3 Real-Life Whaling Cases
1. Mattel, Inc.
As we discussed in our earlier blog post, Avoiding a Whaling Attack: Recognizing 3 Common Security Risks, Mattel, Inc. was recently the victim of a terrifying whaling case. After being duped into approving a $3 million offshore payment to China, a finance executive found out that the payment had been sent to a ring of criminals.
According to the Associated Press, “Mounting evidence indicates that China is becoming a global banker for the criminal economy, according to interviews with police officials, court records in the U.S. and Europe, and intelligence documents reviewed by the AP…The city (where the receiving bank was located) is the destination for 90 percent of the funds stolen through fake CEO scams in Europe.” This whaling case has a happy ending: the money was returned in full after two days. Unfortunately, not all enterprises are so lucky.
2. Ubiquiti Networks Inc.
In 2015, Ubiquiti Networks Inc. was less fortunate than Mattel, Inc. In a quarterly financial report filed with the U.S. Securities and Exchange Commission (SEC), the manufacturer of wireless network hardware disclosed that its Hong Kong subsidiary inappropriately transferred $46.7 million to several fake vendors as a result of an email to a finance worker that impersonated an executive. This is a classic example of whaling, where criminals target a top executive with a message that impersonates legitimate business correspondence. The company recovered $8.1 million with the help of the courts and the subsidiary’s bank, and is still pursuing the remaining balance.
3. The Scoular Company
In a separate case, The Scoular Company, a grain industry giant with $6 billion in annual revenue, also lost big to a whaling attack. According to an article in Infosecurity Magazine, Scoular’s corporate controller received a fake email pretending to be from the company’s CEO that said, “For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.” To enhance credibility, the scammers also sent the controller a fake email from Scoular’s accounting firm. The controller even called the accountant’s telephone number given in the email and spoke with the fake accountant. Falling for the well-executed scam, the business lost a total of $17.2 million that was sent to offshore accounts.
Whaling: Phishing for the Big Catch
Mattel, Ubiquiti and Scoular were all victims of whaling attacks, which exploit workers who have the ability to make large financial decisions. Scenario details can vary, but often attackers send a fake email from a CEO or CFO to a member of the finance team to request a large transfer of funds to a new vendor or other third party.
Whaling is one type of phishing attack, in which a scammer poses as a trusted party so that a user opens a malicious website or attachment. In most phishing attacks, an attacker broadcasts an identical email to thousands of recipients. Spear phishing is the portion of phishing attacks focused on a specific individual, and a whaling attack is spear phishing that focuses on a high-level manager or executive.
WEI is on your side to keep your finances and company information safe from criminals. For details on how you can best protect your company from these enterprise security threats, contact us today.