“Aye, aye! and I’ll chase him round Good Hope, and round the Horn, and round the Norway Maelstrom, and round perdition’s flames before I give him up.”
– Captain Ahab to Starbuck
Herman Melville’s classic tale of Captain Ahab’s maniacal pursuit of the great white whale Moby-Dick, published in 1851, remains one of the richest novels ever written. Interestingly, it offers a lesson for today’s hyperconnected world, in which the vast expanses of the Internet ocean can be traversed at light speed. Think of a world in which there now exist many Ahabs, relentlessly pursuing their quarry. Now think of yourself as the whale.
Whaling offers the ultimate trophy in spear phishing. It’s a sophisticated scam that targets senior executives — the “whales.” It also represents the natural evolution of “phishing,” the commonly used practice of sending a supposedly legitimate email in an effort to gain personal information from the recipient.
At one point virtually every Internet user in the world may have gotten an email from a desperate person in Nigeria who wanted to smuggle money out of the country and needed only modest assistance, in return for which they would be ever so generous. For most people, those phishing attempts were obvious. But the primitive early efforts have been replaced by far more sophisticated undertakings. Now the term “spear-phishing” is far more applicable: scammers use publicly available information (corporate websites, press releases, social media profiles) to craft emails tailored to a specific recipient, impersonating a colleague, a superior or a business partner, so that potential victims find them far harder to identify as fraudulent.
The attacks are unrelenting. Symantec’s 2015 Internet Security Threat Report notes “Almost no company, whether large or small, is immune. Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks in 2014, a 40 percent increase over the previous year. Small- and medium-sized businesses also saw an uptick, with attacks increasing 26 percent and 30 percent, respectively.”
Cloud services provider Intermedia and Intel Security have published an ebook titled How Fishing Evolved in the C-Suite that offers an interesting look at the range of “phishing” techniques successfully employed. With regard to whaling, it has a chapter that begins … “In June 2014, Keith McMurtry, financial corporate controller for Scoular Co., lost $17 million of the company’s money. And it all started with an email.” It turns out there were multiple emails. The emails used addresses in Israel, France and Germany, and a server based in Moscow. In the “it’s a small world after all” department, the FBI has entered the case and alleges that the money ended up with a company in Shanghai.
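The two passages above describe what a whaling email looks like from the victim’s side: a message that appears to come from a senior executive or a trusted partner, written in that person’s voice, asking for money or data. The following is an added example, not code from the original post, from SDI, or from the Scoular case, showing the header and content checks a mail gateway or a controller’s own mailbox filter can run on such a message. The company domain (example.com), the executive roster, the sample messages and the urgency word list are all constructed assumptions; a real deployment would source them from the directory and tune the word list to its own payment workflow.

```python
"""Heuristic whaling / executive-impersonation checks on raw RFC 5322 messages.

Added example with hypothetical data; not taken from the original post.
"""
import email
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Assumed organisation data (hypothetical): the company's own mail domain and
# the executives ("whales") whose names an attacker would borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVES: Dict[str, str] = {"jane doe": "jane.doe@example.com"}

# Words that recur in fraudulent payment requests. A heuristic, not a rule:
# two or more hits in subject plus body is treated as an indicator.
URGENCY_TERMS = ("wire", "transfer", "urgent", "confidential", "acquisition")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    out = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                out.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return " ".join(out)


def whaling_indicators(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings: List[str] = []

    # 1. An executive's display name on an address that is not that executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with address {addr}")

    # 2. A look-alike domain: within two edits of the company domain but not equal to it.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steering the conversation to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # 4. Payment and urgency language in the subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (hypothetical; not from any real incident).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board deck review

Can you look over slides 4-6 before Thursday?
"""

WHALING = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@mail-relay.example.net>
To: controller@example.com
Subject: Urgent and confidential wire

I am finalising a confidential acquisition and need a wire transfer
sent today. Do not discuss this with anyone else in the office.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("whaling", WHALING)):
        print(label, whaling_indicators(raw))
```

None of these checks is conclusive on its own; a genuine executive may travel and reply from a personal address, and an attacker who has compromised the real mailbox will pass all four. The point is that a message which trips several of them at once, and asks for money, deserves an out-of-band phone call before anyone acts on it.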
Scoular is large enough that the loss of $17 million is embarrassing rather than catastrophic. But others may not be so fortunate. Some of today’s Ahabs work for concerns that want information far more valuable than cash, and use schemes more complex than the one that ensnared Scoular. It is absolutely critical that access to key proprietary data be restricted. And once it is, one can expect the focus on the whales who do have access to that data to become ever more intense. To help assess whether you’re ready, try taking this quiz from McAfee.
By Tom Davis, SDI Cyber Risk Practice
SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.
June 23, 2015