April 2017 Update: Scammers are accelerating their use of this cyber swindle and expanding its use beyond the corporate world. The IRS is warning restaurants, schools, nonprofits, hospitals and other sectors to be vigilant.
If you’ve read Moby Dick, you might remember Melville’s reference to an all-destroying but unconquering whale.
Well, whales and whaling have made a 21st century comeback — migrating from the sea to the business office, where they have proven to be just as dangerous and destructive to the unwary.
In the modern sense, whaling refers to a form of business-focused cybersecurity threat that has harpooned the likes of Snapchat, Moneytree and Seagate Technology (employee payroll information), Ubiquiti Network ($46 million) and The Scoular Co. ($17 million). The list goes on. In fact, the FBI has estimated that nearly one in ten targets actually become victims.
Whaling — sometimes referred to as CEO scam, C-level fraud or business email compromise (BEC) — is a form of cyber swindle that targets a business’s accounting, finance, HR or payroll operations.
What a Whaling Scam Looks Like
Unlike most cybersecurity threats, there’s typically no malicious attachment to open or dangerous link to click on in a whaling scam.
Instead, an employee in the target company receives an email that appears to be from someone in authority, most often the company’s CEO or CFO (big fish, i.e. whales). The message asks that the employee wire or otherwise release funds or provide payroll or tax information, usually on an urgent basis that seems to require quick action.
The email appears legitimate as the sender’s address may only have one letter or digit that differs from the legitimate email address.
How many of us question a request or verify a message from the boss, especially when it sounds urgent? Whaling scams rely on the fact that we often don’t.
How to Protect Your Business
To prevent becoming a victim of whaling, the most important thing you can do is to educate your employees on the existence of whaling scams and urge them to be diligent.
Ask that employees always verify any email message that requests a nonroutine or out-of-normal-channels disbursement of funds — especially via wire transfer — or the release of payroll or tax information. Contact the sender of the message directly to ensure its legitimacy.
Also, encourage employees to check the sender’s email addresses carefully when the message requests funds or personal information.
Tools That May Help
If you’re ready to make an anti-whaling investment, there are a number of software companies that have developed or are developing tools to intercept and hopefully prevent whaling and other email scams.
Protect yourself from whaling schemes by staying in the know.