Whale phishing is a specific type of attack that targets primarily C-level executives to steal sensitive information from an organization. In many of these attacks, the goal is to manipulate the victim—who typically has greater access to sensitive data—or their subordinates into authorizing high-value financial transfers to the attacker(s).
As CFO of Flagler College in Florida, I am regularly targeted in whale phishing expeditions. Generally, most attempts I receive are not sophisticated and are allegedly from my president. But recently, I was almost a victim of a whale phishing incident using my email address—the best attempt to date that I have seen.
Thwarting an attempt
In April, a teammate with control and authority of banking transactions contacted me regarding an email that was sent from my account, requesting a wire transfer. The email subject line was “Capital Call,” and included the simple message: “Can we please get this paid today? This is for a new capital call distribution.”
This email contained my actual signature line, but with a few errors in writing style. First, the email did not address the two team member recipients personally at the beginning of the message, and it also lacked the personal signature that I always use with a request: “Thanks, Dave.” This email just included my first name, Dave.
The staff member called me to inquire what the email was about. I told her that I did not send a request that day, so we began to investigate. The whale phishing email came from my email account and included an attachment asking for $249,000 and providing the wire instructions to a bank in Hong Kong.
The whale phishing email came from my email account and included an attachment asking for $249,000 and providing the wire instructions to a bank in Hong Kong.
I reviewed my sent and deleted folders and the email was not in either one. Then I contacted the IT department to review the email source and location. We determined that someone accessed my email account and set up a rule that moved the sent email to the RSS folder, where we found the whale phishing email.
It is interesting to note that a week earlier, I sent an email to the same two team members, stating: “Please see the attached capital call that I funded today.” The subject line was: “Capital distribution, wire confirmation for capital call.” It was very similar to the whale phishing email.
Implementing additional controls
The hacker obviously gained access to my email account. All three computers that I use for work-related accounts were scanned for keylogging software and other viruses. No abnormalities were identified, so the hacker was likely able to access the account via my user ID and password. (Note: The password is only used on this account and was changed 30 days earlier; it contained between 12 and 25 characters, including uppercase and lowercase letters, numbers, and symbols.)
While we had sufficient controls to thwart this attempt, we have implemented additional controls over our treasury operations:
- No funds will be transferred or wired without voice confirmation from the requester.
- We added enhanced phishing training for team members who have greater authority over treasury funds.
Along with an already robust technology security protocol that is continually upgraded, these additional controls will help in identifying any future attempts.
Protecting yourself and your institution
Whale phishing has been around for quite some time and is a persistent threat to all organizations and its senior officers. In recent weeks, there has been a significant increase in these coordinated attempts to take advantage of the pandemic as organizations wrestle with moving associates to work-at-home environments and of the potential disruption in traditional chains of command.
These attacks typically use a broad approach referred to as either whale hunting or whaling, where multiple attack vectors are exploited. Hackers use a combination of well-researched, targeted spear phishing campaigns; website spoofing; full-frontal network assaults; and, yes, even text and fax messages in an attempt to compromise executives.
Here are seven ways to protect yourself and your organization now:
- Remain diligent. If you are not a target now, you likely will be in the near future.
- Consider following the common practice of tagging all emails originating from outside the organization as “external.”
- Ensure that all staff understand what is considered to be the normal behavior of your organization and that all “non-normal” requests should be verified.
- Make sure that the chain of command for transferring money remains intact.
- Continue to provide cybersecurity training for all staff; if this is typically done on an annual basis and is not due to be completed now, consider changing the schedule so that the training is provided during this critical time.
- Work with your CISO and your cyberthreat prevention team(s) to identify high-value targets in your organization so that traffic patterns can be monitored. Any significant increase in traffic volume directed at these individuals could be an early warning indicator of potential malicious activity.
- Be aware that money lost to a successful whale phishing attack may not be covered by cyber insurance, as the “fraud does not involve forgery of a financial instrument.” You may want to check with your insurance carrier to verify the terms of your policy.
Remain vigilant, and live by the mantra: “Trust but verify.”
David Carson is vice president for Business Services and CFO at Flagler College in Florida. Harvey Gannon is co-founder and CEO of CampusGuard.
UB’s coronavirus page offers complete coverage of the impacts on higher ed.