12 Nov 2018

Whaling is Flourishing, a $5 Billion Hacker Lottery


Harpooning whales is (in most of the world) a thing of the past. This is good for the kind-hearted. But in the cyber world, harpooning “whales” is a thriving and fantastically profitable criminal profession.

Who is doing the whaling? Sophisticated hackers start by purchasing your information from marketing companies and LinkedIn recruiter tools. They then use basic automation tools to lure “whales” into replying to an email that contains no links and looks like a normal short message exchanged among business staff. Because there is nothing to click and the message asks for no immediate action, this is a far more advanced form of the traditional “spear phishing” cyber lure. In a whaling cybercrime, someone on your staff receives and responds to one of these simple-looking emails; in many cases the exchange ends with a new (fake) vendor being added to the payment system, an existing vendor’s payment details being changed by staff to an impostor’s address or account, or staff unknowingly sending a one-time payment for an important “urgent” matter straight to the cybercriminal.
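As an added illustration (not RPost’s code, and not a description of how RMail’s detector works), the Python heuristic below flags the lure traits described above in a raw email: an executive’s display name on an external sender address, a Reply-To pointing at a different domain, a payment or banking request with nothing to click, and pressure wording. The internal domain, the protected name list and the sample message are assumed and constructed, not taken from any real incident.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation data (hypothetical); load from your directory in practice.
INTERNAL_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}   # executives whose names are likely to be spoofed

PAYMENT = re.compile(r"\b(wire|invoice|payment|banking details|account number)\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|today|immediately|confidential)\b", re.I)
LINK = re.compile(r"https?://", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw_message: str) -> list[str]:
    """Return the lure traits present in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = []
    # An executive's display name on a message that did not originate inside the company.
    if name.strip().lower() in PROTECTED_NAMES and _domain(addr) != INTERNAL_DOMAIN:
        hits.append("executive display name on an external sender address")
    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != _domain(addr):
        hits.append("Reply-To domain differs from From domain")
    # The whaling pattern described above: money or banking talk with nothing to click.
    if PAYMENT.search(text) and not LINK.search(text):
        hits.append("payment or banking request with no links to inspect")
    if URGENCY.search(text):
        hits.append("pressure language")
    return hits


# Constructed sample lure, not real traffic (lookalike domain is made up).
LURE = """From: Jane Doe <jane.doe@examp1e-mail.com>
To: accounts@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need a wire payment processed today for a new supplier.
Let me know and I will send the banking details. Keep this confidential.
"""
```

Run `whaling_indicators(LURE)` to see the three traits the sample lure triggers; a routine internal message with a link and no money talk returns an empty list.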

Who are the whales? YOU: anyone who, along with their peers and staff, can pay an invoice or ask someone to pay one, or who controls payment, human resource and/or payroll data.

In 2016, RPost developed the first anti-whaling detection service, which runs inside Microsoft Outlook when the RMail email security add-in is installed. The anti-whaling technology is enabled by default at no extra cost. At that time, the FBI reported $1 billion lost in the United States alone from people mis-wiring funds or mistakenly paying invoices arranged by the cybercriminals. Recently, the SEC reported a more than 500% increase in lost money: astonishingly, more than $5 billion has now been “mis-wired”, normally never to be recovered.

When people see big numbers like “billions”, their eyes sometimes glaze over and they assume they are not at risk. Consider, however, that the FBI reports these crimes (which it calls Business Email Compromise) cost victims an average of $6,000 per incident for individuals and $130,000 per incident for businesses. This is real money for most people, and for most small businesses it can certainly strain budgets.

Now consider some of the great big blue whales recently harpooned by these cyber lures. The SEC’s recent study looked at actual incidents at public companies and considered whether, in addition to the financial losses, the executives of the tricked companies could be held accountable for a securities law violation for not implementing sound practices effective enough to protect against these lures.

The SEC profiled nine public companies that mistakenly sent at least $1 million each; two sent more than $30 million directly to the cybercriminals. In total, the nine companies mis-wired nearly $100 million to the perpetrators, almost all of which, the SEC reports, was never recovered.

What is scary is that these cybercriminals are so bold that once they get their first harpoon in, they keep harpooning the same whale over and over. Some of the investigated companies were victims of protracted schemes that were only uncovered as a result of third-party actions, such as detection by a foreign bank or law enforcement agency, according to the SEC report. “Indeed, one company made 14 wire payments requested by the fake executive over the course of several weeks—resulting in over $45 million in losses—before the fraud was uncovered by an alert from a foreign bank. Another of the issuers paid eight invoices totaling $1.5 million over several months in response to a vendor’s manipulated electronic documentation for a banking change; the fraud was only discovered when the real vendor complained about past due invoices.”

What makes this so lucrative, like a “hacker lottery” with many million-dollar winners, is that there is no simple all-in-one fix. Email security gateway services may provide some protection, but they cannot block the most common lures that only RMail’s Microsoft Outlook app detects.

One simple measure that every business executive should require, to add essential protection and peace of mind, is to install the RMail for Outlook app. There is no cost for any staff to use the RMail for Outlook app with anti-whaling detection running. Install it for all accounting, finance and human resource staff at the very least; why take the risk? There is only a small cost if users choose to additionally use the RMail email encryption, e-signature, and Registered Email e-delivery proof services. You can install the free RMail for Outlook app with RMail’s Anti-Whaling technology enabled now and protect your organization from whaling attacks.

Those that would like to read more should review the thorough SEC report and the RPost Tech Essentials past blog and video discussing this anti-whaling in more detail.