Today, Technology Can Help Stop Whaling Email Attacks

by Steven Malone - Director of Security Product Management

Today we launched the world’s first service designed specifically to stop whaling (CEO fraud) attacks.

Since previewing it at the RSA Conference in March, we’ve had a lot of interest in Impersonation Protect. And, as part of our commitment to continuous email security updates, Mimecast would like to announce that all Targeted Threat Protection customers will get the new service for free.

Whaling attacks are designed to trick key users, often in the finance team, into making fraudulent wire transfers or other financial transactions to cybercriminals by pretending to be the CEO or CFO in a fake email conversation. Some also target those responsible for sensitive employee data, such as payroll information, which could be used for identity theft or to claim fraudulent tax refunds.

These malware-less attacks have been growing around the world as cybercriminals change their attacks to try and circumvent traditional email security techniques such as anti-virus, real-time URL checking and attachment sandboxing.

Growth in whaling (CEO fraud) attacks

  • According to the FBI, whaling email scams alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015.
  • A recent report from the UK City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that from July 2015 until January 2016 there was a marked increase in CEO-fraud with a total of 994 reports being made to Action Fraud.
  • According to Mimecast’s own research, since January 2016 67% of firms have seen an increase in attacks designed to extort fraudulent payments and 43% saw an increase in attacks specifically asking for confidential data like HR records or tax information.

Just in the last few months, a large number of organizations have confirmed their employees have been the victims of these attacks, many losing millions of dollars or highly sensitive data to cybercriminals.

Even the smartest employee can fall victim to these malware-less attacks. Employee education and rigorous business processes do play an important role but at Mimecast we believe smarter technology can play a larger role in identifying social-engineering attacks.

Advanced pattern recognition

The content of these messages isn’t spammy. Whaling emails are carefully socially engineered, designed to read like a real email and highly targeted to each recipient. With no spammy content and no attachment or link to click, it’s highly likely that other security defenses will not detect these emails as dangerous.

Mimecast can already detect traditional spoofing using frameworks like Sender Policy Framework (SPF). Other custom Mimecast policies can check for both envelope and header spoofing. To add further dedicated protection from increasingly common “domain similarity” attacks, Impersonation Protect detects domains that look similar to a customer’s genuine domains and uses that as one of its threat indicators.

How it works

Impersonation Protect identifies combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment.

  • As email passes through the Mimecast Secure Email Gateway, Impersonation Protect examines several key components of the message.
  • Impersonation Protect examines typical IOAs in the email, such as the email’s display name, domain name, domain age and the body of the message to determine if the email could be a social engineering attack, like whaling or CEO-fraud.
  • If the email fails a combination of these tests, administrators can configure Impersonation Protect to bounce the message.
  • Alternatively, the message can be quarantined, or end users can be notified that the email is suspicious.
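To make the indicator logic above concrete (the SPF/envelope-versus-header point and the IOA list), here is an added illustration that is not Mimecast’s code: it scores a constructed message on the same kinds of indicators, a known executive’s display name on an external domain, a lookalike sender domain, an envelope sender that differs from the header From, a recently registered domain, and payment or urgency language in the body. `ORG_DOMAIN`, `EXECUTIVES`, the `DOMAIN_AGE_DAYS` table (standing in for a WHOIS lookup) and the sample message are all assumptions.

```python
# Toy whaling-indicator scorer (added example, not Mimecast's implementation).
# Every constant below is constructed for the demo; DOMAIN_AGE_DAYS stands in
# for a real domain-age (WHOIS) lookup that a gateway would perform.
import re
from difflib import SequenceMatcher

ORG_DOMAIN = "example.com"                    # assumed genuine domain
EXECUTIVES = {"jane doe", "john roe"}         # assumed executive names, lower-case
DOMAIN_AGE_DAYS = {"example.com": 3650, "examp1e.com": 12}   # constructed ages
URGENT_WORDS = re.compile(r"\b(wire transfer|urgent|payment|confidential)\b", re.I)

def parse_from(header):
    """Split 'Name <user@domain>' into (display name, domain), lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<?([^<>@\s]+@([^<>\s]+))>?\s*$', header)
    if not m:
        return "", ""
    return m.group(1).strip().lower(), m.group(3).lower()

def lookalike(domain, genuine=ORG_DOMAIN):
    """True when the domain closely resembles, but is not, the genuine one."""
    return domain != genuine and SequenceMatcher(None, domain, genuine).ratio() >= 0.8

def score(msg):
    """Return (number of indicators hit, reasons) for a dict of headers and body."""
    name, hdr_domain = parse_from(msg.get("From", ""))
    _, env_domain = parse_from(msg.get("Return-Path", ""))   # envelope sender
    reasons = []
    if name in EXECUTIVES and hdr_domain != ORG_DOMAIN:
        reasons.append("executive display name on an external domain")
    if lookalike(hdr_domain):
        reasons.append("sender domain resembles %s" % ORG_DOMAIN)
    if env_domain and env_domain != hdr_domain:
        reasons.append("envelope sender domain differs from header From")
    if DOMAIN_AGE_DAYS.get(hdr_domain, 0) < 30:
        reasons.append("sender domain newly registered or unknown")
    if URGENT_WORDS.search(msg.get("Body", "")):
        reasons.append("payment or urgency language in body")
    return len(reasons), reasons

SAMPLE = {  # constructed message that trips every indicator
    "From": "Jane Doe <jane.doe@examp1e.com>",
    "Return-Path": "<bounce@mailer-x.net>",
    "Body": "Are you at your desk? I need an urgent wire transfer today.",
}

if __name__ == "__main__":
    print(score(SAMPLE))
```

A gateway would act on the combination (bounce, quarantine or warn) rather than on any single indicator, since legitimate mail can trip one of them on its own.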

We recently explained in a little more detail how Impersonation Protect works by applying advanced pattern recognition to these malware-less emails. This new service can defend on-premises, hybrid and pure cloud email deployments including Microsoft® Exchange and Office 365™.

Previously there was little you could do to protect your organization from whaling attacks. It largely came down to education and hoping your colleagues wouldn’t be duped by a well-targeted, socially engineered attack. But with Impersonation Protect we have changed that – you now have technology to protect you alongside training.

We look forward to hearing feedback on Impersonation Protect as it continues to evolve.


We should welcome the move by Obama’s administration to go after more funding – defending the nation from the growing threat of cyberattacks has to be a priority for any world government.

The focus on more money for improving private, public and international collaboration is particularly important. The threat we face, after all, is universal and international, like the Internet itself: a threat on private companies is a threat on the economy, an attack on the public sector will impact the private. We should all hope his call is heard and acted on by Congress, too – cybersecurity of national infrastructure, and the public and private sector, is too important to be a victim of partisan politics.


2016 is an election year, so the danger is that Obama’s successor is likely to want to just build a bigger wall around whatever needs protecting, and while that might be reassuring for voters, it’s a representation of how we’ve classically thought about the security of our assets. But, it’s 2016 and the wall, perimeter, LAN and the defences we used to rely on are all DOA today. The breaches we see every day show they are clearly not protecting us well enough. We need to see a strategy rethink. Many organizations are not updating their spending patterns for cybersecurity to fit with the modern threats they face – that can be very damaging.

If you needed a letter from the President to get budget prioritized for cybersecurity projects, chances are, you’re way behind the security curve and are likely going to be spending on remediation rather than protection.

Cybersecurity has become the issue of 2015 and 2016; there’s enough evidence out there that the government, large corporations and consumers have been dramatically hurt by hacks and cybercrime. The OPM, FBI, State Department and Whitehouse hacks when combined with Sony, Target, Anthem and the many others show us that cybercriminals are making significant progress against our best traditional defences.

If you’re only now waking up to the issues of cybercrime, cyber warfare and hacking because of Obama’s political promises, then it’s likely you’re already being badly burned both organizationally and personally. Even if you don’t know it yet.

The enormity of the threat should not be new to us, should it? We’re several decades on from the invention of the first technologies that gave us viruses, Trojans and polymorphic files. We’re coming up to the fifth anniversary of the ground-zero hack for enterprises through email – the RSA Security hack of 2011 – yet we’re still seeing our corporate and personal lives affected by cyber-nefariousness.

I’m constantly hearing from CISOs and IT Managers: “We’ve just updated our security ‘a couple of years ago’ so we’re doing just fine.” This is their defence for not changing strategy, asking their executives for additional budget or modernizing a security solution. And, this worries me – here’s why: First, because anything that ends in “doing just fine” usually means you’re not fine, or you’re about to find out the hard way. And, second, when you look at how advanced the cyber-threat landscape has become (and how quickly it moves), over the last two years, anything you added to your security stack a few months ago could already be out of date.

So, if it was a letter from the President you needed to motivate you to deliver up-to-date protection for your network, now you have one. There should be no more excuses. Get it done. It’s your civic and corporate duty. Modernizing your cybersecurity protections, updating your processes and educating your people is a necessity you cannot delay any longer. Unless, of course, you fancy being the next organization in the headlines or explaining a breach to your bosses.


IT Security Is a Team Sport

by Ed Jennings - Chief Operating Officer

It seemed clear to a lot of the speakers and delegates at the recent RSA Conference that protecting organizations from cyberattack is not just the responsibility of the IT security team. Shared responsibility is the expression on everyone's lips.

Many of the sessions and speakers talked at length about how the changing nature of the attack, and the significant damage they are now causing, means the executive leadership of every private or public organization, big or small, needs to take the threat seriously.

I bet if you found the CEOs or CFOs of the many companies that have suffered a high-profile attack – Sony Pictures, Target, SnapChat, etc. – they would all agree that a hack, data breach, ransomware or whaling attack is a big deal. They cost money to fix. They damage reputations. They disable organizations. Employees care, shareholders don't like them and regulators or law enforcement are very concerned. Nobody wants to be the next CIO reporting a breach to their board.

But, amazingly, our own research shows that despite the high-profile damage attacks are causing, a surprisingly small number of executives are taking IT security seriously. According to IT pros surveyed, only 15 percent of C-level executives are extremely engaged in email security, and 30 percent are somewhat engaged. Confidence plays a major role in this equation: confident IT security managers are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security; they are also 1.6 times more likely to see C-suite involvement in email security as extremely or very appropriate.

The most confident were also most likely to feel they had good security resources. It is no surprise to me that executive support also leads to the proper investment. If the problem is understood and taken seriously, money and resources will follow.

But, it’s not just about how much the C-suite is involved in email security decision-making, it’s also about how they prioritize it in the broader business strategy. According to research from ISACA and RSA, 63 percent of respondents say their cybersecurity function (CISO) reports into the CIO and not the CEO. They argued, in a session at RSA, that this can create a conflict of interest, as the CIO is balancing a diverse range of priorities and may inappropriately deprioritize security in an effort to balance the books. The engaged CEO will consider IT security a risk management issue while the CIO will see it as a technology problem. Who the CISO reports to could make all the difference to the level of protection and cultural focus cybersecurity has in an organization.

So, it’s time for both sides to get together and recognize email security is a shared responsibility. The organizations that work together and see the wider relationship between IT security and other corporate risks are better placed to protect themselves from the worst effects of an attack. The problem is part technology, but also commercial, cultural, human and process.

On the IT side, learn to speak the language of the boardroom and show in real terms the risk and cost of the problem. This is not a technology conversation, it is a risk management discussion. On the executive side, take the time to understand the exposure and risk your organization is facing and put IT security higher on the risk management priorities. If you are a shareholder, next time you get the opportunity, ask the CEO or CFO about their IT security strategy. If their answer is ill informed, you might want to reconsider your investment.

Email security is not the responsibility of just the IT team. Everyone across the organization needs to play a role in protecting mission-critical data. It’s up to IT and the C-suite to work together to make email security part of the broader business strategy.


Protecting yourself from cyber-attack used to be about technology. But I have heard it repeated time and time again this week at the industry’s annual go-to security event, RSA Conference in San Francisco, that this is not enough.

Sure, you need the right technology, but attacks can’t be completely repelled with technology alone. You need to turn your employees into a new line of defense – something we have often called your Human Firewall.

Why? Well, today it makes much more ‘economic’ sense if you are an attacker to go after people.

For years now, most organizations have invested heavily in perimeter defenses, and as time passes, the historic security loopholes or open doors in the products we rely on have been closed and the defenses toughened – making it a harder job for attackers to go after your network. Not impossible, but harder. Requiring more skill, effort, resources and persistence.

Meanwhile, at the same time, we have put more and more technology into the hands of our employees and connected them to the outside world in multiple ways: email, social media, cloud services, mobile. We actively encourage our people to connect with customers, colleagues, contacts and prospects. It’s a part of being a modern organization.

So, an attacker has a choice to make about what strategy to apply, and they are going to look for the path of least resistance – the ‘return on investment’ business case for attacks on people is just too compelling. Because people are, after all, “only human.” For all our great qualities, from a security perspective, we are fallible. Prone to being tricked, scammed or bamboozled. As Admiral Rogers of the NSA said this week at RSA about employees and their role in cyber security: “… every individual we have given access to a keyboard is a potential opportunity or a threat.”

And, right at the center of all this sits email. Behind every email address is a person. Guaranteed. Sending an email costs next to nothing. Sending thousands of emails costs next to nothing. And if you invest a little time in social engineering to improve the targeting of your attack, just a few minutes on LinkedIn should do it, research suggests you are almost guaranteed to get a hit.

So, if you are an attacker what do you do? Buy hacking toolkits, invest in people resources, get heavy duty computing power, persistently attack a target over days, weeks or even months or find the CFO or CEO’s assistant’s name, fake an email address to look like their boss and then start an email dialogue?

Spear-phishing in its various guises, and specifically now CEO Fraud or whaling attacks, are the new frontline we need to defend. And, defense requires new technology, employee security training and culture change.

That’s why our Targeted Threat Protection service combines comprehensive technology protection with user awareness capabilities. You need to do both to effectively protect against attacks using malicious URLs, weaponized attachments and now non-malware emails used for whaling. With Mimecast, when you click on a malicious link we don’t just scan it, we tell you what we are doing so the employee sees the risk they are potentially putting the organization under and learns for next time. Receive an email that looks like it comes from the CEO, but in fact is from a spoofed domain name (even if it looks like your own) - we make that clear to the employee with an alert. And, receive an attachment – we convert it to a safe format before delivering it to you so any potential malicious payload is disabled and we explain why.