We have warned many times about the dangers of “phishing” scams. Cyber criminals try to trick people into revealing key personal or financial information or into clicking a link that will take them to a malware site where their system can be compromised and accessed to allow the hacker access to all sorts of valuable personal or business information.
Phishing accounts for approximately three quarters of all socially-based attacks. Taking this scheme one step farther, when hackers go after the “big fish” in your company, we call that whaling.
Whaling could mean applying the same phishing tactics to try to trick an executive into revealing login information or personal details that could be used to gain further access into a company’s systems. But, more often, social engineering scammers are preying on the good intentions of conscientious employees, pretending to be an executive asking for something (usually money, sometimes information).
The FBI warned companies to be vigilant following a dramatic recent increase in such schemes. You may also see officials refer to this tactic a “business email compromise scam” (BEC). The FBI reports received from 17,642 victims in a six month period at the end of 2015 and beginning of 2016. These crimes resulting in more than $2.3B in losses to targeted companies.
Recent, Costly Examples of Big Fish Targeted
FACC Lost 40 Million, CEO Lost His Job
After serving as CEO for 17 years, Walter Stephan was fired by the Board following an email scam in which thieves impersonated him in an email instructing someone within his company’s Finance Department to transfer money to a fake account for a made up acquisition project. With no process in place to verify the authenticity of the request and, at the time, no reason to question it, the money, in excess of the company’s net profits for the entire year, was essentially dropped into the fraudster’s lap.
New Zealand CFO Believed a Fake Request from Her CEO
The Chief Finance Officer of New Zealand’s largest universities transferred more than $100,000 to Chinese-based social engineering scammers following the instructions in a fake email she believe to be from her CEO. The CFO has since resigned.
Snapchat Employee Disclosed Personal and Financial Employee Data
In another recent case of executive impersonation, a payroll employee at Snapchat released detailed personal information for current and former employees to someone they believed to be the CEO. The leaked data included social security numbers, banking information, and salaries.
Victims Found in Large and Small Companies Around the World
Examples of executive email fraud have been reported all over the world in recent months. While we have seen several large companies hit for huge amounts of money, smaller companies throughout the US have also been victims. The recent FBI warning points specifically to a rash of such scams in Arizona costing smaller companies between $25,000 and $75,000.
Companies of all sizes in any industry should take notice. If your company does not already have a policy and a process for verifying large or non-routine financial or data requests from executives, you should be working to implement such a policy and to be sure employees understand the risks and how they should respond, verify the questionable communications, and report any attempt to impersonate a company official or even an important vendor.
Four Ways to Share These Tips
Everyone within your company needs to be aware of this current threat. Executive email fraud most often targets those in your finance, human resources, and IT teams. But, depending on how transactions are processed and information is shared within your company, others may need the same training. Begin by sharing our latest Security Tip…
- SOCIAL MEDIA: Share this tip! pace
- EMAIL: Share this article with your colleagues.
- PRINT: Post this tip in your break room for employees to see.
- NEWSLETTER: Download this full image to be included in your next internal employee newsletter. There is also a smaller image here that may fit better in your newsletter format.
We only ask that you use the images intact and unaltered. Thank you.
For more sharable security tips, click here.