A whale of a crime: how scammers target managers – and how we can stop them!
Many online fraudsters aren’t very intelligent — think of all those ridiculous, misspelt scam emails that quite literally take you for a fool.
The problem is that we CAN be fooled — by the smarter kind of scammer. These dastardly digital conmen are out in force, snooping into our business and sniffing out our points of weakness. One of their sneakiest schemes is called WHALE PHISHING.
This technique is based on the idea that if your goal is to steal money or sensitive information from a company, then the best people to target are its leaders — ranging from CEOs and CFOs to managers at all levels of the organisation. This is because executives and managers often have the power to authorise immediate external payments and because their computers often contain sensitive company information, which can be stolen and then held to ransom.
So, the whale phisher will start by identifying suitable managers with the power to act unilaterally. Then, they will extract money or data from them by posing as someone important: either a fellow executive or an outside individual or entity, such as a creditor, a client, a law enforcement agency, or a tax authority.
Once they’ve picked their victim, the whale phishers get to work. They might use a trick called email spoofing: impersonating a trusted person by forging the message headers (the sender metadata of the email) to create a fake sender address, so that the message looks perfectly legitimate to the recipient.
When the phishers have already researched the company and its business procedures, they can carefully craft the message to seem plausible.
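To make the spoofing described above concrete for defenders, here is an added example (not from the original article; all addresses, domains and header values are constructed) that scans a received message’s headers for the usual signs of a forged sender: a Return-Path or Reply-To domain that does not match the visible From domain, and a failed or missing SPF/DMARC verdict in the Authentication-Results header stamped by the inbound mail server.

```python
import email
from email import policy
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """Return reasons the visible sender may be forged; [] means the headers line up
    (which does not prove the mail is genuine: a hijacked real mailbox passes)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    # Return-Path is the envelope sender the receiving MTA saw; forged mail is
    # often relayed from a domain unrelated to the displayed From address.
    ret_dom = domain_of(msg.get("Return-Path", ""))
    if ret_dom and ret_dom != from_dom:
        findings.append(f"Return-Path domain {ret_dom} != From domain {from_dom}")
    # A Reply-To pointing elsewhere routes the victim's answer to the attacker.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    # Authentication-Results is added by our own inbound mail server, not the sender.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if not auth:
        findings.append("no Authentication-Results header: SPF/DMARC not verified")
    elif "dmarc=fail" in auth or "spf=fail" in auth:
        findings.append("sender authentication failed: " + auth.split(";", 1)[-1].strip())
    return findings

# Constructed sample: a forged 'urgent payment' mail relayed via an unrelated host.
SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dmarc=fail header.from=example.com
From: "Chief Executive" <ceo@example.com>
Reply-To: <ceo@example-com.net>
To: cfo@example.com
Subject: Urgent wire transfer
"""

# Constructed sample: a genuine internal mail whose headers all line up.
LEGIT = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com
From: "Chief Executive" <ceo@example.com>
To: cfo@example.com
"""
```

Running `spoof_indicators(SPOOFED)` yields three findings (Return-Path mismatch, Reply-To mismatch, DMARC failure) while `spoof_indicators(LEGIT)` returns an empty list; the check is a triage aid, not a replacement for calling the apparent sender back.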
‘Do it now!’
The content of the whale phishing email will often be written to create false urgency or a false threat to the organisation. For example, it might tell the ‘whale’ that the company’s IT system or their own machine has been hacked and that they need to download an anti-malware attachment to block the attack — when in fact, the attachment itself contains the malware. In other cases, the whale phisher will tell the victim that a payment to a (fake) client or creditor needs to be made urgently, or that an online form must be filled out to fulfil an urgent legal process (when in fact, the form will hand confidential information to the attacker).
The anxiety triggered by a fake threat tends to push managers into acting hastily and recklessly: our critical thinking ability is easily switched off by stressful situations. And if you genuinely believe your boss or the law is issuing the fake instruction, you are even more likely to comply without pausing to think.
Deeply fake
The rise of AI technology has given whale phishers a devastating set of tools to impersonate someone that the whale or the whale’s assistant knows — even in live video calls. By harvesting existing video and audio footage of the person they are impersonating, the phisher can create a live ‘deep fake’ filter of that person’s face and voice during a Zoom or Teams call, along the lines of the famous ‘cat filter’ accidentally used by a US judge during a remote court hearing in 2021. The difference now is that these deep fake filters have advanced to a terrifying level of accuracy. In a recent case in Hong Kong this year, a finance worker at a multinational firm was tricked by a series of deep-faked Zoom calls into paying out US$ 25 million to a phishing syndicate.
If you’re asked to do anything urgently, take the time to interrogate the request.
Apply the four eyes principle – find a colleague to offer a second opinion and talk it through. To validate the legitimacy of the instruction, directly contact the apparent sender by calling their mobile, or if necessary, through corporate-managed platforms like Teams, avoiding non-managed mediums such as WhatsApp or Zoom. Ideally, opt for a face-to-face interaction, if at all feasible. It is far better to be late to comply with a real instruction than to get whaled.
When criminals go phishing, you don’t have to take the bait. Think before you click.
Report incidents to our local IT department, or swiftly email our cyber defense team (phishingreport@sappi.com).