A real-life Anatomy of a Whaling Cyber-Attack: One Question away from Saving Nearly £500,000!
Posted by Trevagh Stankard on Mon, Oct 10th, 2022
Do you believe you’re safe from a Whaling attack?
These socially engineered attacks target business leaders, executive management, their close advisers and executive assistants. They’re targeted at this group as they have the keys to the most sensitive projects and company information – they’re the whales!
Cyber criminals use fraudulent emails that appear to be from trusted sources to try to trick their victims into divulging sensitive data over email or to ask for sensitive information such as payment or account details. They play on our human nature – to trust and respond to our senior peers or to those in authority, usually quickly and efficiently.
Plenty has been written about Whaling attacks but there are not many examples to illustrate how easy it can be to succeed. Here is a real-life story behind a catastrophic attack resulting in a leading UK organization recently losing nearly £500,000.
The Chief Executive Officer (CEO) and Finance Director (FD) of the organization had agreed to commission a confidential executive search firm to find suitable candidates for a C-suite colleague. They informed their respective Executive Assistants (EAs) of the project and advised them to keep it confidential. What they did not know was that, as the search commenced, cyber criminals had gained access to the organisation’s systems via a suspected phishing attack, allowing them to access and control the FD’s email system. It allowed them to watch and wait. This reconnaissance allowed them to plan out their attack.
On the 18th of the month the attackers sent an email from the FD to the FD’s EA with an invoice from an executive search firm which they had approved, asking to arrange speedy payment. The invoice was passed to Finance for payment, and Finance then emailed the FD for further approval. This email was intercepted by the attackers, who then approved it while pretending to be the FD. The invoice for £40k was then processed and paid.
The cyber-criminals then got greedy. They responded to say thank you for the payment but also highlighted there remained an outstanding sum that was also due for payment. The new invoice was for £434,000k!
The attackers, posing as the FD, then authorized immediate payment by email. This raised concerns. The FD’s EA texted the FD, who was at an Investor event, to check they were happy to authorize. The FD missed the text, so their EA then emailed the Group HR Director asking if they could confirm the fee was right with the agency. The HR Director contacted the FD directly to check. This process took 45 minutes. The attackers were watching and, again acting as the FD, they responded to the FD’s EA to say that the HR Director had just contacted them, asking what the problem was and stating: “I thought I’d asked you to pay it. Pay this now. You shouldn’t be emailing others – this is a confidential project. I asked you to pay this, pay it.”
The FD’s EA then passed the 434,000k invoice to Finance for immediate payment. It was paid after a final approval was sent by the attackers, masquerading as the real FD. The attackers were still not satisfied! On the 11th of the following month the attackers sent another chasing email from their ‘Accounts Payable’ team saying that payment had not been received. This was when the FD was called out of a Board meeting and personally asked about the payment. This was when they realized something was seriously wrong, and the FD requested to see all the emails that had purportedly been sent.
The incident was then reported to the security team and the CEO. At no point until the Board meeting was a verbal confirmation from the FD or CEO requested.
The CEO admitted that they and the organization had learnt some valuable security lessons in the most damaging way. Their response was to demand an immediate summary of what had happened and how it had got to the point of losing nearly 500k in less than a month without knowing anything about it.
In my discussion with them they said: “The attackers played to their strengths. Not only having accessed the network and an executive email system but critically using the secrecy of the project, the urgency for payment and the authority that it was sanctioned by myself and my FD as validity for the demands being made.
“My shock and frustration focused not on our technical response (some essential remediation actions have already been actioned) but critically on our behaviours during the attack. People assumed it must be valid and only made simple checks, using the same channel (i.e. email) that the attackers were using and were able to intercept. We failed to appreciate just how coordinated the attackers were.
“The most galling aspect was that no-one thought it sensible to just personally ask me or my FD about the requests demanding immediate payment. I am constantly asked about many aspects of our operations that are far less serious than the impact of this massively damaging cyber-attack. I pride myself on always having an open door but on this occasion, people thought that as the project was secret and urgent that we did not need to be troubled. I suspect cyber-criminals understand and exploit the psychology that sits behind the actions we take in these circumstances far better than we do!”
Here is the advice the CEO gave to others after the attack:
“I can summarize it in three simple points:
1. Create a culture and environment where your employees, wherever they sit in the organization (from the boardroom to the engine-room) know they can ask questions or report suspicions or mistakes at any time. In our case we were one question away from not losing nearly £500k.
2. Carry out engaging, short and targeted awareness tests, little and often. Cyber-attacks can happen at any time. We all need the instinct to identify a range of threats we face, the understanding of our own vulnerabilities and the know-how to do the right thing instilled in us.
3. Because of our new home working environment these first two points have become even more important. Our home and working lives are now inextricably linked - our employees’ security awareness now starts at home. We must inform our people about secure behaviours throughout their digital lives far more effectively. We will all benefit.”