For those familiar with the worlds of small business management and entrepreneurism, Verne Harnish is a venerated authority. A popular thought leader who regularly hosts panels and conferences globally, his founding credits include the Entrepreneurs’ Organization, Gazelles Growth Institute, and strategic planning and executive education firm Gazelles Inc (a system and process used by our own company). Though he is a business guru by all definitions of the term, his latest newsletter illustrates that nobody is too knowledgeable —or too cautious— to be immune to phishing and whaling attacks.
Harnish recounts a recent run-in with cyber criminals. During a conference for leading Russian CEOs and entrepreneurs in Moscow, his email account was compromised while he was using a public network. The assailants read his daily updates, including his organization’s substantial bank balances, and learned the process he used with his assistant for transferring funds.
Subsequently, the hackers sent his assistant an email completely mimicking his style, subject line and signature asking her to wire funds to three separate locations. She wrote back to confirm the transactions and the criminals responded in-character as Harnish, all the while removing their communications from email servers and deleting daily bank alerts. Ultimately, the thieves got away with about $400k from Gazelles and their likelihood of getting caught is next to zero.
Like a true leader, Harnish accepted full responsibility: “The big failure was not thinking it could happen to me! The second was falling out of some critical daily and weekly routines with my team, especially when travelling. And it underscored the importance of talking about these large transactions, not just relying on emails.”
Ironically, he had planned for someone to speak at the next Growth Summit on the necessity for small and mid-sized business to take cyber security seriously. In his words, “If they can hack into governments, they can hack into you! Lesson learned the hard and expensive way.”
This is an unfortunate example of whaling, otherwise known as CEO fraud or business email compromise (BEC). It is a highly targeted form of the social-engineering tactic known as phishing: cyber criminals use sophisticated emails to hoodwink corporate executives (or the staff who act on their instructions) into divulging personal, financial and corporate details, or into moving money. The term comes from CEOs and upper-level management being big “phish” (or whales, even though whales aren’t quite fish…). Hackers harpoon and land their catches through crafty copy, deceptive design and rigorous research. They then try to steal as much data and as many funds as they can before they get noticed.
So far as whaling attacks go, Harnish got off relatively lightly, although he may not quite feel that way. Leoni AG, Europe’s largest manufacturer of wires and electrical cables, recently lost about $44.6 million to a similar incident. Toy giant Mattel found itself on the receiving end of CEO fraud by Chinese scammers who made off with $3 million. And the costs are not always monetary: Snapchat was whaled earlier this year, and the resulting data breach exposed its entire employee payroll. Unfortunately, unlike its videos, that kind of embarrassment and damage does not go away after 24 hours.
The FBI notes that BEC is on the rise, with incidents reported in every U.S. state and in 79 countries globally. Between October 2013 and February 2016, law enforcement recorded 17,642 victims, with combined losses totalling over $2.3 billion. In 2015 alone, there was a 55% increase in whaling attacks over the year before, and the trend looks to be the same for 2016.
So how does one defend against whaling? IRL, you set sail with Greenpeace. In the world of URL, however, you need a mixture of email filtering systems and anti-virus programs as a first line of defense. Given whaling’s socially engineered nature, though, it preys on human error. That means you need education as much as technology.
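As an added illustration (not code from Harnish’s newsletter or from any product mentioned here) of what that first line of email filtering can actually look for, the Python below scores an incoming message on the sender signals that a busy assistant has no way to see by eye: an executive’s display name on an address outside the company, a sender domain that is one or two characters away from the real one, a Reply-To that quietly diverts the reply elsewhere, and payment language in the subject or body. A message that combines a spoofing signal with payment language is held for out-of-band confirmation. The executive name, the domains and both sample messages are constructed for this example.

```python
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
EXECUTIVES = {"verne harnish": "verne@example-growth.com"}
CORPORATE_DOMAINS = {"example-growth.com"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|urgent|invoice|payment|funds)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain within 2 edits of ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> list[str]:
    """Return the list of whaling indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. An executive's display name on an address that is not ours.
    if name.strip().lower() in EXECUTIVES and from_domain not in CORPORATE_DOMAINS:
        findings.append("display-name impersonation")

    # 2. A sender domain that is a near-miss of one of ours (e.g. w -> vv).
    if from_domain and from_domain not in CORPORATE_DOMAINS:
        if any(edit_distance(from_domain, d) <= 2 for d in CORPORATE_DOMAINS):
            findings.append("lookalike sender domain")

    # 3. Reply-To pointing somewhere other than the visible sender, so the
    #    assistant's "can you confirm?" goes to the attacker, not the boss.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append("reply-to differs from sender")

    # 4. Money-moving language in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_WORDS.search(msg.get("Subject", "") + " " + text):
        findings.append("payment language")
    return findings


def should_hold(findings: list[str]) -> bool:
    """Hold the message for voice confirmation when spoofing meets payment talk."""
    spoof = {"display-name impersonation", "lookalike sender domain",
             "reply-to differs from sender"}
    return "payment language" in findings and bool(spoof & set(findings))


# Constructed sample messages (not real mail from the incident described above).
WHALING = """From: Verne Harnish <verne@example-grovvth.com>
Reply-To: verne.harnish@mail-example.net
To: assistant@example-growth.com
Subject: Quick favour - wire today

Hi, I'm between sessions in Moscow. Please wire the funds to the three
accounts below today and reply here to confirm.
Verne
"""

LEGIT = """From: Verne Harnish <verne@example-growth.com>
To: assistant@example-growth.com
Subject: Summit agenda

Can you send me the latest draft of the Growth Summit agenda?
Verne
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING), ("legit", LEGIT)):
        found = analyse(raw)
        print(label, found, "HOLD" if should_hold(found) else "deliver")
```

None of these checks proves an email is fraudulent on its own; a genuine executive writing from a personal account will trip the first one. That is the point of holding rather than dropping: the message waits until someone picks up the phone, which is exactly the routine Harnish says he had let slip.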
A Buddle Findlay article on Lexology argues that combating whaling is as much an HR issue as it is an IT issue. It notes that cyber security should be treated as an organization-wide affair rather than a problem just for the techies. And it needs to start at the top. Citing PwC’s ‘Global Economic Crime Survey 2016: Adjusting the Lens on Economic Crime’, it points out that “only 61% of CEOs are concerned about cyber security and less than half of board members request information about their organization’s state of cyber-readiness.”
Leaders must be aware of the threats facing their organizations and the measures currently in place, and must have a developed plan for responding to an incident. Policies should also be established —and monitored— for employees to follow, including appropriate behaviors around not sharing passwords and limitations surrounding email, social media, WiFi, confidential information and mobile devices (both personal and professional).
Other tips it gives for helping employees include:
- Providing examples of attacks against your organization or similar ones
- Giving extra training to customer service and accounts staff, as they are the most targeted. The more questions they ask, the more likely hackers are to move on.
- Testing employees randomly and anonymously, and publishing the results internally.
- Reminding them of policies frequently so the policies stay top of mind.
Hindsight is 20/20, and it’s impossible to say whether Verne Harnish and his team would still have been whaled had they followed these tips. However, his experience is an (expensive) lesson for us all. It’s a testament to Verne’s true leadership that he shared his $400,000 lesson with the world, in the spirit of full disclosure.
Be cautious, teach your users to follow suit, and hopefully you’ll stay above water.