There's a new threat in cybersecurity and it's aimed at the business world's biggest targets. The FBI estimates that Business Email Compromise (BEC) – CEO fraud or "whaling" – increased more than 270%.

The FT reports total potential global losses increased by $800 million in just six months. Also, Mimecast research found that 55% of companies experienced increased whaling attempts. Companies ranging from Ubiquiti Network to Snapchat have publicly admitted losing millions to these scams. What psychological and cultural factors make employees vulnerable to whaling and what can you do to prevent them?


How Do Criminals Conduct Their Research?

During whaling scams, a finance employee receives an email spoofed to look like it's coming from the CEO or CFO. The email requests a wire transfer and provides instructions for how to send it – usually confidentially or on short notice. An executive receives a request for information from a colleague that plays to their expertise. The requests look routine and convincing.

Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn. Publicly traded companies sometimes even include bank names in their annual filings. Hackers' ability to put together a complete picture of the executive – including mining published articles and social updates for clues about communications styles – results in a very convincing portrayal.
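The spoofed-CEO wire request described above has a recognisable shape on the receiving side: an executive's display name on a message whose sender or Reply-To domain is not the company's, paired with payment, urgency and secrecy language. The scorer below is an added example (not Mimecast code, nor its Impersonation Protect logic); the company domain, executive list and sample message are constructed for illustration.

```python
# Added example (not Mimecast's code): heuristic scorer for the spoofed-CEO
# wire-transfer pattern described above. Domain, executives, sample: constructed.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}  # assumption: staff directory
URGENCY = re.compile(r"\b(urgent|asap|today|immediately|confidential|between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|account details|funds)\b", re.I)

def lookalike(domain: str) -> bool:
    """True for a domain differing from the company domain in exactly one character."""
    d = domain.lower()
    if d == COMPANY_DOMAIN or len(d) != len(COMPANY_DOMAIN):
        return False
    return sum(a != b for a, b in zip(d, COMPANY_DOMAIN)) == 1

def score_message(raw: str) -> dict:
    """Whaling indicators in a raw RFC 5322 message; more reasons means more risk."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply.rsplit("@", 1)[-1].lower() if reply else from_domain
    text = msg.get("Subject", "") + "\n" + ("" if msg.is_multipart() else msg.get_payload())
    reasons = []
    role = EXECUTIVES.get(name.strip().lower())
    if role and from_domain != COMPANY_DOMAIN:       # exec name, external sender
        reasons.append(f"display name matches {role} but sender domain is {from_domain}")
    if reply_domain != from_domain:                  # replies rerouted to the attacker
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain")
    if lookalike(from_domain) or lookalike(reply_domain):
        reasons.append("lookalike of the company domain")
    if PAYMENT.search(text):
        reasons.append("payment or wire-transfer language")
    if URGENCY.search(text):
        reasons.append("urgency or secrecy language")
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample of the spoofed-CEO wire request described above.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@mail-example.net>
To: accounts@example.com
Subject: Urgent wire transfer

I'm in a meeting and can't take calls. Please send the payment today
and keep this between us until I'm back.
"""
```

A message that trips several of these checks at once is a candidate for the out-of-band verification (a phone call to the executive on a known number) that the pressure tactics described below are designed to discourage.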

The Employee-Side Psychology

Confusion and pressure: Confusion and pressure make employees more vulnerable to whaling scams. Requests from senior executives that demand confidentiality and set short deadlines leave no room for follow-up. Sustained pressure – such as multiple emails and phone calls in a short time – amps up an employee's stress during the event.

Hierarchy and unwillingness to question authority: A cultural emphasis on efficiency and hierarchy leaves employees feeling like they'll get in trouble for verifying requests. Mid-level employees are often unwilling to challenge a request from the C-suite, especially when the request has been carefully targeted to look authentic.

The optimism bias: Harvard researcher Daniel Kahneman outlined a phenomenon called the optimism bias. People believe – despite knowing the risk – that they're less likely to be victims of a crime. Optimism leads you to believe the world is more benign than it really is, so when something looks fishy you chalk it up to non-harmful causes instead of asking questions.

Self-importance and ego: Whaling attacks geared at getting an executive to reveal information may play on ego and self-importance. From the desire to help to pride in your expertise, flattery and genuine-sounding appeals for help play into your emotional vulnerabilities.

The Impact of Whaling Scams

Cybersecurity breaches don't just endanger your data. Beyond the financial impact, internal and external trust is eroded when your company falls for a whaling scam. There's the loss of money and brand damage in the eyes of the public. An executive's reputation can be harmed. Employees who fall for whaling scams can find themselves out of a job; if not, their reputation is damaged, their judgment is questioned and there are always lingering concerns.

One executive who fell victim to a whaling scam noted in an interview with the BBC, "It's like when your house or apartment gets broken into. You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."

Understanding the psychological factors that contribute to whaling scams can improve your efforts to combat them, from employee training to internal testing. The right tools can also help. Learn more about Mimecast's new Impersonation Protect service and how it can protect employees and financial assets from this type of fraud.


You think you’re prepared to deal with cybersecurity threats. But, what if your organization became the target of a whaling attack, spear-phishing or weaponized attachment? These are just a few methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?

To ensure you really are confident to cope with email-based attacks, you need to get in touch with your true IT security self. This can help you find out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of your IT budget to cybersecurity.

Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:

  • The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
  • The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.  
  • The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
  • The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
  • The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.

Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.


Mimecast Welcomes Email Privacy Act

by Peter Bauer - CEO and co-founder

Mimecast welcomes a new bill designed to protect emails and other electronic communications.   

Can you remember the world in 1986? Aliens, Top Gun and Labyrinth were on at the movies and brick phones weighed the same as a bag of sugar.

The Electronic Communications Privacy Act was also enacted by the United States Congress. This ancient legislation allows law enforcement to search through emails, instant messages and photos stored in the cloud once they are 180 days old.

Back then, emails stored on a third party server for six months were considered by the law to be abandoned. This allows law enforcement agencies to obtain the data with just a written statement certifying that the information is relevant to an investigation, without judicial review.

Thirty years later, business archiving requirements, cloud technology and public opinion have moved things on considerably.

Today, we are proud that approximately 16,200 organizations and millions of their employees from around the world have entrusted their email and data to Mimecast. We process more than 180 million emails per day and our customers look to us to protect them from cybercriminals, outage and unwarranted government snooping.

The new Email Privacy Act (H.R. 699), passed unanimously by the U.S. House of Representatives, will require the government to get a warrant from a judge before obtaining private communications and documents stored online.

Email has gone from being just a communication platform to probably the greatest single repository of corporate knowledge any organization holds. Almost all corporate activity, discussion or ideas touch email at some point.

Due process should apply in the digital world now more than ever before.

Our customers use Mimecast to improve the security, reliability and archiving capabilities of their own email servers or primary cloud email service. We take our responsibility to protect their email and the petabytes of business information this includes very seriously.

Public opinion favours fair and reasonable limits on law enforcement and government access in this area, in order to protect the individual's right to privacy.

This is a clarion call for governments around the world to continue to modernise law-making in the wake of the unstoppable rise of cloud computing services. Laws written in the analogue and desktop computing age need rethinking for the cloud era.

Email is the bedrock of modern day communication and deserves up-to-date protection enshrined in legislation. This bill is a step in the right direction to further protect citizens’ private historical data held in the cloud from unreasonable intrusion.


Trust Matters at Mimecast

by Elizabeth Ruhl - Director, Governance, Risk and Compliance at Mimecast

Mimecast recently announced it has completed two important security tests: the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment and Service Organization Control 2 Type 1 (SOC 2 Type 1) Independent Service Audit. Both third-party reports affirm the security, availability and integrity of Mimecast’s operations and applications, and reflect Mimecast’s commitment to making email safer for business.

Trust is the foundation of our business, and security, privacy and data protection are built into everything we do. This is why we regularly update and maintain certifications and audit reports, which allow us to be transparent to our customers and partners.

Transparency in reporting.
The SOC Reporting Framework allows companies to communicate how their products and services achieve the ‘Trust Principles of Confidentiality, Availability, Integrity, Privacy or Security.’ This is a meaningful way for companies to describe their internal controls to their customers, potential customers and partners through an internationally accepted independent audit. Mimecast understands the importance of these trust principles to our customers, partners, shareholders and investors. These reports are intended to meet the needs of a broad range of users that must understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. This expands our ability to demonstrate trust, transparency and meaningful controls beyond our Information Security Management System (ISMS), already certified through ISO 27001 (information security management system) and ISO 27018 (controls for the protection of personally identifiable information in the public cloud) to the service environment provided by Mimecast to our customers.

Protecting confidential customer healthcare data.
The HIPAA Privacy, Security and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule 2 in 2013, set forth how certain entities, including most healthcare providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health (HITECH) Act directly regulates Business Associates (BAs) and directly imposes the same privacy and security obligations required for Covered Entities (CEs). Mimecast is a Business Associate for several customers, and we sign Business Associate Agreements (BAAs) with those customers. This means the company has legal, regulatory and contractual obligations to protect Mimecast customer information, including electronic Protected Healthcare Information (ePHI). Mimecast's HIPAA/HITECH Security Compliance Assessment Report is available on request to prospects that sign the appropriate NDA and to existing customers under service agreement confidentiality.

Interested in learning more? Contact us for additional information about our certifications and audit reports.