Whaling: Scamming the Big Fish

N2K

An old type of cyberattack has gained newfound, high-profile attention this month. Two finance chief executive officers fell victim to an email hoax. Cybersecurity researchers have a name for this subtype of cyberattack: “whaling.” It’s an email phishing attack specifically targeting a particularly big fish – the executive. And, unfortunately for executive leaders, it is a simple and increasingly common way for attackers to gain unprecedented access while also damaging an organization’s credibility.

A Whale of a Fail

Earlier this month, CEOs of two major U.S. banks succumbed to this social engineering hoax. Goldman CEO Lloyd Blankfein and his counterpart at Citibank, Michael Corbat, were both successfully scammed by the same prankster who fooled the head of Barclays in May 2017. Although none of the executives revealed sensitive information during their email exchanges with the attacker, the entire financial industry is wondering how a single prankster managed to cause so much embarrassment.
The attacker masqueraded as a bank chairman, then a company president, and finally a chief operating officer to fool the executives at Barclays, Goldman Sachs, and Citibank, respectively. Each time, the prankster – who operates under the Twitter handle “SINON_REBORN” – created fake Gmail accounts using the real names of the people he was impersonating. It was a simple but effective trick. According to the cybersecurity firm GreatHorn, 91% of all corporate phishing attacks involve this kind of display-name spoofing.
To make his correspondence seem legitimate, the attacker also trawled through his victims’ social media feeds. In an email to Blankfein, for example, SINON_REBORN used Blankfein’s public Twitter postings to gather information, asking about a recent business trip to China.
On all three occasions, the attacker used the same strategy. The premise was simple, like most phishing scams: the attacker emailed the target address, enticing his victim with some clever bait (in this case, a bit of well-timed small talk). However, these attacks on financial industry executives differ from traditional phishing campaigns, in which an attacker sends hundreds of emails at once. SINON_REBORN improved the effectiveness of his phishing operation by tailoring each scam to a single, high-profile individual.
Cybersecurity experts warn CEOs and business leaders to be wary of any email that references personalized information about their organization or themselves, or that is written with a sense of urgency.
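The display-name spoofing described above (a real executive’s name on a throwaway webmail address) is easy to spot mechanically once you know which names to protect. The following is an added illustration, not code from the original article or from GreatHorn: a small mail-gateway check that flags a From: header whose display name matches a protected executive but whose address is not that executive’s corporate mailbox. The company domain, executive roster, webmail list, and sample headers are all constructed for the demo.

```python
"""
Added example: flag display-name impersonation of executives in From: headers.
All names, domains and sample headers below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Hypothetical organisation data (constructed).
CORPORATE_DOMAIN = "example-bank.com"
PROTECTED_EXECUTIVES = {
    "Jane Doe": "jane.doe@example-bank.com",    # hypothetical CEO
    "John Smith": "john.smith@example-bank.com",  # hypothetical COO
}

# Free webmail providers typically used for throwaway impersonation accounts.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def normalise_name(name: str) -> str:
    """Collapse case, punctuation and word order so 'JANE DOE' == 'Jane Doe'."""
    tokens = re.findall(r"[a-z]+", name.lower())
    return " ".join(sorted(tokens))


def classify_from_header(from_value: str) -> dict:
    """Return a verdict for the value of one From: header."""
    display_name, address = parseaddr(from_value)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    result = {"display_name": display_name, "address": address, "reasons": []}

    norm = normalise_name(display_name)
    for exec_name, exec_address in PROTECTED_EXECUTIVES.items():
        if norm != normalise_name(exec_name):
            continue
        # Name matches a protected executive: the address must be theirs.
        if address == exec_address:
            continue
        result["reasons"].append(
            f"display name matches executive '{exec_name}' but address is {address}")
        if domain in FREE_MAIL_DOMAINS:
            result["reasons"].append(f"sender domain {domain} is a free webmail provider")
        elif domain != CORPORATE_DOMAIN:
            result["reasons"].append(f"sender domain {domain} is outside {CORPORATE_DOMAIN}")

    result["verdict"] = "suspicious" if result["reasons"] else "ok"
    return result


def scan_headers(header_lines):
    """Classify every 'From: ...' line in a list of raw header lines."""
    verdicts = []
    for line in header_lines:
        if line.lower().startswith("from:"):
            verdicts.append(classify_from_header(line.split(":", 1)[1].strip()))
    return verdicts


# Constructed sample headers: one genuine, two impersonations, one unrelated.
SAMPLE_HEADERS = [
    "From: Jane Doe <jane.doe@example-bank.com>",
    'From: "Jane Doe" <jane.doe.ceo@gmail.com>',
    "From: JANE DOE <jdoe@partner-firm.example>",
    "From: Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for v in scan_headers(SAMPLE_HEADERS):
        print(v["verdict"], v["address"], "; ".join(v["reasons"]))
```

A check like this is a complement to, not a substitute for, the awareness training the article recommends: it catches the crude case of a real name on a webmail address, but not a compromised or convincingly registered look-alike domain, and it only protects the names on the roster.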

Executive Actions and Considerations

It’s tempting to lean on technical fixes to solve your phishing problems. However, relying on spam blockers and other forms of email filtering will not protect against a whaling attack, especially given the ease of email spoofing. Moreover, attackers are constantly searching for new ways to evade these technical controls; as a result, there will always be fake emails that make it through your lines of defense. The most effective way to mitigate any type of social engineering attack is through cybersecurity training and awareness – for all employees.
If you want to learn more about how to create a cyber-secure company culture from the top, contact us to schedule a Cyber Resolve training session for your board or executive team.