Puns aside, we have all become accustomed to receiving emails asking us for assistance to release the millions of dollars stashed away by various princes or ex-members of parliament, the so-called 419 scams. But in the last year or so there has been an interesting twist on this. What the email senders have realised is that rather than ask individuals for cash, or attempting to infect/encrypt their machines to extort a ransom, they can just go bigger by asking companies to pay false invoices or make bank transfers.
This is in itself an extension of phishing which was the attempted extraction of financial or personal details appearing to come from a trustworthy source. On occasions, the sender address was faked and the target was one specific individual in a company, so-called spear phishing.
With whaling scams, the email appears to come from a higher level manager or board member, and is directed to a named individual often in the ‘same’ company. The tone of the email is ‘managerial’ and meant to mimic normal intra-company mails with some level of informality to fool the recipient into believing there is an urgent business need to transfer some money. The mail content and style may very well duplicate an internal mail, even down to the use of correct logos etc.
The news is currently full of tales of people duped by whaling scams and of the big losses incurred by business as a consequence (See Beware ‘CEO fraud’ costing British businesses millions or Mattel duped out of $3M in phishing scam, recovers loot). TV news media has covered the story Action Fraud reveals that it receives 8,000 reports of phishing scams every month to show how overwhelmed the UK police service and Action Fraud are with reports of mistaken bank transfers.
Some articles have appeared with US based details (See The anatomy of a spear phishing scam, or how to steal $100M with a fake email or Spear phishing attack nets $495K from investment firm) but let’s have a real-world UK example of a whaling scam so you can appreciate how easy it is to fool an intelligent and wary person into believing they are doing what is legitimately requested by their business (At their request we have anonymised the details, but we thank them for allowing us to use redacted/anonymised screenshots of the actual emails they received. The apparently different font in the screenshots is my poor image editing skills).
Real-world whaling scam targeting a UK business
Some background first.
The company, let’s call them “Victim Ltd”, is a services company in the technology sector.
The two primary directors are “Mark Reading” (MD) and “Ralph Mode” (IT Director), both experienced IT professionals.
The Finance manager is “Tina Blackmore”, an experienced and qualified finance professional, seemingly aware of the risks of scam emails and untoward attachments.
The primary directors were out at a business meeting with an existing client discussing a new large project which involved a meeting over 3 hours with a large number of people. Mark Reading had turned off his phone during the meeting. Ralph Mode was actively engaged in technical discussion.
Tina Blackmore received the following email.
Tina replied to ‘Mark’, and asked whether Ralph knew of this payment.
The phisher then sent a message that appeared to come from ‘Ralph’ authorising the transaction that ‘Mark’ had requested.
A second request came in very shortly afterwards asking for a further payment of £21,200.
This time Tina sent a reply and included Ralph in the reply.
This email went to the real Ralph who immediately replied that it was a forged email (whaling scam) and said he would confirm it by SMS.
The false ‘Ralph’ sent in an email authorising the transfer, but by now Tina had seen the SMS from the real Ralph.
So the second payment was not made. Under Ralph’s instruction and with the approval of the Victim Ltd bank (Lloyds), Tina played along with the second request to try and delay the phisher. But investigations showed that the original payment had already been siphoned out of the recipient bank account (Nationwide).
Tina reported the payment to Action Fraud, who stated that thousands of people were currently falling victim to this sort of whaling scam, so much so that it would be three weeks before they would be able to provide a crime number.
To date, the money has not been recovered, and the business has moved on to assume that they will not get it back. Nationwide would not deal with Victim Ltd because they were not a customer. Lloyds stated that the payment had been made with authorisation from Victim Ltd and therefore it was not liable.
It is easy to be clever in hindsight, and the findings we present are honestly provided without judgement. Each business must decide the appropriateness and effectiveness of financial and IT controls.
Victim Ltd did not employ any spoof email detection. By its very nature, these whaling emails do not look like spam, they look like genuine emails from someone else in the business.
Gmail presented the first email as internal because the phisher spoofed the ‘from’ address, but they had set a reply-to address that showed it was external mail – but this is NOT displayed by Gmail unless you actually go and look for it, you can see it was firstname.lastname@example.org :
Tina, despite being aware of email fraud and whaling scams, accepted the appearance of the icon for Mark, and the ‘iPhone’ banner because that was what she was used to seeing. The language used was very similar to how Mark communicated, albeit that he insisted that he would not have made such a request. It was the opinion of Tina and Ralph that Mark may well have sent just such a message in the past!
Tina did not pick up that the email was sent to ‘email@example.com’ and not the usual format of ‘firstname.lastname@example.org’, this is an easy oversight. The company had provided staff with aliases for their accounts but since they were not in normal use, and their use was frowned upon, they should have been removed.
The phisher acted very quickly to confirm from ‘Ralph’ that the payment was known about and authorised. The format of the email from field for ‘Ralph’ was incorrect (email@example.com rather than firstname.lastname@example.org), again an easy oversight to make but staff should have been made aware of checking the FROM/TO fields.
We advised the company that sticking to the default iPhone signature and the default Gmail “gingerbread man” icon had lulled them into a false sense of security and it would be better to alter these so they were company or person specific.
In speaking to Tina it was clear she had felt physically ill at what had occurred, and it is to their credit that the directors had accepted it as a genuine mistake and one that they would simply have to chalk down to experience. Had Tina not asked Ralph directly for confirmation on the second payment, the loss could have been much worse.
The company has been able to survive the hit to their finances, and with new authorisation and IT email scanning procedures in place, they believe they have learnt their lesson the hard way.
We found no basis to believe that either Mark or Ralph’s email accounts or calendars had had unauthorised access. The original email just appeared to arrive at a time when both were out of the office in a situation that reduced their ability to communicate.
Summary – Lessons learnt from whaling scam
A real company, with a real loss. To their credit they told their staff about the successful phishing scam and used it to act and enforce good practice – albeit after the ‘horse had bolted’.
There are things that can be done (Simple precautions can help keep CEO fraudsters at bay) and there are in-cloud mail filtering systems that increase your chances of avoiding such whaling attacks.
For those of you who still think this will have no real impact on you –