First, there was phishing, then spear phishing. Now, a new term has taken hold as cyber thieves aim their harpoons at even bigger catches.
The result is whaling, where hackers’ bait is the highest positions of authority in a company, masquerading through email as a senior executive to attempt to fool an employee or supplier into releasing money, procurements or sensitive information. In June, the FBI announced that such schemes have led to more than US$3 billion in losses for companies in at least 80 countries in the previous three years.
The whaling security risk drew attention again in October, when aerospace and advanced technology giant Lockheed Martin sent a memo to suppliers, warning them to be aware of fraudulent requests. The memo stated that suppliers received urgent emails and phone calls from someone claiming to be an executive at the Bethesda, Maryland-based company.
“They were trying to spoof Lockheed Martin, trying to drive action to have something shipped or a financial action done,” says Jim Connelly, chief information security officer and vice president, corporate information security at Lockheed Martin.
Suppliers and supply management professionals are natural targets for whaling attempts, says Timothy Hall, president of Azorca Cyber Security, LLC, in Mesa, Arizona.
“People in supply management are often in a position to send money out of the company,” Hall says. “While a chief engineer could be targeted for release of intellectual property, many of these whaling attacks are designed to get people to transfer funds out of the company. And once the money is gone, it’s gone. You can’t get it back. The odds are high of supply management practitioners being targets or impacted by these scams.”
The Lockheed Martin memo states of the whaling attempts: “Alert staff members who handled the emails took correct actions and prevented something bad from happening.” Not all companies are as fortunate. Mattel lost $3 million from a CEO impersonation scam in 2015. Earlier this year, a finance department employee at wire and cable manufacturer Leoni AG fell for a fake email claiming to have come from a senior executive, requesting money to be transferred from a company account.
The cost of the employee’s mistake was severe: Leoni was swindled out of 40 million euros (about $44 million), and its stock dropped 7 percent after the cyberattack was announced.
Smaller Companies: Easier Targets
While most phishing scams involve use of a malicious URL or attachment, whaling involves impersonation. This is done by gaining access to an executive’s email account, or emailing with a domain name that closely resembles the company’s domain and often goes unnoticed by a casual glance.
While international companies being victimized garners the headlines, Hall says, that’s not an accurate picture of who most whalers target.
“People think it happens only to the Lockheed Martins, Microsofts or IBMs, the big companies. That’s not accurate,” Hall says. “This is more successful on medium-sized companies. Why? Because those companies often don’t have the tools in place that could combat it. They are easier targets. Why target Bank of America that has a very sophisticated infrastructure? I’ll go after someone little.”
Software can help combat whaling. For example, domain-name trackers alert a company at the creation of a similar domain, which can then be place into an email blocker. However, these tools are usually too expensive for smaller companies, Hall says. Also, cyber thieves continue to make their attacks more sophisticated and harder for software to catch.
What’s the most effective defense for companies of any size?
“Training, training, training,” Hall says.
What — and Who — To Train
The best thing about training, Hall says, is that it doesn’t have to cost anything. However, training loses value if the “who” is not emphasized as much as the “what.” And among the most critical phishing- and whaling-mitigation trainees are those highest in a company.
“Who is the least trained in the company on cybersecurity? The executives,” Hall says. “They are making sure that everyone else is trained. It’s easier to get an executive to click on a bad link than anyone else.”
Hall says, “Make sure you have policies and procedures in place that address how (payments and transfers) are handled and provide training. Don’t write policies down and put them on a shelf someplace, where nobody knows what’s going on. You have to train people on it, because the way (a fraudulent email) is set up, it looks like something from the CEO. It has to be acted on right away, and nobody is going to go look in the manual for the policy. The employees have to know.”
Lockheed Martin does have sophisticated cybersecurity software, Connelly says. However, that technology was not what saved the day.
“In our case, it was a success story where the suppliers, using their own internal practices and procedures, realized that the language in the email was not consistent with the way Lockheed Martin operates,” Connelly says. “Our executives demanding an immediate shipment or actions is not the way our procurement practices work. The supplier notified their leadership, who let Lockheed Martin know. This had occurred with multiple suppliers, and it became evident that we needed to let our entire supply chain know (through the memo).”
Note the tone: Lockheed Martin’s memo emphasized paying attention to the language of a request. For example, vague or unusual circumstances suggesting that normal processes cannot be followed, non-disclosure or secrecy, and threats or intimidation.
Train and test: Lockheed Martin regularly tests employees by sending its own fraudulent correspondence of its own, with such red flags as altered domain names or unusual language.
Know your coverage: Companies should check their cybersecurity insurance to know what is and is not covered. Some phishing or whaling monetary losses are not covered, Hall says.
Update and repeat: If whaling is phishing 3.0, there will be a 4.0. Cyber thieves are always adjusting to new technologies, so a company’s mitigation policies and training must evolve as well.
“Employees are often the last line of defense, and a robust security education plan is a critical help,” Connelly says. “For a company like ours, suppliers are also important, and we work with them just as closely. Cybersecurity must be integral to everything you do, and you have to be proactive about it with your suppliers, partners and employees.”