6 tips to foil a whaling scam
February 11, 2019
Accounting firms are vulnerable to whaling scams, where cybercriminals impersonate a senior executive.
Whaling scams are subtle, low-tech attacks on senior people in a business that can cause significant financial loss. They aim to trick an unsuspecting employee, often a high-profile person in the company, to transfer money or send sensitive business data.
The term “whaling” refers to the seniority of the victim, and in a typical whaling scam, a CEO receives an email that appears to be from the CFO, asking the CEO to approve a large invoice or provide banking details.
In reality, the scammer has infiltrated the accounting firm’s IT system and taken over the CFO’s email account. To the CEO, however, it looks like a genuine request.
Cybercrime scams cost business
Data from cyber security firm Trend Micro shows Australia was one of the top two countries for business email compromise attempts in October 2018. The research also found CEOs and managing directors – the whales – continue to be the top two positions cybercriminals impersonate in these scams.
“The accounting industry can be a lucrative target for whaling and business email compromise scams, given the level of sensitive financial data it holds,” warns Mick McCluney, technical director, Trend Micro ANZ.
“An organisation’s best defence is to educate executives and employees at all levels of the business on how to identify these scams and make sure formal processes are in place to report scams once they are suspected. These systems are essential when authorising banking details on invoices, for instance,” he adds.
McCluney says whaling scams are often hard to detect because the emails usually do not have an attachment or URL link, which employees are trained to recognise as being suspicious.
Here are six tips to help all staff avoid falling prey to a whaling attack.
1. Show people what a scam looks like
Refer to resources such as the Australian Competition and Consumer Commission’s Scam Watch website to find out about the latest scams.
“Remind staff to be vigilant when scrutinising any invoice they may receive. Staff are often very familiar with certain regular payments or account details. So be aware if an invoice comes through that has unfamiliar information on it,” warns Kevin Tran, a director of ethical hackers Trustwave SpiderLabs APAC.
Picking up the phone and calling the party named on the invoice is another way to ensure it is bona fide.
2. Stage simulations to help prevent an attack
Phishing simulations should test employees on how to spot these scams and avoid attacks. This allows the business to check how susceptible staff are to paying invoices when they shouldn’t, or revealing sensitive business data.
“Also, double check any change of details with suppliers,” says McCluney.
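As an added illustration of the "double check any change of details" advice above (example code written for this page, not code from the article, Trend Micro or Trustwave; the supplier record, phone numbers and invoices are constructed), this check compares an incoming invoice's bank details against the firm's supplier master file and, on any change, directs staff to call the number held on file rather than the one printed on the invoice.

```python
from dataclasses import dataclass

# Constructed supplier master file: the bank details and callback number the
# firm recorded when the supplier was onboarded. The phone number kept here,
# not any number printed on an incoming invoice, is the one used to verify.
SUPPLIER_MASTER = {
    "SUP-001": {"name": "Acme Stationery", "bsb": "062-000",
                "account": "12345678", "phone": "+61 2 9000 0000"},
}


@dataclass
class Invoice:
    supplier_id: str
    bsb: str
    account: str
    amount: float
    contact_phone: str  # number printed on the invoice; never used for callbacks


def check_invoice(inv: Invoice, master=SUPPLIER_MASTER) -> dict:
    """Compare an invoice's payment details with the supplier master record.

    Returns a decision dict with status 'ok', 'unknown_supplier' or 'verify',
    the reasons for that status, and the callback number to use (always taken
    from the master record, so a scammer cannot supply their own number).
    """
    rec = master.get(inv.supplier_id)
    if rec is None:
        return {"status": "unknown_supplier", "callback": None,
                "reasons": ["supplier not in master file"]}
    reasons = []
    if inv.bsb != rec["bsb"]:
        reasons.append(f"BSB changed {rec['bsb']} -> {inv.bsb}")
    if inv.account != rec["account"]:
        reasons.append(f"account changed {rec['account']} -> {inv.account}")
    if inv.contact_phone != rec["phone"]:
        reasons.append("contact number on invoice differs from master record")
    if reasons:
        # Hold payment until a staff member confirms by phone, using rec["phone"].
        return {"status": "verify", "callback": rec["phone"], "reasons": reasons}
    return {"status": "ok", "callback": None, "reasons": []}
```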