email threat landscape. When the "good guys" work together to share intelligence data and provide secure services, there's a remarkably high potential for results. With a combination of provider data, customer insights, and open-source resources, collaborative multi-vendor could actually result in a strong front against criminals.

Security pros know the value of taking a proactive, not reactive, approach to protection. However, if your on-premise options aren't sufficient and your data isn't broad enough to reveal patterns, your predictive analytics may just be capturing the shadows of threat patterns. Protection in the future could shift squarely into the hands of security and cloud services vendors, who have the access and ability to act as the ultimate firewall against threats that are emerging in real-time. 


There's a new threat in cybersecurity and it's aimed at the business world's biggest targets. The FBI estimates that Business Email Compromise (BEC) – CEO fraud or "whaling" - increased more than 270%.

The FT reports total potential global losses increased by $800 million in just six months. Also, Mimecast research found that 55% of companies experienced increased whaling attempts. Companies ranging from Ubiquiti Network to Snapchat have publicly admitted losing millions to these scams. What psychological and cultural factors make employees vulnerable to whaling and what can you do to prevent them?

Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn.
Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn.

How Do Criminals Conduct Their Research?

During whaling scams, a finance employee receives an email spoofed to look like it's coming from the CEO or CFO. The email requests a wire transfer and provides instructions for how to send it – usually confidentially or on short notice. An executive receives a request for information from a colleague that plays to their expertise. The requests look routine and convincing.

Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn. Publicly traded companies sometimes even include bank names in their annual filings. Hackers' ability to put together a complete picture of the executive – including mining published articles and social updates for clues about communications styles – results in a very convincing portrayal.

The Employee-Side Psychology

Confusion and pressure: Confusion and pressure make employees more vulnerable to whaling scams. Requests from senior executives with confidentiality requests and short timelines don't leave room for follow-up. Considerable pressure – such as multiple emails and phone calls in a short time – amp up an employee's stress during the event.

Hierarchy and unwillingness to question authority: A cultural emphasis on efficiency and hierarchy leaves employees feeling like they'll get in trouble for verifying requests. Mid-level employees are often unwilling to challenge a request from the C-suite, especially when the request has been carefully targeted to look authentic.

The optimism bias: Harvard researcher Daniel Kahneman outlined a phenomenon called the optimism bias. People believe – despite knowing the risk – that they're less likely to be victims of a crime. Optimism leads you to believe the world is more benign than it really is, so when something looks fishy you chalk it up to non-harmful causes instead of asking questions.

Self-importance and ego: Whaling attacks geared at getting an executive to reveal information may play on ego and self-importance. From the desire to help to take pride in your expertise, flattery and genuine-sounding appeals for help play into your emotional vulnerabilities.

The Impact of Whaling Scams

Cybersecurity breaches don't just endanger your data. Beyond the financial impact, internal and external trust is eroded when your company falls for a whaling scam. There's the loss of money and brand damage to the public. An executive's reputation can be harmed. Employees who fall for whaling scams can find themselves out of a job; if not, their reputation's damaged, their judgment is questioned and there's always lingering concerns.

One executive who fell victim to a whaling scam noted in an interview with the BBC, "It's like when your house or apartment gets broken into. You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."

Understanding the psychological factors that contribute to whaling scams can improve your efforts to combat them, from employee training to internal testing. The right tools can also help. Learn more about Mimecast's new Impersonation Protect service and how it can protect employees and financial assets from this type of fraud.