Whaling - A very modern security issue


Whaling emails are highly focused messages that target finance staff, encouraging them to expedite a payment to a supplier on behalf of the Managing Director or Chief Executive, who is supposedly away from the office and unable to make it themselves.

The phenomenon has been dubbed whaling because the mark is a single large target, as opposed to phishing, which seeks to defraud a larger number of smaller targets.

How is it done?

The attacker first gains the ability to read email passing between the target and its business partners, typically by compromising a mailbox, and can then follow the correspondence freely. Over many weeks or even months the attacker learns the style and language of those sending and receiving the emails. The attacker then sends a bogus request for money, including new bank account details for the transfer. Because the attacker knows so much about the target and its suppliers, the request appears genuine, and the money is very often transferred to the attacker's account.

An attacker can pull this off because standard email (SMTP) does not authenticate the sender: the From header can carry any display name and any address, so the name shown in a mail client need have no relation to the address behind it, and neither need have any relation to the mailbox that actually sent the message. Sender-authentication standards such as SPF, DKIM and DMARC exist, but they only help where the receiving organisation checks and enforces them.
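The following Python script is an added example (not code from the original post or from Frama) that turns the points above into checks a finance team's mail filter could run: it parses a message, compares the From display name against a list of executives and their real addresses, looks for lookalike domains, flags a Reply-To that diverts replies away from the claimed sender, compares the envelope sender with the From domain, and looks for pressure language. The executive list, trusted domain, lookalike substitutions and both sample messages are constructed for illustration.

```python
"""Flag common whaling indicators in an inbound email (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: executives likely to be impersonated, mapped to the one
# address each is expected to send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Constructed: phrases that recur in payment-fraud emails.
URGENCY_WORDS = ("urgent", "expedite", "wire transfer", "new account", "new bank")


def _normalise(domain):
    """Collapse common lookalike substitutions (rn->m, 0->o, 1->l)."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None."""
    for t in trusted:
        if domain != t and _normalise(domain) == _normalise(t):
            return t
    return None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _body_text(msg):
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def whaling_indicators(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(("display-name-mismatch",
                         f"'{display}' but address is {addr}, expected {expected}"))

    # 2. Sending domain is a lookalike of a trusted domain.
    imitated = lookalike_of(domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(("lookalike-domain", f"{domain} imitates {imitated}"))

    # 3. Reply-To diverts the conversation, so the real executive never sees it.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if reply and reply.lower() != addr.lower():
            findings.append(("reply-to-differs", f"replies go to {reply}"))

    # 4. Envelope sender domain differs from the From domain. Weak on its own
    #    (legitimate relays do this too), useful in combination.
    _, ret = parseaddr(msg.get("Return-Path", ""))
    if ret and _domain(ret) != domain:
        findings.append(("return-path-mismatch", f"envelope sender {ret}"))

    # 5. Pressure language typical of payment fraud.
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    return findings


# Constructed sample showing the pattern described above.
SAMPLE = """\
Return-Path: <bounce@mail-relay.example.net>
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example.com
Subject: Urgent supplier payment

I am out of the office, please expedite today's payment to the new account
details below.
"""

# Constructed benign message from the real address, for comparison.
BENIGN = """\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Team lunch

Shall we do the team lunch on Friday?
"""

if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, whaling_indicators(raw))
```

No single check is conclusive: the Return-Path comparison fires on plenty of legitimate mail sent through relays, and a lookalike test only catches the substitutions it knows about. The value is in the combination, and in the display-name check in particular, which is the one that directly targets the trick the text describes.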

Consequences

Many medium and large companies have been targeted by these attackers, losing over £520m between them since 2013. Snapchat is the latest high-profile victim, having revealed employee payroll information to an unknown attacker.

As with any scam of this type, the goal of whaling is to trick someone into disclosing personal or corporate information, or into making a payment, most typically through email correspondence.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation through which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive (officially Directive 95/46/EC) of 1995.

The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments.

In 2016, the telecommunications company TalkTalk was fined £400,000 by the ICO for failing to prevent a cyber-attack that took advantage of technical weaknesses in TalkTalk's systems.

The attacker gained access to 156,959 customer records, including names, addresses, dates of birth, phone numbers and email addresses. In 15,656 cases the attacker also obtained bank account numbers and sort codes.

As whaling becomes part of everyday business life, can your business afford not to take action against this new threat?

About the author:

Lenny Wood is Marketing Manager for Frama (UK) Ltd, a Swiss supplier of digital security solutions. Frama are excited to introduce RMail, a registered email product designed to defend against cyber-attacks and to provide crucial compliance with the General Data Protection Regulation, mandatory from May 2018.


CONTACT DETAILS

COMPANY NAME: Frama (UK) Ltd

URL: www.frama.co.uk

EMAIL: lenny.wood@frama.co.uk

Phone: 01992 451 125