17th April, 2020

Continuing our series of blogs looking at email security, we are going to continue up the food chain again this week and investigate the growing threat of Whaling, also known as CEO Fraud.

Whilst phishing is the casting of a net to catch many people in low revenue scams, and spear phishing targets individuals in higher revenue frauds, whaling takes it to a whole new level: the message targets an individual and appears to come from someone higher up in the business than the target.

An example may be that you are in the finance department of a legal firm and you receive an email from one of the partners asking you to quickly pay an invoice that has slipped through the cracks.

It’s an invoice from the financial firm that is assisting in a case for one of the company’s high-profile commercial clients, and we must do everything we can to keep them happy. And that means paying the bill and paying it now! So, you log into your banking app and pay the attached PDF invoice.

Unfortunately, the email wasn’t from a partner; it just looked like it was. And the account you have paid the money into? Not the financial firm assisting with the case.

So how do we protect against these attacks? It’s a cultural thing more than anything. Encourage a healthy cynicism in your business. This will hopefully lead to staff questioning such requests, with the understanding that they won’t be negatively challenged if they do! If you are a business owner, would you prefer a member of staff questions you over a request, or would you prefer to lose £10k? Give your staff the freedom and confidence to pick up the phone and ask the question.

You may wish to consider flagging all emails that come in from outwith your organisation. A flagged email from the CEO upstairs will show it wasn’t sent from the CEO upstairs. In tandem with this, your IT department or support company could assist you in running an internal campaign to identify those team members that need educating on what to look out for.

A final idea may be to make a change to your procedures. Whereas at present you may only require one person to sign off a payment, increase this to two. Two heads often prove better than one, and you are doubling your chances of spotting a fake email and saving the business from making a payment it shouldn’t.

If you need further advice on how to protect against all manner of email scams, please don’t hesitate to get in touch.