About Christopher J. Giovino

Christopher J. Giovino is director of forensic investigation, crime and cyber evaluation risk quantification for Aon Global Risk Consulting.

Be Proactive in Managing Whale Phishing Risks


The rash of incidents involving whale-phishing has created new challenges for risk managers. In these cases, criminals use a combination of emails and phone calls to scam companies out of large sums of money through fraudulent wire transfers.

Perpetrators use emails that appear to come from senior executives to instruct employees that have access to a company’s finances to transfer large sums of money to temporary accounts held by the criminals. By the time the fraud is discovered, accounts typically have been closed and the criminals can’t be traced.

Managing this exposure calls for careful planning and a coordinated effort both within the organization and with external providers and trading partners. For risk managers, navigating this exposure might involve the following steps:

• Assess your vulnerabilities. Form an “anti-whale-phishing” team with executives from your finance/treasury, security, legal, operations, IT and HR departments to identify where your firm might be vulnerable and the individuals most likely to be targeted by outside perpetrators.

• Establish clear protocols for any fund transfers. Make sure there are multiple internal steps for approval of any financial transactions that exceed defined sums. Don’t allow any exceptions and make sure all senior leaders of the firm are aware of the protocols, comply fully and consistently reinforce them with staff.

• Communicate protocols within your organization. Be sure everyone with access to funds who might be targeted by these scams is fully aware of the protocols and the reasons for them, understands that there are absolutely no exceptions, and knows how to report any email, phone call or other communication that appears suspicious.

• Coordinate with your banking/financial institutions. Establish protocols with your financial institutions with respect to any requests for wire transfers that exceed clearly identified thresholds.

• Check your crime insurance coverage. Meet with your broker to review how your crime policy might respond to any claims related to whale-phishing losses. You may have to arrange a meeting with your insurer to clarify or add policy language that will extend coverage for these types of losses.

• Look for coverage opportunities under cyber policies. Your broker will help you determine how and whether your current cyber insurance policy might address first-party losses, such as those resulting from a whale-phishing attack. As protection under cyber insurance policies continues to expand, see if there is related coverage under newer stand-alone policies.

• Maintain organizational vigilance. Work with your anti-whale-phishing team to continue to monitor risks associated with whale-phishing. Monitor changes in employee responsibilities, promotions, new hires, adjustments in banking relationships, email system updates, and any other developments that may affect your organization’s vulnerability to potential risks.

• Remember, time is not on your side. Plan ahead to know which federal investigative agency is best for you, such as the Secret Service or the FBI. Call them while the bad guys are still communicating and before you take actions that scare them off.

As these scams evolve and become more sophisticated, whale-phishing is likely to remain a significant risk for businesses and other employers. By taking steps before a loss occurs, risk managers can put their organizations in position to manage this difficult and potentially costly exposure.

Batten Down the Hatches: Watch Out for Whale Phishing

Many risk managers and corporate counsel are in a quandary over the latest crime wave to strike businesses—a flood of incidents involving what is known as whale-phishing. This occurs when criminals use a combination of emails and phone calls to perpetrate a fraud and scam companies out of large sums of money through fraudulent wire transfers.

Here is how a typical whale-phishing episode unfolds. A perpetrator sends a “spoofed” email (one whose headers show a sender address other than the one actually used) to a company employee. The spoofed email address is usually that of a senior company official, which is why the term “whale” is attached to these phishing emails.

The email message is usually sent to a mid- or lower-level manager in the finance department or to a person with access to banking funds. The email is typically worded as “highly confidential.” The perpetrator often selects an employee who has had minimal contact with the senior executive whose email address is spoofed. Thus, the employee will not be familiar with the executive or his or her mode of interacting with employees on fund transfer matters.

The spoofed email message typically refers to a “project” for which significant funds are required immediately, but emphasizes that the funds need to be transferred discreetly. The message also informs the individual handling the transaction to expect a phone call from a trusted official outside the company, typically an attorney or accountant, who will provide instructions for transferring the funds.

The employee gets the follow-up call and usually transfers the money. Once funds are transferred, if the scam goes undetected, a second email is sent from the same executive thanking the employee for helping with the transaction and providing instructions for the next transaction. Another call is placed to the employee, who then unwittingly arranges the second, often significantly larger, transfer of funds. This process continues until the fraud is detected.
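As an added illustration (not part of the original post), a small Python triage check that scores an inbound message against the pattern just described: an executive's name on a non-corporate address, a Reply-To that differs from the claimed sender, and the “highly confidential project / expect a call from an outside attorney” wording. The corporate domain, executive list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: the firm's own domain and the executives
# most likely to be impersonated (the "whales").
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Wording drawn from the scam pattern described above.
PATTERN_PHRASES = [
    r"highly confidential",
    r"\bproject\b",
    r"\bwire\b|\btransfer\b",
    r"\b(immediately|urgent|today)\b",
    r"\b(attorney|accountant|counsel)\b.*\b(call|contact)\b",
]

def score_message(raw):
    """Return (score, reasons) for a raw single-part RFC 822 message."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Executive's name or address used, but the mail comes from outside the firm.
    if (name in EXECUTIVES or addr.lower() in EXECUTIVES.values()) and domain != CORPORATE_DOMAIN:
        reasons.append("executive name with non-corporate address")
    # Replies routed somewhere other than the claimed sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        reasons.append("reply-to differs from from")
    text = msg.get("Subject", "") + " " + str(msg.get_payload())
    for pat in PATTERN_PHRASES:
        if re.search(pat, text, re.IGNORECASE | re.DOTALL):
            reasons.append("phrase: " + pat)
    return len(reasons), reasons

# Constructed sample: spoofed executive, look-alike domain, scam wording.
SAMPLE_SPOOFED = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: jane.doe.ceo@example-mail.net
To: pat.smith@example.com
Subject: Highly confidential project

Pat, I need you to wire funds today for a confidential acquisition project.
Our outside attorney will call you shortly with transfer instructions.
"""

# Constructed sample: ordinary internal mail from the real executive address.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pat.smith@example.com
Subject: Q3 board deck

Pat, can you send me the latest draft of the board deck?
"""
```

A non-zero score is a cue to route the message to the reporting channel the protocols define, not a verdict on its own.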

At that point, however, the transferred funds and the perpetrators usually are long gone. These criminals are difficult to apprehend, and their accounts are almost impossible to trace.

The challenge for the risk manager then becomes trying to collect on a crime insurance policy. Unfortunately, however, insurers have been denying coverage.

With respect to crime/fidelity insurance, there often is some policy language pertaining to losses due to computer fraud. Since a portion of the scheme is carried out via a telephone call or fax, insurers contend that the fraud was not perpetrated by a computer.

Insurers also have issued denials based on their contention that the email is not a financial instrument and/or the email does not constitute a forgery of a financial instrument. Furthermore, they point out that in these situations a company employee, not an outside perpetrator, was directly responsible for the loss.

As the number of whale-phishing incidents continues to increase, risk managers and their brokers need to confirm with their insurers that they expect these types of losses to be covered under their crime insurance policies. Indeed, policy language should be reviewed carefully in this context.

To help prevent such frauds, senior leadership and all individuals with access to company bank accounts need to be made aware of the potential for such scams. Procedures should be in place to validate any and all requests for money transfers and there should be adequate redundancy in the approval process that takes place outside of email.

Be forewarned and prepared; phishing scams are out there and they can lead to large losses.