Phishing and Whaling: The Art of the Cyber Con
You just received an email from your CEO with instructions for an urgent wire transfer from your company’s account.
Quick – what’s your next step?
Over $1.2 billion has been swindled in the past 12 months from businesses by con artists using this kind of scam. Business email compromise (BEC) can occur in several ways, but usually ends with a misdirected wire transfer of funds.
BEC is successful because the emails appear to be sent from individuals who are in a position to make legitimate requests for wire transfers, or who have the authority to approve such financial transactions. Information about C-level executives of a company, or others with that capacity, can be gleaned from business filings and social media websites. Cybercriminals may also take over a company’s email server and monitor traffic to watch for payment-related emails so they can create a convincing forgery, or use a counterfeit domain that resembles the targeted victim’s email address or website. This is a form of phishing known as whaling, because the criminals are targeting top executives and gathering as much information as possible to make the swindle seem real.
However, creating a convincing fake is only part of the equation – we are the other part. Social engineering, or knowing how to hack the human and exploit our weaknesses, is what clinches the con. Sometimes it’s our desire to help others that leads us into trouble; why else would we want to help a Nigerian prince transfer money to save his country, or wire money to a friend who is travelling abroad and has lost all their cash, even though we know he has never set foot outside his Granny’s flat? People also tend to follow the herd, or succumb to fear, loneliness, greed, or hubris. Any of these emotions can be successfully played upon by a cyber con artist.
Recognising a con can be difficult, and that’s why it’s critical to have processes in place to stop the con before someone can unwittingly put their company at risk.
Businesses should examine the controls they have in place and make sure these are adequate to prevent this type of scam. For example:
- There should be two or more people required to approve any wire transfers.
- Accounting staff should engage new vendors in two-way communications to verify they are legitimate.
- There must be a set of rules regarding urgent requests for information or wire transfers. Even if it appears as though the CEO is sending you a direct email ordering you to take immediate action, you must escalate the request up your chain of command.
- Make sure everyone in your organization feels confident about their role in preventing this type of fraud. When the helpdesk is asked for a password reset, they should ask a series of questions that only internal employees will be able to answer to verify the caller’s identity. When the front office receives an urgent call purportedly from an executive, they should be able to explain why they are not able to comply with that request, and can remind the ‘executive’ that they should know the procedures too!
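A screening check of the kind these controls call for, as an added example rather than code from the original article: it flags an inbound message whose display name matches an executive but whose address is not theirs, whose sender domain is a look-alike of the company’s own, or that pairs urgency with a request to move money. The company domain, executive directory and keyword lists are assumed placeholders.

```python
from email.utils import parseaddr

# Assumed values for this example: the organisation's real domain and the
# executives' names as they appear in the internal directory.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = ("urgent", "immediately", "asap", "right away", "today")
PAYMENT = ("wire transfer", "wire", "bank details", "payment", "invoice")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(from_header, subject, body):
    """Return the list of BEC red flags found in one inbound message."""
    flags = []
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{subject}\n{body}".lower()
    # 1. An executive's name in the display name, but not their real mailbox.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr.lower() != known:
        flags.append("executive display name with foreign address")
    # 2. A domain that is almost, but not quite, ours (typosquat / look-alike).
    if domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        flags.append(f"look-alike domain {domain}")
    # 3. Urgency combined with a request to move money or change bank details.
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        flags.append("urgent payment request")
    return flags


if __name__ == "__main__":
    # Constructed sample message in the style described in the article.
    print(bec_indicators("Jane Doe <jane.doe@examp1e.com>",
                         "Urgent wire transfer",
                         "Please send the wire today, I'm in a meeting."))
```

A hit on any of these flags is a reason to escalate through the chain of command and confirm by a second channel, not a verdict on its own.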
That said, we can all do our bit. Individuals should:
- Remember that con artists are trying to gain your confidence, to establish trust and get you to divulge information that can be used to compromise your security. Don’t overshare with strangers.
- Stay alert – if you receive a phone call or email that includes a plea or demand for assistance or information, tell the caller you don’t accept phone solicitations – ever – and hang up. Don’t respond to such emails; delete them.
- If you are unsure – always err on the side of caution and don’t respond.
It can sound tough, but with cyber crime you have to take a hard line. With businesses like Ubiquiti Networks falling victim to cyber thieves who ran a BEC scam to the tune of nearly $47 million, we cannot be too careful. Have you or your colleagues been targeted by such a con?