Phishing and Whaling: The Art of the Cyber Con

You just received an email from your CEO with instructions for an urgent wire transfer from your company’s account. Quick – what’s your next step?

Over $1.2 billion has been swindled from businesses in the past 12 months by con artists using this kind of scam. Business email compromise (BEC) can occur in several ways, but it usually ends with a wire transfer of funds.

BEC is successful because the emails appear to be sent by individuals who are in a position to request wire transfers or who have the authority to approve financial transactions of this kind. Information about the company's officers, or others with that authority, can be gleaned from business filings and social media websites. This is a form of phishing known as whaling, because the criminals target top executives and gather as much information as possible to make the swindle look legitimate.

Cybercriminals may also take over a company's email server and monitor traffic to watch for payment-related emails, so that they can create a convincing forgery or use a counterfeit domain that resembles the targeted victim's email address or website.
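The counterfeit-domain trick above is one that a mail gateway or inbox rule can check for automatically. The following added example (not code from the original post) flags From: addresses whose domain is a near-match of the organisation's own; the trusted domain `examplecorp.com` and the sample headers are constructed placeholders.

```python
"""Flag sender domains that are look-alikes of an organisation's own domain.

Added example; the trusted domain 'examplecorp.com' and every header value
used below are constructed placeholders, not real addresses.
"""
from email.utils import parseaddr

# Character swaps commonly used to forge look-alike domains; undone before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "cl": "d"}


def normalise(label: str) -> str:
    """Lower-case a domain label and collapse common look-alike substitutions."""
    s = label.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted_domains) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value.

    Legitimate subdomains (mail.examplecorp.com) must be listed explicitly in
    trusted_domains, otherwise they are reported as look-alikes.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "external"                      # malformed or empty address: never trust
    domain = addr.rsplit("@", 1)[1].lower()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    for t in trusted:
        label, t_label = domain.split(".")[0], t.split(".")[0]
        if normalise(label) == normalise(t_label):   # exarnplecorp.com, examp1ecorp.com
            return "lookalike"
        if edit_distance(domain, t) <= 2:            # examplecorp.co, examplecrop.com
            return "lookalike"
        if t_label in domain.replace("-", "").replace(".", ""):
            return "lookalike"                       # examplecorp-payments.com
    return "external"
```

A message classified as "lookalike" should be held for the same out-of-band verification the post recommends for urgent transfer requests; an "external" address carrying an executive's display name deserves the same treatment.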

Creating a convincing fake is only part of the equation – we are the other. Social engineering, knowing how to hack the human and exploit our weaknesses, is what clinches the con.

Sometimes it's our desire to help others that leads us into trouble; why else would we want to help a Nigerian prince transfer money to save his country, or wire money to a friend who is travelling abroad and has lost all their cash, even though we know he has never set foot outside his Granny's flat? We also tend to follow the herd, and to succumb to fear, loneliness, greed or hubris. Any of these emotions can be successfully played upon by a cyber con artist.

Recognizing a con can be difficult – that’s why it’s critical to have processes in place to stop the con.

For businesses, examine the controls you have in place and make sure they are adequate to prevent this type of scam. For example:

  • There should be two or more people required to approve any wire transfers.
  • Accounting staff should engage new vendors in two-way communications to verify they are legitimate.
  • There must be a set of rules for handling urgent requests for information or wire transfers. Even if it appears that the CEO is sending you a direct email ordering you to take immediate action, you must escalate the request up your chain of command.
  • Make sure everyone in your organization feels confident about their role in preventing this fraud. When the helpdesk is asked for a password reset, they should ask a series of questions that only internal employees will be able to answer, to verify the caller's identity. When the front office receives an urgent call purportedly from an executive, they should be able to explain why they are not able to comply with that request. And they can remind the 'executive' that they should know the procedures too.
For individuals:
  • Remember that con artists are trying to gain your confidence, to establish trust and get you to divulge information that can be used to compromise your security. Don't overshare with strangers.
  • If you receive a phone call or email that includes a plea or demand for assistance or information, tell the caller you don't accept phone solicitations – ever – and hang up. Don't respond to such emails; delete them.
  • If you are unsure – always err on the side of caution and don’t respond.
