Imagine finding out that the recent bank transfer you made on the CEO’s orders didn’t come from them at all. Instead, you were conned into sending money to criminals. This is known as executive phishing, or “whaling”, which often targets businesses in the tech industry.
In this article, we will find out what executive phishing is, compare it to other phishing techniques, and consider how you can protect your business.
What Is Executive Phishing?
If you received a suspicious message claiming that you’re the beneficiary of a small fortune, then scam artists may have already targeted you in a general phishing attack.
They use social engineering tactics, such as phishing, to bait people into sharing their personal details. These are then misused in a variety of ways: sold on, used to reach the victim’s contacts, or used to empty their bank account.
Executive phishing is the corporate version of this. The attackers target business leaders and, instead of trying to steal their personal money, they try to gain access to their organization’s wealth.
They do this, for example, by sending links that take the victim to a site that silently downloads and installs malware on the target’s devices, while pretending to be local authorities who require their cooperation or impersonating other members of the executive team.
In 2015, popular toy-making company Mattel nearly lost $3 million in a whaling incident. One of their high-level executives received an email from the fraudsters claiming to be the company’s newly appointed CEO. The email explained that he needed to make an urgent wire transfer to a new vendor—which he did.
Fortunately, a bank holiday prevented the transfer from going through immediately, and it was spotted and canceled in time. However, the incident demonstrated how exposed the company was to executive phishing.
Spear Phishing Attacks Are Different from Whaling Attacks
You can classify phishing attacks based on who they target. In order to understand executive phishing better, it’s important to know what general phishing and spear phishing are. Have a look at the table below for a quick comparison:
Spear phishing and whaling both target individuals based on unique information that’s known about them. However, the former targets an individual or a group of individuals of a similar profile, while the latter aims at a high-ranking executive in an organization as a pathway to the business.
How Can Executive Phishing Impact Your Business?
If your business is targeted by con artists, it has the potential to bankrupt you. These are the immediate consequences of executive phishing:
1. Financial loss
The main goal of phishing scams is to make a profit. Fraudsters will take any avenue available to them to convince an executive to transfer funds to their bank accounts.
Austrian airplane component manufacturer FACC lost $61 million to executive phishing in 2015. This was achieved by a single email that impersonated the CEO requesting money for an “acquisition project”.
If you’re fortunate enough to be saved by a technicality, such as a bank holiday, you may still lose money from the other consequences. For example, if your company’s reputation is damaged, other businesses may not want to be associated with you.
2. Loss of trade secrets
High-ranking executives typically have access to trade secrets, which makes them vulnerable to executive phishing attacks.
If a scam artist can convince them to give away their access credentials or click on a seemingly harmless link and install malware on their device, they can steal these trade secrets.
The major threat here is the theft or exposure of private customer information, which can be sold on the dark web or misused in other scams directly.
Software businesses are also vulnerable to this, since they may need to safeguard their unique source code, which is readily available on their computers. Fraudsters can sell these trade secrets to the highest bidder or blackmail the company for its safe return.
3. Reputational damage
Some incidents of executive phishing attacks go unreported because companies are scared of what might happen to their reputation.
In 2020, a hedge fund company called Tessian became a victim of whaling. Its cofounder clicked on a spoofed Zoom link, which installed malware on their device. The scam artists then used their access to create fraudulent invoices, of which $800,000 was paid to them.
This isn’t as large of a financial loss as other cases, but shortly after this went public, they lost their largest client and were forced to shut down permanently.
4. Operational disruption
Even if your company manages to survive the initial financial loss of an executive phishing attack, its usual day-to-day operations will still be disrupted. This means that several departments may have to temporarily change their focus.
Sophisticated phishing attacks, like whaling, are sometimes part of a more complex malicious campaign that involves multiple stages. The endgame could be that the company is completely crippled because its data has been encrypted and won’t be released unless a ransom is paid.
Depending on company size, the financial losses from downtime can run into millions per day, and the reputational damage could be catastrophic.
5. Potential lawsuits
Executive phishing may also lead to costly legal battles if your company is found to have been negligent, with insufficient data protection measures. These can carry on for years and ruin your reputation further.
In 2016, Seagate Technology—an American data storage company—lost the personal data of 10,000 employees through an executive phishing incident. This resulted in a class action lawsuit, in which the company was accused of carelessly handling personal data.
In another case, French film group Pathé lost $22 million when their business emails were compromised by fraudsters. The company decided to fire both the CFO and the CEO, who were involved in the incident. However, the two executives retaliated by taking the company to court for unfair dismissal—and won.
Both of these companies continued to lose money after the phishing attacks, and the lawsuits caused severe reputational damage.
Get a free phishing security test
If you want to do a free phishing security test, have a look at our article that suggests 6 best practices you can apply today to protect yourself and your company.
How to Identify a Whaling Attack
A whaling attack can destroy your business. You need to make sure that you’re equipped to identify these executive phishing attacks so that you can avoid them.
When you receive communication from a high-level colleague, you should take the following steps before clicking on any links or transferring funds:
1. Confirm the sender
It’s easy to overlook the email address that a mail is coming from—and this is exactly what fraudsters hope for.
They know that “r” and “n” next to one another (“rn”) can easily be mistaken for an “m”. They use this trick to create lookalike email domains, such as email@example.com, and convince their recipients to click on a dangerous attachment.
Before you click on anything in an email, make sure that the correct email address has been used. Don’t let legitimate-looking logos convince you that it’s a legitimate email—make sure it really is.
2. Double-check the subject line
Executive phishing relies on urgency to convince the recipients to take immediate action. For example, you may receive an email stating that the company is being sued and you need to immediately pay a settlement to resolve the matter.
This means that the subject lines will usually contain some kind of warning words, such as “important” or “urgent”. Con artists may also try to add familiarity by including “Fwd” or “Follow Up”, which gives you the impression that you already know the sender.
3. Inspect the attachments before clicking on them
If an attachment has made its way to your inbox, it doesn’t mean that it’s harmless. Criminals can easily hide malicious software in a range of file types, such as Word documents and Excel spreadsheets.
Before you click on an attachment, make sure that you are certain you know the sender. You should also scan documents with your antivirus software before you open them.
4. Scrutinize the content of the email
If the email contains personal information, such as references to your partner and children, it doesn’t automatically mean that it’s from a trusted party.
You may have recently posted about your family on your social media accounts, and fraudsters can use this information to make you feel comfortable acting on an email.
5. Speak to a real person
If you have gone through all the previous steps and you’re still feeling uneasy about an email, it’s best to reach out to the sender directly.
Instead of responding to the email, phone the sender. They will quickly confirm whether they sent the email or not, and you will have peace of mind if you then go ahead and act on their emailed instructions.
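The five checks above can be turned into a first-pass triage that a mail gateway or a helpdesk script runs before a human looks at the message. The script below is an added example written for this article, not code from the original post or from GoodAccess. It flags a lookalike sender domain (the “rn” versus “m” trick, plus a few other common character swaps), urgency words and forwarded-thread cues in the subject line, and attachment types that commonly carry macros or executables. The trusted domain example-corp.com and the two sample messages are constructed for the demonstration; the final step, phoning the sender, stays with a person.

```python
"""Heuristic whaling-email triage (added example, not from the original article)."""
import re
from email.message import EmailMessage, Message

# Hypothetical organisation domain; replace with your own.
TRUSTED_DOMAINS = {"example-corp.com"}

URGENCY_WORDS = {"urgent", "important", "immediately", "asap", "settlement", "overdue"}
FAMILIARITY_PREFIXES = ("fwd:", "fw:", "re:", "follow up")
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".zip", ".exe", ".js", ".html", ".iso"}

# Character substitutions used to build lookalike domains. Normalising both the
# observed domain and the trusted ones with the same map exposes the confusion.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalize_domain(domain: str) -> str:
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(msg: Message) -> str:
    """Domain part of the From header (empty string if none is present)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def is_lookalike(domain: str) -> bool:
    """True when the domain is not trusted but normalises to a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    return normalize_domain(domain) in {normalize_domain(t) for t in TRUSTED_DOMAINS}


def attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(msg: Message) -> dict:
    """Apply the article's checks and return the findings with a simple count."""
    domain = sender_domain(msg)
    subject = (msg.get("Subject") or "").lower()
    findings = []
    if is_lookalike(domain):
        findings.append(f"lookalike sender domain: {domain}")
    elif domain and domain not in TRUSTED_DOMAINS:
        findings.append(f"external sender domain: {domain}")
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency wording in subject")
    if subject.startswith(FAMILIARITY_PREFIXES):
        findings.append("forwarded/reply cue in subject")
    for name in attachment_names(msg):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return {"sender_domain": domain, "findings": findings, "score": len(findings)}


def constructed_sample() -> EmailMessage:
    """Constructed sample: CEO impersonation from a lookalike domain with a macro file."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@exarnple-corp.com>"
    msg["To"] = "cfo@example-corp.com"
    msg["Subject"] = "Fwd: URGENT wire transfer for acquisition project"
    msg.set_content("Please process the attached payment instructions today.")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="payment.xlsm")
    return msg


def constructed_benign() -> EmailMessage:
    """Constructed sample: an ordinary internal mail that should score zero."""
    msg = EmailMessage()
    msg["From"] = "CEO <ceo@example-corp.com>"
    msg["To"] = "cfo@example-corp.com"
    msg["Subject"] = "Q3 budget notes"
    msg.set_content("Notes from today's meeting are in the shared drive.")
    return msg


if __name__ == "__main__":
    for sample in (constructed_sample(), constructed_benign()):
        result = triage(sample)
        print(result["score"], result["findings"])
```

The score is a count of independent signals, not a verdict: the constructed impersonation mail trips all four (lookalike domain, urgency, forwarded cue, macro-enabled attachment), while the benign one trips none. In practice the lookalike check is the one worth tuning first, because a message that passes the other three but comes from a domain that only matches after normalisation is exactly the case the article’s “rn” versus “m” warning describes.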
Protect Your Company’s Sensitive Data
Besides educating yourself on executive phishing attacks, you need to make sure that your company isn’t targeted through another individual.
There are several steps you can take to achieve this. Here are four of the most important actions you can take to protect your company against whaling:
- Educate your entire company on executive phishing, spear phishing, and general phishing. Host awareness training sessions and invite speakers to further explain to employees and your executive team how they can protect themselves and the company.
- If your business is predominantly online, you need to make sure that employees use multi-factor authentication when they access business platforms. This means that when they log in, they will have to confirm their identity—usually through their phones.
- Passwords are often stolen and, if an employee uses the same passwords at home and at work, then fraudsters may be able to access their secure files. Set up a password policy in your office and make sure that passwords are changed each quarter.
- Deploy a web/DNS filter to prevent access to phishing sites, malware-hosting sites, or otherwise disreputable domains.
How a Business VPN Can Protect Your Business
In spite of having security protocols in place, accidents can still happen. It just takes one high-level employee to mistake suspicious emails for legitimate ones for the whole company to be affected.
It’s in every company’s best interest to take extra precautions—especially if they’re in the software industry and have remote workers.
A VPN (virtual private network) allows your business to keep its communication and data private by establishing a secure connection between your computers and company systems over the Internet.
Communicating over secure encrypted connections significantly reduces your attack surface on the internet, making it harder for fraudsters to intercept sensitive information that can be misused in malicious attacks.
Mature VPN services also include additional security measures like multi-factor authentication (MFA), which bars access to the adversary even if access credentials do get stolen.
Another useful security measure you may find among VPN services is a DNS filter, which blocks access to malicious sites in case an employee clicks on a link in a spoofed email.
GoodAccess can provide a VPN for your entire team, regardless of where they’re based. This is the best way to deter con artists from choosing your business for whaling. Sign up for a free trial.
Executive phishing attacks mean that your entire business could be put at risk with the click of a button. You could face reputational damage, financial loss, and ongoing lawsuits.
However, executive phishing attacks are preventable. With the right knowledge and tools, you can make sure that your business remains untainted by criminals trying their luck with your executives.
You can start a free trial with GoodAccess, where you will have access to all the paid-for tools, such as a strong VPN.