Most people are already wary of phishing, but businesses now find themselves having to defend against a new type of cyber-threat: ‘whaling’.
This scam tactic sees the criminal pretending to be a company boss and sending a spoof message to the finance department, asking for a payment to a supplier to be rushed through while claiming the chief executive, who would normally handle it, is currently out of the office.
Experts have called this trick ‘whaling’ as it involves thieves going after one big sum – the whale – as opposed to phishing, which tends to see criminals targeting lots of smaller amounts, an approach more comparable to line fishing.
The scam may seem a little far-fetched, but a number of businesses have already fallen victim, with the criminals taking millions of pounds. Among those hit is US tech firm Ubiquiti Networks, which claims to have lost £30 million to whalers.
Security firm Centrify almost followed suit, with the company’s head of security, Tom Kemp, claiming his company narrowly avoided losing money when a finance director who had been targeted bumped into the manager named in the initial scam email.
He also said this was just one of many attempts, and that Centrify was at one point being targeted regularly by whaling attacks.
Those who carry out the attacks tend to register a domain name as similar as possible to that of the business they’re trying to scam, and then replicate staff email addresses on it in the hope that employees won’t notice the slight differences.
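One defensive check against the look-alike domains and copied staff addresses described above, added here as an example rather than anything from the article: a small Python classifier that flags a From: header whose domain imitates the company's own (a confusable-character swap, one or two character edits, or the real name buried inside another domain) or whose display name is an executive's while the address sits outside the corporate domain. The corporate domain, executive names and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed values for this example; a real mail gateway would load them from its configuration.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe"}          # display names a whaler is likely to impersonate

# Character pairs commonly swapped to make a registered look-alike domain read like the real one.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Fold confusable characters so 'exarnple-c0rp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits separating two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the sender domain imitates the corporate domain rather than matching it."""
    if domain == CORPORATE_DOMAIN:
        return False
    real_label = CORPORATE_DOMAIN.split(".")[0]
    return (normalize(domain) == normalize(CORPORATE_DOMAIN)   # confusable-character swap
            or edit_distance(domain, CORPORATE_DOMAIN) <= 2     # typo or changed TLD
            or real_label in domain.split(".")[:-1])            # real name inside another domain


def classify_sender(header_from: str) -> str:
    """Classify a From: header as trusted, lookalike-domain, display-name-spoof or external."""
    name, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == CORPORATE_DOMAIN:
        return "trusted"
    if is_lookalike(domain):
        return "lookalike-domain"
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "display-name-spoof"      # the boss's name on an unrelated or free-mail address
    return "external"


if __name__ == "__main__":
    for hdr in ["Jane Doe <jane.doe@exarnple-corp.com>", "Jane Doe <jane.doe.ceo@mail.example>"]:
        print(hdr, "->", classify_sender(hdr))
```

Any result other than "trusted" or "external" is a reason to hold a payment request for an out-of-band check, which is the kind of second look that saved Centrify.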
One cyber-security expert, Bit9’s Ben Johnson, explained why the risk increases for some firms: “It’s becoming a big problem, especially for small companies that do not have the bodies to look into all the emails,” he said.
“The bad guys might only be after $100,000, but for a smaller company that’s a lot of money.”