Whaling and other phish tales

By Laura Haight
Originally published as the Digital Maven in Upstate Business Journal

There are always bigger phish in the sea. And after a very successful 2016, this could be the year they circle our boats.

We’re talking about whaling, also known as CEO fraud, a new and very successful high-stakes cyberscam that preys on a vulnerability every business has, regardless of IT acumen or budget – human nature.

There are many variations of whaling, but here’s a common scenario: Jane, a mid-level staffer in accounting, receives an email from the company CFO – her boss’s boss. He directs her to provide him with a list of the top 25 clients, including amount billed, name, address, phone number and email address. It’s urgent, as an unplanned partners’ meeting has been hastily scheduled.

What does Jane do? Whalers know that most of the time, Jane will be pleased that the CFO asked her to do this (or, in a larger company, that he even knew her name). Jane will most likely not want to appear confrontational or difficult, so it’s unlikely she’ll go to her boss to check, and even less likely that she’ll reach out to the CFO to confirm.

Jane does it. And, of course, the email is a scam: the address behind the familiar name looks real, but it delivers to the scammer, and so does Jane’s reply. Sensitive company and client data is lost.

Another common technique is to register an email domain that looks like the one belonging to the company being scammed. So if the CEO’s email is laura@mycompany.com, the scammer would create an account for laura@mycornpany.com. Swapping the two letters “rn” for the single letter “m” is likely to go unnoticed, and the address appears real.

How big a bite is whaling taking? The FBI reported in April 2016 (goo.gl/bJTFSd) that US companies lost $2.3 billion to these scams from October 2013 through February 2016, across 17,642 victims. In a single year, the FBI reported a 270 percent increase in whaling reports.

There are several reasons why whaling works: it’s personal in nature, the requests are often normal business functions such as processing an invoice, making a wire transfer or producing a client report, and the language is tailored to the recipient and the message. There is none of the boilerplate (“Hi. I thought you’d find this interesting”) that we have been trained to be suspicious of.

The whaler’s emails may even ask how your weekend was or if you enjoyed the holiday. And they will always be personalized to the receiver.

Software developers and cybersecurity specialists are working on tools to help harpoon whaling emails before they reach Jane, but there’s a problem: quarantining every message that mentions terms like W-2 or wire transfer will trap a lot of minnows in a very large net.

As with most cybersecurity, a three-pronged defense is required. Hardware and software working together to screen email for common risk indicators, and to quarantine messages that show a high number of them, are two important elements, but they will ultimately fail without the third: trained people.

Here are three things employees should be trained to know and to do. The most vulnerable to whaling are those in accounting and finance departments, but phishing attacks, which often end with ransomware demands, can start with any chink in the armor, at any level of your company.

Identify where an email really comes from.
Whaling emails succeed because people overlook the header. A quick glance at the “From” field shows the name Laura Haight, which they recognize, so they read on. Employees need to know how to find the actual email address behind that display name, and be trained to really look at it. Our minds often see what they expect to see (goo.gl/GwJzVO), which is why a simple substitution of a letter or two goes unnoticed in a false-flag email address (it is also why we can’t catch our own typos).

Be skeptical, get confirmation.
Whalers know that we avoid personal contact, preferring a quick email to a phone call. We are also most likely to email the sender back by hitting “Reply”, and that reply goes directly back to the whaler, whatever the “From” field says. Instead, employees should be trained to ask for confirmation by creating a new email to the executive’s address as it appears in the company address book, or by calling a number they already know.
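
The checks described here and in the look-alike domain example above (laura@mycornpany.com) can be written down as a small filter. The script below is an added illustration, not part of the original column: it assumes a corporate domain of mycompany.com and a tiny directory of executives, runs over three constructed sample messages (none are real mail), and flags a familiar display name on an unfamiliar address, a domain that imitates the real one after folding confusable letters or within one edit of it, and a “Reply-To” that would send Jane’s confirmation somewhere other than the apparent sender. The confusable table and the one-edit threshold are illustrative choices.

```python
import email
from email.utils import parseaddr

# Assumptions for this example (not from the article): the legitimate domain
# and a tiny directory of executives keyed by lowercase display name.
CORPORATE_DOMAIN = "mycompany.com"
DIRECTORY = {"laura haight": "laura@mycompany.com"}

# Character sequences attackers swap for look-alikes, e.g. "rn" for "m".
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}


def normalize(domain):
    """Fold visually confusable sequences back to the letters they imitate."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(domain, legit=CORPORATE_DOMAIN):
    """True if domain imitates legit: not identical, but folds to it or sits one edit away."""
    domain = domain.lower()
    if domain == legit:
        return False
    return normalize(domain) == legit or edit_distance(domain, legit) <= 1


def check_message(raw):
    """Return the header red flags a trained reader (or a mail filter) should spot."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    known = DIRECTORY.get(name.strip().lower())
    if known and addr != known:
        # Familiar display name, unfamiliar address: the case Jane overlooks.
        findings.append(f"display name '{name}' is {known} in the directory, but the address is {addr}")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} imitates {CORPORATE_DOMAIN}")
    if reply_to and reply_to != addr:
        # Hitting Reply sends the confirmation here, not to the executive.
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    return findings


# Constructed sample messages for the demo; none are real mail.
LOOKALIKE_DOMAIN = """\
From: "Laura Haight" <laura@mycornpany.com>
To: jane@mycompany.com
Subject: Urgent - top 25 clients for partners' meeting

Jane, I need the top 25 clients with billing and contact details before noon.
"""

REPLY_TO_REDIRECT = """\
From: "Laura Haight" <laura@mycompany.com>
Reply-To: laura.haight@webmail.example.net
To: jane@mycompany.com
Subject: Quick favour

Hope you had a good weekend. Can you process the attached wire transfer today?
"""

LEGITIMATE = """\
From: "Laura Haight" <laura@mycompany.com>
To: jane@mycompany.com
Subject: Q1 client report

Thanks for the report, Jane.
"""

if __name__ == "__main__":
    for label, raw in [("look-alike domain", LOOKALIKE_DOMAIN),
                       ("reply-to redirect", REPLY_TO_REDIRECT),
                       ("legitimate", LEGITIMATE)]:
        print(label, "->", check_message(raw) or ["no red flags"])
```

The first sample trips two flags (wrong address for a known name, and a domain that folds to the real one); the second trips only the “Reply-To” check, because its “From” address is the genuine one. That second case is why the display-name and “Reply-To” comparisons matter alongside the domain check: a look-alike domain the scammer registered and set up properly will pass ordinary sender-authentication checks, and a forged “From” with a foreign “Reply-To” looks perfectly normal until someone hits “Reply”.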

Follow procedures.
Internal controls exist to protect you from yourself, as well as from an embezzler or a scammer. If a transfer over a certain amount requires a second signature or a form, insist on getting it. If you get in trouble for following a business rule, you need a new job.

Employees are every company’s most important line of defense. Few probably feel that way. But when an employee does the right thing, companies need a mechanism to thank or reward them. That will help build a culture that encourages everyone to do the right thing.

Technology tools are definitely an asset. But no system will detect every bad email. Eventually one will get through and one is all it takes. Only an empowered and trained employee can protect you from that.
