Earlier this year, the FBI stated that the second most prominent scam on the internet is the wire fraud scam, whereby a CFO is sent a phishing message that is supposed to appear to come from the CEO, requesting an urgent transfer of funds.
These attacks that are targeted toward the “big fish” in a company, usually the Chief Financial Officer, are known as “whaling” attacks. A recent conversation that I had with a corporate CFO indicates that there is no sign that these attacks will be dissipating anytime soon.
Think about a busy CFO who receives no more than two of these scam messages each week. That would amount to 104 per year. This presents a couple of distinct problems.
Unlike a mind-numbing flood of scam messages, which would probably result in a corporate policy shift prohibiting wire transfer requests via e-mail, the low volume is just enough to create confusion, and with some lucky timing it might be enough to catch even the most vigilant executive off-guard. “Low and Slow,” as it is known, is a time-honored and effective evasion technique in the hacker community. The whalers have apparently read the hacker manual.
Another problem is that these whaling attacks, even when presented as a trickle, create just enough “noise”, possibly causing a CFO to miss a legitimate request.
The primary piece of advice for anyone who receives a wire transfer request is to verify the request with the sender. As my CFO friend indicated, if it was that easy to verify it, then it would not have arrived as an e-mail in the first place. This is a good point, as the CEO is usually not available for every phone call, even if it is the CFO who is calling.
One way to avoid this type of scam when you cannot immediately verify the authenticity of the request is to adopt a technique used by some police departments to protect plain-clothes officers.
Before an officer goes out on patrol, he is advised of the “color of the day”. The color of the day is the color that the plain-clothes officers will be wearing. In the event of an emergency, the uniformed patrol officer is aware that a person on the scene wearing the secret color is likely to be a member of the force. I have seen this technique in action, and it is quite impressive.
While we could debate the obvious flaws with the police color system, there is a much easier system that a CFO and a CEO can use to protect against whaling attacks.
They can use a secret word or phrase that could accompany all money-related requests.
A simple phrase inconspicuously woven into a message can be used to signal that the message is genuine: something like “enjoying a tuna sandwich”, or “Regards to Rosie” at the end of the message (even though Rosie is a fictitious character in both the CEO’s and the CFO’s life). A CFO and CEO usually meet or speak in person on at least a weekly basis, so the secret phrase of the week could be part of the agenda for a scheduled meeting.
This “secret phrase” technique may seem silly at first glance. However, we all know that C-Level executives often communicate using code words to conceal many of the high-level operations of a company. In the case of some software companies, entire projects are referred to only by the designated code name.
If something as silly as a color code can be used to protect the life of an undercover officer, it is not a far stretch to use a secret phrase to protect the finances of a corporation.
Regards to Rosie!
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.