At a glance
Whaling scams are subtle, low-tech attacks that target senior people in a business and can cause significant financial loss. They aim to trick an unsuspecting employee, often a high-profile person in the company, into transferring money or sending sensitive business data.
The term “whaling” refers to the seniority of the victim, and in a typical whaling scam, a CEO receives an email that appears to be from the CFO, asking the CEO to approve a large invoice or provide banking details.
In reality, the scammer has infiltrated the accounting firm’s IT system and taken over the CFO’s email account. To the CEO, however, it looks like a genuine request.
Cybercrime scams cost business
Data from cyber security firm Trend Micro shows Australia was one of the top two countries for business email compromise attempts in October 2018. The research also found CEOs and managing directors – the whales – continue to be the top two positions cybercriminals impersonate in these scams.
“The accounting industry can be a lucrative target for whaling and business email compromise scams, given the level of sensitive financial data it holds,” warns Mick McCluney, technical director, Trend Micro ANZ.
“An organisation’s best defence is to educate executives and employees at all levels of the business on how to identify these scams and make sure formal processes are in place to report scams once they are suspected. These systems are essential when authorising banking details on invoices, for instance,” he adds.
McCluney says whaling scams are often hard to detect because the emails usually do not have an attachment or URL link, which employees are trained to recognise as being suspicious.
Here are six tips to help keep all staff from falling prey to a whaling attack.
1. Show people what a scam looks like
Refer to resources such as the Australian Competition and Consumer Commission’s Scam Watch website to find out about the latest scams.
“Remind staff to be vigilant when scrutinising any invoice they may receive. Staff are often very familiar with certain regular payments or account details. So be aware if an invoice comes through that has unfamiliar information on it,” warns Kevin Tran, a director of ethical hackers Trustwave SpiderLabs APAC.
Picking up the phone and calling the party named on the invoice is another way to ensure it is bona fide.
2. Stage simulations to help prevent an attack
Phishing simulations should test employees on how to spot these scams and avoid attacks. This allows the business to check how susceptible staff are to paying invoices when they shouldn’t, or revealing sensitive business data.
“Also, double check any change of details with suppliers,” says McCluney.
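Tips 1 and 2 come down to one control: payment details that differ from what the business already knows about a supplier are held until someone phones the number on file. The following is an added example, not code from the article or from Trustwave or Trend Micro, of what that screening step looks like when automated. The vendor master, the sample invoices (including one sent from a lookalike domain with changed bank details) and the approval threshold are all constructed for the example.

```python
# Added example, not code from the article or from Trustwave/Trend Micro:
# screening incoming invoices against a vendor master so that unfamiliar or
# changed payment details are held for a phone call to the number on file.
# Vendor records, invoices and the approval threshold are all constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str  # domain the vendor's invoices normally arrive from
    phone_on_file: str  # number to call back; never the one printed on a new invoice
    bsb: str  # Australian bank-state-branch code
    account: str


# Constructed vendor master: the "familiar" payment details staff already know.
VENDOR_MASTER = {
    "Acme Stationery": Vendor("Acme Stationery", "acme-stationery.example", "+61 2 0000 0001", "062-000", "12345678"),
    "Harbour Legal": Vendor("Harbour Legal", "harbourlegal.example", "+61 2 0000 0002", "033-123", "87654321"),
}

# Assumed policy: any invoice at or above this amount gets a callback regardless.
CALLBACK_THRESHOLD = 25_000.00


def screen_invoice(invoice: dict) -> list[str]:
    """Return the reasons this invoice must be verified by phone before payment.
    An empty list means every detail matches the vendor master."""
    reasons = []
    vendor = VENDOR_MASTER.get(invoice["vendor"])
    if vendor is None:
        return ["vendor not in vendor master"]
    sender_domain = invoice["from_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        reasons.append(f"sender domain {sender_domain} differs from registered {vendor.email_domain}")
    if (invoice["bsb"], invoice["account"]) != (vendor.bsb, vendor.account):
        reasons.append("bank details differ from vendor master (changed-details check)")
    if invoice["amount"] >= CALLBACK_THRESHOLD:
        reasons.append(f"amount {invoice['amount']:.2f} meets callback threshold")
    return reasons


def triage(invoices: list[dict]) -> tuple[list[str], dict[str, list[str]]]:
    """Split invoices into those that may go to normal approval and those held
    pending a callback, keyed by invoice id with the reasons for the hold."""
    pay, hold = [], {}
    for inv in invoices:
        reasons = screen_invoice(inv)
        if reasons:
            hold[inv["id"]] = reasons
        else:
            pay.append(inv["id"])
    return pay, hold


# Constructed sample invoices: one clean, one with changed bank details sent from
# a lookalike domain, one from a vendor nobody has dealt with before.
SAMPLE_INVOICES = [
    {"id": "INV-1001", "vendor": "Acme Stationery", "from_email": "accounts@acme-stationery.example",
     "bsb": "062-000", "account": "12345678", "amount": 1_240.50},
    {"id": "INV-1002", "vendor": "Acme Stationery", "from_email": "accounts@acme-stationary.example",
     "bsb": "062-000", "account": "99999999", "amount": 18_900.00},
    {"id": "INV-1003", "vendor": "Northern Consulting", "from_email": "billing@northern.example",
     "bsb": "012-345", "account": "55555555", "amount": 4_000.00},
]


if __name__ == "__main__":
    pay, hold = triage(SAMPLE_INVOICES)
    print("route to normal approval:", pay)
    for inv_id, reasons in hold.items():
        vendor = next(i["vendor"] for i in SAMPLE_INVOICES if i["id"] == inv_id)
        phone = VENDOR_MASTER[vendor].phone_on_file if vendor in VENDOR_MASTER else "no number on file"
        print(f"HOLD {inv_id}: call {phone}; reasons: {reasons}")
```

The callback number comes from the vendor master, not from the invoice itself: a fraudulent invoice will helpfully print a phone number that the scammer answers. The lookalike domain in INV-1002 is caught by comparing the whole sender domain, not by looking for attachments or links, which, as McCluney notes, these emails usually do not carry.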
3. Use a multi-pronged approach to prevent an attack
Smaller accounting firms are popular targets for scams such as bogus invoices, payroll fraud and whaling attacks because they hold sensitive data and have access to client funds, says Craig McDonald, CEO of email security firm MailGuard.
McDonald says proper password protection is essential.
“Understand who has access to passwords and how you manage them, especially if staff leave. Use a reputable password safe to store and generate secure passwords,” he suggests.
4. Don’t forget to update patches
On the technology side, one of the best ways to protect the business from whaling attacks is to apply patches and regularly update software, says Tran.
“A common failing point is businesses not updating their applications. Out-of-date software exposes the company to a higher likelihood of being hacked because there’s a window of opportunity for someone to exploit,” he says.
Tran says businesses often don’t apply patches because they think they can’t afford the downtime on their systems for regular updates.
This is a false economy. The cost to a business if it experiences a whaling attack is far greater than the downtime associated with turning off applications, applying the patch, restarting the system and making sure everything is working.
5. Use tools designed to stop whaling
Take advantage of features in software programs that help prevent business emails from being compromised. For instance, Microsoft’s Office 365 has a one-time password feature: even if a hacker tricks a staff member into giving up his or her username and password to get into the system, the fraudster cannot perform financial transactions without a one-time password sent to a device such as the real user’s smartphone. The one-time password can only be used within a very short time frame, such as 60 seconds.
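To show why a phished password on its own does not unlock a transaction, and why a code that is captured stops working after the short window, here is an added example, not Microsoft’s or Office 365’s code, of a time-based one-time password check in the style of RFC 6238. The per-user seed, the password and its salt are constructed sample values; the 30-second step is the RFC default and stands in for the article’s 60-second window.

```python
# Added example, not Microsoft's or Office 365's code: a minimal RFC 6238
# time-based one-time password check, showing why a stolen username and
# password is not enough on its own and why a captured code stops working
# after a short window. The seed, salt and password are constructed samples.
import hashlib
import hmac
import struct

SAMPLE_SECRET = b"constructed-sample-totp-seed"  # per-user seed shared with the phone app
STEP_SECONDS = 30  # RFC 6238 default step; the article's 60 seconds is the same idea
DIGITS = 6

# Constructed credential record; a real system would use a dedicated password KDF.
SAMPLE_SALT = b"constructed-salt"
SAMPLE_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"constructed-password", SAMPLE_SALT, 100_000)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Derive the code for the time step containing unix_time (HOTP over the step counter)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side (clock drift)."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def can_approve_transaction(password: bytes, otp: str, now: int) -> bool:
    """Both factors must pass: the password a scammer may have phished and the
    code from the real user's phone, checked against the current time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, SAMPLE_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, SAMPLE_PASSWORD_HASH)
    return password_ok and verify_totp(SAMPLE_SECRET, otp, now)


if __name__ == "__main__":
    t0 = 1_700_000_000  # a fixed timestamp so the demonstration is repeatable
    code = totp(SAMPLE_SECRET, t0)  # what the real user's phone shows at t0
    print("password only, no code:           ", can_approve_transaction(b"constructed-password", "", t0))
    print("password + fresh code:            ", can_approve_transaction(b"constructed-password", code, t0 + 20))
    print("password + same code 2 min later: ", can_approve_transaction(b"constructed-password", code, t0 + 120))
```

The three lines printed at the end are the point of the tip: the correct password without a code is refused, the password with a fresh code is accepted, and the same code presented two minutes later is refused because the time step has moved on. The `window` of one step either side is the usual allowance for a phone clock that is slightly off; widening it extends how long a captured code stays usable, so it should be kept small.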
6. Properly resource the business
Many smaller accounting firms don’t have a dedicated IT person in-house. In this situation, it’s a good idea to invest in an externally-managed security service that reports to a senior manager in the business. Work out a plan for updating software, applying patches and reporting cyberattacks so the business is fully informed on a regular basis of any attempts at whaling or other attacks on its IT system.