Cyber criminals imitate the CEO and persuade fellow employees to make an unapproved financial transaction – which goes straight into the pockets of cyber criminals. How do they do it? With very little difficulty.
Sometimes you can spend billions of dollars on IT services and IT security, but cyber criminals will still find a way through the back door and complete their objective of extracting money from the company. The frustratingly low-tech approaches that some cyber criminals take are often more sinister and conniving than the high-tech ones, as Walter Stephan, former CEO of an Austrian aerospace parts maker, found out. The company was scammed out of 50 million euros when it fell victim to a successful whaling attack. Also known as CEO fraud or a fake president incident, a whaling attack involves a criminal posing as a C-suite executive to persuade an employee to make an unapproved financial transfer.
In fact, similar scams targeting CEOs have cost businesses close to AU$4 billion in the past three years – and that figure is based only on reported cases, with many more likely to have gone unreported to authorities. The reward for success is lucrative and, with the right planning and time investment, cyber criminals usually take the following steps to reach their goal:
- They gather information about the company’s structure and hierarchy: who reports to whom, and their contact details. These details are priceless, and easiest to obtain for members of staff who have a strong social media presence.
- LinkedIn may reveal that the target(s) is a speaker at an upcoming event.
- Twitter could suggest the target(s) is flying out of Sydney on a Sunday night and returning on Wednesday morning.
- Instagram could show what other companies they are dealing with and who the target(s) is rubbing shoulders with at the said event.
- With enough intel on the targets acquired, the bait is set: the cyber criminals send a simple plain-text email with no attachments, along the lines described below:
The characteristics of a typical whaling email:
- Simple, plain text, and contains no attachments or links, so there is no malicious payload for email filters to flag.
- Contains a personal greeting (e.g. Hi Michael) and a ‘Sent from my mobile’ footer, suggesting that the apparent sender is out of the office and unavailable for immediate verification.
- States that the sender is currently busy (and uncontactable), implying that the request is urgent and should proceed without any verification.
- Often sent when few people are in the office, or outside office hours, so that the recipient has nobody nearby to check with.
Why does it work so well?
- The email looks authentic.
- It is urgent and puts the recipient on the spot; the pressure is greater because they believe they are dealing with the CEO.
- It is not caught by email filters: the sender address is spoofed or comes from a look-alike domain, and the content, including headers and footers, contains nothing out of the ordinary.
- Low cost with potentially high rewards.
Despite all the IT services your company has, sometimes it is a single employee’s interaction that unhinges a company’s defences. Some steps you can follow to prevent these attacks include:
- Examine the sender and reply-to addresses, not just the display name, and check that the email hasn’t come from a similar but recently registered domain, such as example.com instead of example.com.au.
- Be alert for strange sentence structure or phrasing uncommon to the apparent sender.
- Never sidestep formal processes for payments. If in doubt, ring the apparent sender on a number you already have, not one given in the email. If they’re not available, wait until they are. A money transfer is better late than lost without a trace to an overseas cyber criminal.
- Implement scam-proof approval processes for financial transfers, such as dual authorisation (a four-eyes check), which requires two employees to sign off on every wire transfer. This is not the same as two-factor authentication, which protects account logins rather than payment approvals.
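The header and content checks described above can be automated. The script below is an added example, not code from the original article or from the company behind it: it parses a raw email and flags the whaling indicators discussed on this page, namely an executive’s display name on an external address, a look-alike sender domain, a diverging Reply-To, pressure language such as ‘Sent from my mobile’ and ‘urgent’, and a send time outside office hours. The organisation domain (example.com.au), the executive name list, the office hours and both sample emails are assumptions constructed for the example. A check like this complements, rather than replaces, SPF/DKIM/DMARC verification on the mail gateway, which this example does not perform.

```python
"""Flag whaling / CEO-fraud indicators in a raw email (added example, not the article's own code)."""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

ORG_DOMAIN = "example.com.au"        # assumption: the company's real domain
EXECUTIVE_NAMES = {"michael smith"}   # assumption: C-suite display names, lowercased
OFFICE_HOURS = range(8, 18)          # assumption: 08:00-17:59 local time is normal
PRESSURE_PHRASES = ("urgent", "asap", "sent from my mobile", "in a meeting",
                    "can't take calls", "confidential", "do not discuss")


def edit_distance(a, b):
    """Levenshtein distance; used to catch one-character typosquats of the org domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """True for a domain that is not the org's own but is built to resemble it."""
    if not domain or domain == org:
        return False
    org_label, dom_label = org.split(".")[0], domain.split(".")[0]
    if dom_label == org_label:                      # same name, different suffix: example.com
        return True
    return edit_distance(dom_label, org_label) <= 1  # examp1e.com.au, exampel.com.au


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_email(raw):
    """Return {indicator: detail} for the whaling indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {}

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # The CEO's name in the display name, but the address is not on the company domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != ORG_DOMAIN:
        findings["exec_name_external_address"] = f"{from_name!r} sent from {from_addr}"
    if is_lookalike(from_dom):
        findings["lookalike_sender_domain"] = f"{from_dom} resembles {ORG_DOMAIN}"

    # Replies silently routed somewhere other than the apparent sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings["reply_to_diverges"] = f"replies go to {reply_addr}"

    # Urgency / unavailability language in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings["pressure_language"] = ", ".join(hits)

    # Sent at the weekend or outside office hours, when nobody is around to verify.
    if msg.get("Date"):
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent.weekday() >= 5 or sent.hour not in OFFICE_HOURS:
            findings["outside_office_hours"] = sent.strftime("%A %H:%M")
    return findings


# Constructed sample: the kind of message the article describes.
SUSPECT_EMAIL = """\
From: Michael Smith <michael.smith@example.com>
Reply-To: michael.smith@example.net
To: jane.doe@example.com.au
Subject: Urgent wire transfer
Date: Sun, 5 Mar 2017 19:12:00 +1100

Hi Jane,
I'm in a meeting and can't take calls. Please process a wire transfer of
$48,500 to the supplier details I sent earlier today. Keep it confidential.
Sent from my mobile
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@example.com.au>
To: michael.smith@example.com.au
Subject: March invoice approved
Date: Tue, 7 Mar 2017 10:05:00 +1100

Hi Michael,
The March invoice is approved per the usual process.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse_email(raw))
```

Running the block prints every indicator for the suspect message and an empty result for the clean one. In practice the indicator names would feed a mail-gateway rule or a banner shown to the recipient; none of them is proof of fraud on its own, which is why the process controls above (ring the sender on a known number, dual authorisation) remain the real defence.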
If your company isn’t fully equipped to fend off cyber criminals, then get in touch with us so we can discuss your options. Call us on 1300 768 779, email us at info@intellitek.com.au, fill out the web form, or have a Live Chat with us below.