Who is at risk?
The domain spoofing attacks (commonly referred to as ‘whaling’) typically target the accounting department of organisations. They are designed to trick the email recipient into believing that a senior colleague has authorised a payment to be made and that payment should be actioned as a matter of urgency.
As opposed to crude cyber attacks which work by sending huge numbers of spam emails carrying malware or rogue links, cybercriminals running whaling campaigns invest a great deal of time researching and identifying victims, making the attacks far more sophisticated and considered.
How does it work?
The whaling cyber attacks are based on the creation of an email account which uses a very similar domain to that used by the potential target. For example, www.j0hnsmith.co.uk might be registered for an attempt against www.johnsmith.co.uk.
The next stage of the attack is to copy the format for the email and obtain the name of a very senior executive. With the prevalence of social business networks such as LinkedIn, this process is simpler than it seems and, in many cases, just involves basic research to obtain the information required.
Unless the email recipient of the spoof message is particularly eagle-eyed, messages will often clear the email security measures in place and may well be considered genuine requests to make a particular payment or bank transfer.
These emails will generally appear to be from their boss or a more senior member of staff. The message itself will look authentic and will likely be very well written, with a seemingly legitimate reason for a quick bank transfer to be made.
In the majority of cases, the request will not adhere to company procedures, as these will be unknown to the attacker. However, the premise of the whaling attempt is that some accounting staff will not question the request because it seemingly came from a senior figure at the organisation. They may not question whether the email is genuine out of fear, complacency, wanting to be seen as efficient, or simply not knowing better.
Closer inspection would reveal a very slight anomaly in the domain name. Very often this will be as subtle as replacing an L with an 1, putting a zero in place of an o, or registering a .co domain for an attempt against a company using the .co.uk variant.
What should email admins do?
Unfortunately, whaling attempts are difficult to detect unless advanced spam filtering is in place. As there are no attachments or malicious links, conventional filters will generally treat the email as genuine.
However, steps can be taken to reduce the chances of an attack succeeding. The most important are as follows:
- Email admins should ensure that appropriate anti-spam software is installed and that it is configured to block emails received from similar domains (blacklisting all variations of the corporate domains used).
- Secondly, companies should implement internal procedures ensuring that transfer requests are not acted on without verifying with the sender, through another channel, that the request is genuine (and not by simply replying to the original message!).
What is the message to finance staff?
Those working in accounting departments need to be aware of this threat and be vigilant at all times. Whaling attacks have risen significantly since we first blogged about it a year ago and they are specifically targeting finance staff.
Again, the aim of the whaling attack is to use subtle domain spoofing techniques to trick end users into transferring money from corporate accounts directly to cyber criminals. Unfortunately, once the money has been transferred it is unlikely to be recoverable, even if the crime is recognised.
Need help or advice?
If you have any concerns or questions concerning the risks and would like to ensure that your organisation is appropriately protected, contact our security team on 01732 762675 or email email@example.com and we will be pleased to discuss this with you.