Savvy cyber-thieves are hitting up unsuspecting businesses by faking emails from company bosses, stealing millions of dollars along the way. The messages, which BBC News reports appear to come from a company higher-up, target the company’s finance staff. They ask staff to rush a payment through to a supplier, a transaction a chief executive can’t handle because he or she is out of the office.
The practice has been dubbed “whaling” fraud, since it targets one big fish, as opposed to the phishing scams that tend to be aimed at many smaller fish. And whaling fraud has already cost several companies plenty. One case in point is the tech company Ubiquiti Networks, which says it lost $47 million to the scam.
Whaling fraud is also on the rise, according to the security firm BAE Systems. That’s because cyber-criminals have realized they can enjoy a much bigger payday from one focused attack than they can from thousands of smaller attacks.
The emails are sent from domains that are nearly identical to the target company’s own, so a hurried glance at the sender address shows nothing wrong. They are also often timed for when senior executives are known to be out of the office, and the payment is requested directly from finance staff, routing around the company’s normal expense-reporting and payment-approval controls.
The security firm Centrify narrowly avoided falling victim to the scam when one of the finance staff happened to run into a senior manager named in the fake email. The staff member mentioned a wire transfer was being prepared as requested, and the scam was stopped in its tracks.
That didn’t mean the criminals moved on. Scammers continued to hound the finance department to transfer the funds, even as the attempted fraud was in the midst of being reported to the FBI. Centrify CEO and head of security Tom Kemp said the whaling fraud attacks kept coming, with his company as a regular target.
Another Close Call
The UK global information firm NCC Group was also the target of a whaling fraud, receiving emails from a group that had registered the domain “nccgrrouptrust.com,” a name similar to the firm’s actual domain.
A senior member of the firm’s finance team received the email, which requested the finance department oversee a payment for a “professional service expense.” While an NCC Group representative called the attack “agile and potentially viable,” it was caught by the company’s internal controls.
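The near-identical sender domains described above, including the pattern in the NCC Group case (a doubled letter plus an extra word tacked onto the company name), are something a mail filter or a finance-team intake tool can check for mechanically rather than leaving it to a reader's eye. The following is an added example, not code from this page or from any of the firms it names. The company domains, the brand token, the homoglyph table and the sample message headers are all constructed and hypothetical; a real deployment would load the trusted list from configuration and use the public-suffix list to handle multi-label TLDs.

```python
"""Flag inbound mail whose sender domain is a lookalike of our own.

Added example for illustration. TRUSTED_DOMAINS, BRAND_TOKENS and
SAMPLE_MESSAGES are constructed, not taken from the article.
"""
import re
from typing import List, Optional, Tuple

# Hypothetical: the organisation's real sending domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}
# Hypothetical: the brand string a fraudster would try to imitate.
BRAND_TOKENS = {"examplecorp"}
# Character swaps commonly used in lookalike registrations (heuristic;
# "rn" -> "m" can also rewrite legitimate words, so this only *flags*).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalize(label: str) -> str:
    """Lower-case, drop hyphens/dots, fold common homoglyphs."""
    s = re.sub(r"[^a-z0-9]", "", label.lower())
    for glyph, real in HOMOGLYPHS.items():
        s = s.replace(glyph, real)
    return s


def sender_domain(header_from: str) -> str:
    """Extract the domain from a From: header such as 'CEO <ceo@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header_from)
    return m.group(1).lower().rstrip(".") if m else ""


def lookalike_verdict(domain: str) -> Optional[str]:
    """None for our own domain or an unrelated one; otherwise why it looks like ours."""
    if not domain:
        return None
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    # Everything left of the TLD, e.g. 'nccgrrouptrust' from 'nccgrrouptrust.com'.
    # Naive split: a production filter should consult the public-suffix list.
    label = normalize(domain.rsplit(".", 1)[0]) if "." in domain else normalize(domain)
    references = BRAND_TOKENS | {normalize(t.rsplit(".", 1)[0]) for t in TRUSTED_DOMAINS}
    for ref in sorted(references):
        if label == ref:
            return f"homoglyph or wrong-TLD copy of {ref}"
        if damerau_levenshtein(label, ref) <= 2:
            return f"within 2 edits of {ref}"
        # Brand embedded in a longer label with at most one typo,
        # e.g. a doubled letter plus an appended word such as 'trust'.
        for n in (len(ref) - 1, len(ref), len(ref) + 1):
            for i in range(0, len(label) - n + 1):
                if damerau_levenshtein(label[i:i + n], ref) <= 1:
                    return f"contains near-copy of {ref}"
    return None


# Constructed sample headers, not real messages.
SAMPLE_MESSAGES = [
    ("CEO <ceo@example-corp.com>", "Q3 board pack"),
    ("CEO <ceo@examp1e-corp.com>", "Urgent wire to supplier, I am travelling"),
    ("CEO <ceo@examplecorrp-trust.com>", "Professional service expense, please process today"),
    ("Acme Supplies <ar@acme-supplies.com>", "Invoice 1042"),
]


def screen(messages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (From header, reason) for each message from a lookalike domain."""
    flagged = []
    for header_from, _subject in messages:
        reason = lookalike_verdict(sender_domain(header_from))
        if reason:
            flagged.append((header_from, reason))
    return flagged


if __name__ == "__main__":
    for sender, reason in screen(SAMPLE_MESSAGES):
        print(f"HOLD FOR VERIFICATION: {sender}: {reason}")
```

Run against the constructed sample, the two executive impersonations are held and the genuine internal message and the unrelated supplier pass. The output is a hold, not a block: a legitimate partner whose name embeds the brand would also trip the substring rule, which is the right trade-off for a payment request, since the cost of a false positive is a phone call to the named executive, exactly the step that saved Centrify.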
Both large and small companies are targeted in these attacks, according to Ben Johnson, chief security strategist at the security company Bit9. The widespread scams are becoming a huge problem, Johnson said, particularly for smaller companies that don’t have the staff to review or monitor all incoming email.
Keep expense fraud at bay with Chrome River’s travel and expense management software.
Our choice of Chrome River EXPENSE was made in part due to the very user-friendly interface, easy configurability, and the clear commitment to impactful customer service – all aspects in which Chrome River was the clear winner. While Chrome River is not as large as some of the other vendors we considered, we found that to be a benefit and our due diligence showed that it could support us as well as any large players in the space, along with a personalized level of customer care.
We are excited to be able to enforce much more stringent compliance with our expense guidelines and significantly enhance our expense reporting and analytics. By automating these processes, we will be able to free up AP time formerly spent on manual administrative tasks, and enhance the role by being much more strategic.