The increased sophistication of whaling emails has prompted the FBI to issue a warning to high-level executives about the threat from organized BEC scams.

The FBI has warned high-level executives to be on their guard against acting on emails that appear authenticate and request business-critical data or a transfer of funds to a third-party. The warning comes after the bureau identified a 1,300% rise in losses incurred by victims of business email compromise (BEC) scams.

The alarming rise in losses is being attributed to the increased sophistication of whaling emails – emails sent to high-level executives that request a specific action. The emails appear to be from an authentic source – or they originate from a compromised email account within a company – and usually contain information relative to the recipient.

Due to the effort required to create the impression of authenticity, and the data that has to be collected in order for the content of the email to appear convincing, the FBI believes that the majority of business email compromise scams are originating from organized criminal enterprises – many of whom operate in the same way as professional organizations.

During one investigation, Steve Meckl – a former technical operations unit chief in the cyber division of the FBI – found one unit following a Monday-to-Friday work week and even taking time off for Christmas. The organized nature of some criminal enterprises has now been given its own name by some security industry professionals – “the corporatization of cybercrime”.

The Work that Goes Into Whaling Emails

The whaling emails used to perpetrate BEC scams are not hit-and-miss affairs. Often they involve months of studying how a company operates after infiltrating its network via malware. The cybercriminals will study the company´s structure, its billing systems and the style of email communication between high-level executives.

Once a target is selected, further research is conducted across “open source intelligence” to collect as much information about the target as possible. The FBI has warned that social media sites such as Facebook, LinkedIn and Twitter provide key details about an individual and their lifestyle, and often provide key information cybercriminals can use to execute their scams.

Even when the profile of the target and the company he or she works for is complete, cybercriminals will choose the time to send the whaling email carefully. Often this will occur when the supposed sender of the email cannot be contacted by phone to confirm the instructions within the email, for example when a CEO or CFO is traveling or on vacation.

Sometimes bogus accounts are set up to receive funds that have just one or two digits different from the account funds are usually sent to. Typically mechanisms are already in place to take the money out of the bogus accounts as quickly as possible – making it impossible to reverse a payment and recover the funds once the scam is discovered.

CEOs and CFOs Particularly High-Value Targets

Due to being best placed to make, or order, high-value financial transactions, CEOs and CFOs are particularly high-value targets. Research conducted by the cybersecurity company Mimecast in 2015 found that 72 percent of whaling emails were either targeted at CEOs or CFOs, or sent to high-level executives appearing to have originated from a CEO or CFO.

The difficulty in detecting that these emails are BEC scams, according to Mimecast´s cybersecurity strategist Orlando Scott-Cowley, is that they do not contain hyperlinks or malicious attachments – typical red flags to most high-level executives with cybersecurity awareness. Scott-Cowley agrees with the FBI´s assessment that the volume of organized BEC scams is going to increase.

“Cyber attackers have gained sophistication, capability and bravado over the recent years, resulting in some complex and well executed attacks,” he said. “As whaling becomes more successful for cybercriminals, we are likely to see a continued increase in their popularity, as hackers identify these attacks as an effective cash cow”.

Other security experts also believe an increase in organized BEC scams is inevitable. The computer security researcher and author Markus Jakobsson believes the success of organized BEC scams will accelerate the “corporatization of cybercrime”, resulting in more and more sophisticated attacks with potentially devastating results.

Precautions to Take to Avoid Organized BEC Scams

In the latest warning about BEC scams, Harold Shaw – the special agent in charge of the FBI´s Boston division – said “As devastating as this crime is, it is equally easy to thwart. We must all develop the habit of verifying the authenticity of emailed requests to send money. The best way to do this is through in-person conversations or using a known telephone number.”

Shaw also suggested several best practices companies could adopt to avoid becoming the victim of future organized BEC scams:

  • Verify changes in vendor payment details by adding two-factor authentication for online financial transactions.
  • Use phone verification as part of the two-factor authentication, and use previously known phone numbers, not the phone numbers included in the email request.
  • Create an email rule to flag communications in which the “reply to” address is different from the “from” address displayed.
  • Create another email rule to flag emails with similar addresses to company emails. For example, to flag an email with the extension @abc_company.com when the company email extension is @abc-company.com.
  • Color code emails so that emails from internal accounts are one color, and emails from external accounts are another.