In recent weeks we have seen a worrying number of volunteer-run sports clubs targeted by a new but increasingly common type of phishing attack.
In the most recent case, the treasurer of the club received a series of emails that purported to be from the chairman, requesting that the treasurer urgently transfer over £10,000 into an account to make a payment that was overdue and that, if not paid quickly, would lead to an important contract being cancelled.
The fraudster’s email looked very convincing and so the treasurer went ahead and made the payment. As you can appreciate, the loss of such a large sum of money was devastating to the club.
This type of attack, known as whaling, is a newer form of “phishing” in that it targets one “big fish” organisation rather than many smaller consumers, and it is a highly profitable scam. In recent months several sports organisations, including small clubs and National Governing Bodies, have fallen victim to such an attack.
Although cyber-attacks may seem complex, some of the most successful ones have been achieved using simple methods such as social engineering to trick the target into transferring large sums of money straight into a fraudulent account. The attackers don’t even need malware to gain access to your organisation’s systems.
Cyber criminals prepare the attack by carrying out extensive research into the functional divisions of an organisation, taking information from your website and from social media sites such as Facebook, Twitter and LinkedIn to identify staff and their roles.
The attack is delivered as a hoax email from a spoof domain name that appears to have been sent by the CEO to the finance department, urgently requesting that money be transferred to an external account. The criminals impersonate the CEO by first engaging their target in conversation with questions such as “Are you in the office today?” and then “Can you do me a favour and transfer this money to this account?”, framing the request as a payment that needs only a single sign-off to process.
Unlike other types of spam, whaling emails are harder to detect because they carry no suspicious-looking hyperlinks that might deter a person from trusting the email. The layout is usually well written and inconspicuous, and the message appears to be genuine.
Tips on protecting your club from a whaling attack:
- Provide training and education for your staff and volunteers, particularly those with management and financial responsibility and ensure they are aware of this type of scam.
- Demonstrate examples of how sports clubs and organisations have been caught out in the past by similar attacks.
- Carry out a simulated test within your club on how to identify and prevent a whaling attack.
- Set up an alert system that flags emails received from outside your sports organisation.
- Register with a domain alerting service that notifies you when a domain has been created that closely matches your organisation’s domain.
- Revise and review your financial procedures for sending payments to external parties.
- Keep software up to date and frequently run malware and spyware checks. Inform staff and volunteers about the dangers of opening suspicious-looking emails, especially if the sender’s details in the email do not match the entry in the organisation’s address book.
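As an added illustration of the “flag external senders” and “lookalike domain” tips above (example code written for this page, not from the original article or from Howden), the script below checks an inbound From header against a club’s own domain and officer address book. The club domain, officer names and addresses are all made up.

```python
# Added example: flag inbound mail that deserves a second look before any payment
# is made. ORG_DOMAIN and OFFICERS are constructed, hypothetical values.
import re
from email.utils import parseaddr

ORG_DOMAIN = "exampleclub.org.uk"            # hypothetical club domain
OFFICERS = {                                  # constructed address book: name -> real address
    "john smith": "chairman@exampleclub.org.uk",
}

def levenshtein(a, b):
    """Edit distance between two strings; a small value between two domains
    (e.g. a hyphen swapped for a dot) suggests a lookalike registration."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(name):
    """Lower-case the display name and keep only letters, so "Smith, John" and
    "john smith" compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))

def flag_sender(from_header):
    """Return the reasons a message should be scrutinised; an empty list means the
    sender looks internal and matches the address book."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    if domain != ORG_DOMAIN:
        flags.append("EXTERNAL")
        # close-but-different domain, or the club's name buried in a foreign domain
        if levenshtein(domain, ORG_DOMAIN) <= 2 or ORG_DOMAIN.split(".")[0] in domain:
            flags.append("LOOKALIKE_DOMAIN")
    name = normalise(display)
    if name in OFFICERS and OFFICERS[name].lower() != addr.lower():
        # display name of a known officer, but not sent from that officer's address
        flags.append("OFFICER_NAME_MISMATCH")
    return flags

if __name__ == "__main__":
    for hdr in ('"John Smith" <chairman@exampleclub.org.uk>',   # constructed samples
                '"John Smith" <chairman@gmail.com>',
                'John Smith <chairman@exampleclub-org.uk>'):
        print(hdr, "->", flag_sender(hdr) or "ok")
```

In practice a mail gateway or rule would prepend a visible warning banner on any flagged message; the flags here are deliberately conservative and should prompt a phone call to the named officer, not replace the payment sign-off procedure.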
Andy Goulbourne, Associate Director of Sport and Recreation from Howden adds:
“Cyber-attacks against large corporations are in the news on an almost daily basis, but these types of low-level frauds, targeted against small organisations, can be really damaging. Several of our clients, from small members’ clubs to National Governing Bodies, have been targeted by phishing attacks that have cost them tens of thousands of pounds. However robust your IT security is, it won’t prevent losses resulting from human error or this kind of deception. A specific insurance policy could cover the cost of such a loss, and would also provide essential IT and legal support in the event of an attack on your website or in the case of a denial-of-service (DoS) issue in an attempt to corrupt an organisation’s network to make it temporarily or indefinitely unavailable for its users. This could lead to a loss of revenues and high costs to restore the website, as well as causing damage to your sports organisation’s reputation and customer relations.”
How can you find help?
For more information on whaling attacks and cyber-crime, or to discuss your club’s insurance needs, call British Triathlon's preferred insurance provider, Howden, on 0121 698 8000.
* Statistics according to a survey conducted by Mimecast.