Cybercriminals Know How to Hook Your Firm's Whales

October 1, 2019


When it comes to targets for online scams, there are a lot of “phish” in the sea. And, some cybercriminals are looking to catch the “big one,” using targeted phishing methods to compromise large, high-profile targets, like company executives. This is known as a “whaling” scam, and it can be shockingly sophisticated and devastating.

Toy-making giant Mattel nearly lost $3 million in a carefully crafted whaling scheme. A senior finance executive received an email from the new CEO requesting payment to a vendor in China. The request was fraudulent, but the attackers had done their homework, researching the company hierarchy and protocols regarding payments to make it look legitimate. They timed the attack to coincide with the installment of the new CEO and preparation for massive growth in China.

The finance executive transferred the $3 million, only to discover in a later conversation with the new CEO that he had never made the request. When Mattel contacted law enforcement, they were told it was too late; the money was already gone. The company’s only saving grace was a banking holiday in China that allowed Mattel just enough time to work with local law enforcement to freeze the account and recover the funds. Not every business will be so lucky. Help prevent a whaling attack at your company by following these best practices:

  • Implement cybersecurity defenses, such as two-factor authentication, that reduce the chances of email accounts becoming compromised.
  • Set your spam filters to quarantine emails that appear to be spoofed, such as those coming from a domain that mimics your company’s.
  • Establish internal procedures that include face-to-face or phone verification for financial transactions.
  • Consider protocols that require two executives to sign off on payments that exceed a certain threshold.
  • Conduct employee training that teaches team members how to identify cybersecurity red flags and reinforces internal procedures.
  • Train executives not to reveal information on social media that could be mined by hackers to make attacks appear legitimate.
Contact Bank Iowa immediately if you fear your business has been the victim of a whaling scam. Once a financial transfer has taken place, funds can be very difficult to retrieve, and time is of the essence.