Cybersecurity attacks in the financial industry have not only become more sophisticated but more bold. Bad actors are aiming high, directing their schemes at the top level of financial executives to gain the greatest access and, potentially, the highest profit.
In gambling hotspots like Las Vegas and Macau, the term “whale” usually refers to a big gambler — the kind who might bet thousands, or even hundreds of thousands, on a single hand of Black Jack or roulette. When cybersecurity experts discuss “whaling,” they are looking at how cybercriminals target high-level executives with an eye to stealing the most privileged information and getting access to the most sensitive data.
Typically, these whaling attacks begin (as is so often the case) with a phishing email, according to Tonia Dudley, strategic advisor at Cofense. According to the FBI, these high-level whaling attacks have cost enterprises more than $12.5 billion in losses during 2021 alone.
“When we look at the themes used across many campaigns, these are typically finance related, such as invoice, purchase order or quote,” said Dudley, adding Cofense has seen "fewer attachments actually making it to the inbox for users to interact with.” However, HTML and HTM files “consistently” make it thorough security filters, Dudley noted.
Dudley, a current member of the board of directors for the National Cyber Security Alliance who has worked for Charles Schwab and Honeywell, said that more and more whaling campaigns are leveraging “multiple stages in their attack.” For example, the first stage might start with a link to a file-sharing cloud site, such as Google, Dropbox or DocuSign.
“Then, once the file is downloaded, imbedded files or links to pages would execute the second stage, [which] could include anything from a credential login page to malware leading to an entry to point to build to a ransomware attack,” she added.
Harris Schwartz, chief information security officer of Elevate Security, said financial institutions and top executives are often the “prime targets for both spear-phishing and whaling attacks, so they need to be especially aware of who in their organization would be a vulnerable target.”
“Whaling attacks look for users with high-level access credentials that may not think before they click and high-level access credentials,” Schwartz said. “Credentials from a user like this can provide cyber thieves with a pathway to anything from employee or customer personal information, to corporate secrets, to actual fund transfers.”
Due to this trend, Schwartz said that more and more U.S. financial institutions are working to “identify risky users” and augment their cybersecurity training.
Rob Rendell, vice president of payment solutions at Feedzai, added that with “more banking and transactions happening digitally, FIs (financial institutions) need to be especially alert to this type of scam. It’s much easier today for victims to make a quick digital transfer to appease that fake CEO before double-checking the veracity of the request.”