In January, the CEO of European aerospace manufacturer FACC fell victim to possibly one of the worst cyber phishing attacks in history. It was later discovered that €50 million had been stolen. That’s a whopping amount of dough.
Spear Phishing + Executives = Whaling
If you’re unfamiliar, FACC and other organizations that have lost exorbitant amounts of cash have fallen victim to whaling. This growing security threat uses personalized spear phishing attempts aimed specifically at high-level executives at companies to gain access to sensitive company data–or, in this case, loads of cash. Lewis Morgan of the IT Governance European blog surmised that this spear phishing campaign caused some upper-level executive to commit wire fraud. And he’s probably right.
Not much information is given about who did what. At the end of the day, nobody needs to name and shame — the significant damage is already done. What we do know, however, is that the CEO lost his chair on the board. We also know that the employee in the finance department and her supervisor have been canned.
Humans are the greatest threat to security, whether computer security or financial security, and with the rise of social engineering, phishing attacks are on the rise too, especially those that take advantage of companies with enough financial resources to send a hacker into early retirement. Mimecast reported in Q1 of 2016 that among 436 IT experts in the US, UK, South Africa, and Australia, 67% had seen an increase in attacks designed to provoke a company employee into paying for services, and 43% saw an increase in requests for proprietary and highly confidential information.
In fact, let’s take a look at some more historical whaling moments:
- In April of 2015, it was revealed that budget airline Ryanair fell victim to a €4.6 million scam with the money going into Chinese hands.
- Xoom, the online wire transfer provider, announced in January of 2016 that it had lost $30.8 million as a result of employee impersonation and fraudulent requests targeting the financial department at the company. Its CFO resigned in response.
- Ubiquiti Networks, a wireless networking company, revealed last summer that it is out $46.7 million thanks to a spoofed email sent to a company executive to initiate an unauthorized wire transfer.
- Mattel was scammed out of $3 million because an overeager new employee wanted to impress his new “boss” who wasn’t.
- Snapchat handed over employee payroll information when its payroll department received a fraudulent request for it, and simply obliged.
It’s important to be mindful of each and every email that comes into your inbox. And that means giving appropriate attention to them. If someone asks for a lot of money via email, think twice — after all, how many people are actually requesting millions of dollars?
So the company punishment for FACC may have fit. You can’t fix Stupid but you can fire Stupid. (You can also be sure that Stupid will never do that again, but it may be a little too late!)
The firing of both the employee and her supervisor also sets an important precedent: any type of request for sensitive information or finances, especially of a significant amount, should go through an agreed-upon two-person approval process. A supervisor should always sign off on such transactions.
If we had Bart Simpson writing on a chalkboard, we’d have him and every employee at these large companies write this on a chalkboard 101 times:
I will never give wire transfer instructions by email without calling you personally.
But we’ll have to settle for you saying that out loud to each potential requester–at least twice.
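As an added example (not code from the original post, and not FACC’s or any named company’s actual process), here is a small Python policy check that encodes the two rules above: a second, different person must sign off on every wire, and instructions that arrived by email are never acted on until the requester has been called back on a number the company already had on file, not one supplied in the email. The field names, sample requests, amounts and people are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Illustrative wire-release policy. Nothing here is a real company's workflow;
# every name and amount below is constructed.


@dataclass
class WireRequest:
    request_id: str
    amount: float
    currency: str
    instructions_channel: str           # how the payment details arrived: "email", "phone", "in_person"
    requester_claimed: str              # who the message says it is from, e.g. "CEO"
    prepared_by: str                    # finance employee entering the transfer
    approved_by: Optional[str] = None   # supervisor who signed off, if anyone
    callback_verified: bool = False     # preparer reached the requester by phone before release
    callback_number_source: Optional[str] = None  # "directory" (known-good) or "email" (untrusted)


def policy_violations(req: WireRequest) -> List[str]:
    """Return every reason the transfer must NOT be released. An empty list means it may proceed."""
    problems: List[str] = []

    # Two-person rule: someone other than the preparer must sign off on every wire.
    if req.approved_by is None:
        problems.append("no supervisor approval")
    elif req.approved_by == req.prepared_by:
        problems.append("preparer approved their own request")

    # Out-of-band rule: emailed instructions are confirmed by a call placed to a
    # number the company already had; a number taken from the email proves nothing.
    if req.instructions_channel == "email":
        if not req.callback_verified:
            problems.append("email instructions not confirmed by phone call")
        elif req.callback_number_source != "directory":
            problems.append("callback used a number supplied in the email itself")

    return problems


def may_release(req: WireRequest) -> bool:
    """True only when no policy rule is violated."""
    return not policy_violations(req)


# Constructed sample: an email claiming to be from the CEO asks finance to wire money abroad.
# The supervisor signed off, but nobody picked up the phone.
SUSPECT = WireRequest(
    request_id="WR-0001", amount=50_000_000, currency="EUR",
    instructions_channel="email", requester_claimed="CEO",
    prepared_by="finance.clerk", approved_by="finance.supervisor",
)

# Same request shape, but the clerk called the CEO on the number in the company directory.
CONFIRMED = WireRequest(
    request_id="WR-0002", amount=12_500, currency="EUR",
    instructions_channel="email", requester_claimed="CEO",
    prepared_by="finance.clerk", approved_by="finance.supervisor",
    callback_verified=True, callback_number_source="directory",
)

# The caller-ID trap: the "confirmation" call went to a number the email provided.
SELF_CONFIRMED = WireRequest(
    request_id="WR-0003", amount=12_500, currency="EUR",
    instructions_channel="email", requester_claimed="CEO",
    prepared_by="finance.clerk", approved_by="finance.supervisor",
    callback_verified=True, callback_number_source="email",
)

if __name__ == "__main__":
    for req in (SUSPECT, CONFIRMED, SELF_CONFIRMED):
        verdict = "RELEASE" if may_release(req) else "HOLD"
        print(f"{req.request_id}: {verdict} {policy_violations(req)}")
```

The check is deliberately boring: it does not try to decide whether the email is genuine, it only refuses to release money until the two human steps the post asks for have actually happened and have been recorded by someone other than the person who received the email.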
In the meantime, educate yourself and your employees, and while email and online communications are a great way to communicate, it helps to talk to people too. But if all else fails, take this phishing test for yourself and see how well you do. If you or your employees fail, invest in training–or fire Stupid.
Photo credit: Christiaan Colen (and no, whaling attacks don’t give you the decency of a warning like that)