In January, we published a blog post about a whaling attack that cost Austrian aerospace parts manufacturer FACC around €50 million. We have updates: the board decided to revoke the chairman of the management board for violation of his duties ‘in relation to the “Fake President Incident”’, as reported in this news release. We don’t know which duties he violated, but what we do know is that he is not the only one who lost his job due to the whaling attack: both the employee in the finance department who was caught up in the scam and her supervisor have already been fired.
67% increase in requests for fraudulent payments
As Mimecast reported, in the first three months of the year 67% of companies around the world saw an increase in attacks designed to extort payments, and 43% saw an increase in attacks requesting HR records or tax information.
Whaling attacks are becoming more prolific and effective at tricking inattentive employees because:
- Cyber criminals carefully study the target – the more the email looks authentic in terms of branding and style, the more likely it is to push the receiver to act;
- They carefully plan the attack – they usually take advantage of periods of transition, similar to what happened at Mattel last year, or when the CEO (the supposed sender of the fake email) is out of the office and cannot be reached;
- They target top-level staff in key areas, like the finance or HR departments, who don’t require any further permission to wire money or make payments;
- They exploit human desires to make a good impression – no one wants to complain about a request coming from the CEO, even if it’s unusual.
Detect a whaling attack before it’s too late
No matter what technological controls you have in place to filter spam and suspicious emails, a well-crafted malicious email can still get through. That’s why your ultimate defence against whaling attacks is your staff, because an informed staff is a secure staff. The FACC example above shows how anybody can swallow the bait, and that’s why a staff awareness programme should be implemented throughout the whole organisation.
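Technical filtering still has a role alongside awareness training. The following is an added example, not code from the original post or from IT Governance, showing the kind of heuristic a mail gateway or SOC can apply to messages bound for finance or HR mailboxes: it flags the traits the post describes in "fake president" emails (an executive's display name on an outside or look-alike address, a mismatched Reply-To, and urgent, confidential payment wording). The company domain, the executive directory and the sample message are all assumed or constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumed: display name -> genuine address
# Wording the post associates with fake-CEO requests: urgency, payments,
# secrecy, and the supposed sender being unreachable for verification.
URGENCY = re.compile(
    r"\b(urgent|immediately|wire|transfer|payment|confidential|cannot be reached|unavailable)\b",
    re.I)

def looks_alike(domain: str, legit: str) -> bool:
    """Same length and at most two differing characters, e.g. examp1e.com vs example.com."""
    return (domain != legit and len(domain) == len(legit)
            and sum(a != b for a, b in zip(domain, legit)) <= 2)

def whaling_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons a message looks like CEO impersonation (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    indicators = []
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr != genuine:
        indicators.append(f"display name '{name}' matches an executive but address is {addr}")
    if domain and domain != COMPANY_DOMAIN:
        kind = "look-alike" if looks_alike(domain, COMPANY_DOMAIN) else "external"
        indicators.append(f"{kind} sender domain {domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        indicators.append(f"Reply-To {reply_to} differs from From address")
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        indicators.append("urgency/payment language: " + ", ".join(hits))
    return indicators

# Constructed sample message (not a real email), typed in the style the post describes.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@examp1e.com
To: accounts@example.com
Subject: Urgent confidential transfer

I am travelling and cannot be reached by phone. Please wire the payment
to the account below today and treat this as confidential.
"""

if __name__ == "__main__":
    for reason in whaling_indicators(SAMPLE):
        print("FLAG:", reason)
```

Any flagged message would be held for out-of-band verification with the named executive, which is exactly the step the awareness training asks staff to take.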
Here’s a possible course of action:
- Test your staff’s vulnerability to phishing attacks with the Simulated Phishing Attack: assess your staff’s ability to detect a malicious email campaign.
- Improve their ability to recognise a whaling attack before it’s too late with the Phishing Staff Awareness e-learning course: developed for non-technical staff in non-technical language, it shows how phishing attacks work, the consequences your staff and your company face, and how to avoid the bait.
An informed staff is a secure staff. Invest in your staff awareness e-learning course now >>