Are you the next whale to be phished?
06 May 2016
Find out what whale phishing is, and how to protect your corporate whales from phishing attacks, in 4 easy steps.
When people hear the word "spam", they tend to think of unsolicited mass emails sent by individuals trying to blanket as many prospects as possible in the hope that at least one of them acts on the message. Traditionally, phishing attacks followed a similar process: cyber-criminals would send a generic email to a wide audience of recipients, with the aim of capturing personal information. As this method became more popular and prolific, spammers evolved their techniques by developing personalised phishing emails that are more sophisticated, harder to detect, and aimed at a targeted audience or even a single individual. One modern phishing attack that follows this targeted style is the "whale phish".
In contrast to traditional phishing tactics, which aim to catch as many victims as possible by casting a wide net across a wide audience, whale phishing is a cleverly crafted email targeting the most influential employees within a single company. Whilst most phishers aim for bank account details, credit card numbers and passwords for financial gain, the intent with whaling is to target top-level executives who have ongoing access to important data and heavily guarded systems. Rather than catching a few bits of less valuable information, cyber-criminals take the time to harpoon the biggest phish of them all: the company whale.
Unfortunately for organisations, whale phishing is much harder to detect than usual phishing attacks. Cyber-criminals aim to be as convincing as possible by carrying out extensive research on the target and the organisation before any attempt at contact is made. By viewing social media profiles on sites such as Twitter, LinkedIn and Facebook, the attacker can quickly learn crucial facts about their target that are then used to entice them into interacting with the email. Personal information such as current co-workers, everyday work duties and accurate job titles is more than enough for a cyber-criminal to socially engineer a seemingly genuine email. Kim Peretti from PricewaterhouseCoopers says that "As more private information becomes public, through social media sites and otherwise, targeting specific individuals within companies has become easier for hackers and thus a preferred method of attack."
In order to successfully target the most senior employees of a company, social engineering is used to manipulate people into divulging sensitive information. In some cases the sender address is spoofed and the company signature copied so that the email appears to come from an authoritative figure such as a senior manager, financial director or even the company's lawyer. Your own CEO could be targeted by a cleverly crafted email with a malicious attachment that appears to have been sent by your company's finance team. Simply opening this attachment could be disastrous, potentially compromising confidential files, employee passwords and in some cases your entire network.
Social engineering tactics like whale phishing can cause great damage to both individuals and organisations, because this type of attack can be hard to detect and prevent.
So what can you do to make sure your corporate whales are safe from being caught in a cyber-attack net?
1. Learn what a whaling attack is
If the phisher has done their research and copied the known characteristics of your company's email, it can be tricky to identify when you are being targeted. There are, however, key signs to look out for, such as out-of-the-ordinary communications, unusual attachments, or messages that just don't make sense in the context of your everyday activities. By always making sure you and your colleagues #CLICKCLEVER, you could potentially save your business thousands. As a general rule, always be suspicious of unsolicited emails and of messages where the sender knows too much about you. Remember, it's always better to double-check with the sender that s/he actually sent the email and be safe, rather than risk it and become a harpooned whale.
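The signs described above (a spoofed or look-alike sender, an executive's name on an address that is not theirs, a Reply-To that diverts responses elsewhere, and an unusual attachment) can be turned into a simple mail-gateway triage check. This is an added example, not code from the original post or from Prodec Networks; the internal domain, executive roster, risky extension list and both sample messages are constructed for illustration.

```python
"""Heuristic whaling triage: flag executive-impersonation signals in an email."""
import email
from email import policy
from email.utils import parseaddr

# Constructed tenant data (assumed): your domain, your executive roster and
# attachment types that a finance request would not normally carry.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "Finance Team": "finance@example.com"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip"}


def whaling_signals(raw_message: str) -> list[str]:
    """Return a list of human-readable reasons the message looks like a whale phish."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = []
    display, addr = parseaddr(msg.get("From", ""))
    addr_domain = addr.rpartition("@")[2].lower()
    # 1. Display name of a known executive on an address that is not theirs.
    if display in EXECUTIVES and addr.lower() != EXECUTIVES[display]:
        signals.append(f"display name '{display}' does not match roster address")
    # 2. Look-alike domain: our brand embedded in a domain that is not ours.
    if addr_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in addr_domain:
        signals.append(f"look-alike sender domain '{addr_domain}'")
    # 3. Reply-To silently redirects the conversation away from the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        signals.append(f"Reply-To '{reply}' differs from From")
    # 4. Attachment type that should not arrive unannounced.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            signals.append(f"risky attachment '{name}'")
    return signals


# Constructed sample: urgent wire request impersonating an executive.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: accounts@freemail.example
To: cfo@example.com
Subject: Urgent wire transfer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice today, I am in meetings all day.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: a genuine internal message from the same executive.
SAMPLE_CLEAN = "From: Jane Doe <jane.doe@example.com>\nTo: cfo@example.com\nSubject: Board minutes\n\nMinutes are on the shared drive.\n"

if __name__ == "__main__":
    for reason in whaling_signals(SAMPLE_WHALING):
        print("FLAG:", reason)
    print("clean message signals:", whaling_signals(SAMPLE_CLEAN))
```

A hit on any one signal is a prompt to verify out of band with the named sender, as the post recommends, not proof of an attack.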
2. Don’t let your CEOs and directors sit out on training
C-level executives in every organisation are very busy people, but this is absolutely no excuse for them to sit out of security awareness exercises. Most senior employees excuse themselves from cyber-security training when in fact they are the very people who should be attending regularly. Because executives and department heads hold a company's most valuable data, they are the most prized catch for cyber-attackers and will be targeted the most. These high-level employees and their direct assistants need to be made doubly aware of suspicious emails and how to spot the tell-tale signs of a phishing attack.
3. Carry out penetration tests
Regular training is always a good start, but why not go one step further and put your employees to the test? With your own workforce being one of the greatest threats to your network security, it's important to put the training into practice by "phishing" your own users. Simulated phishing and penetration tests reinforce the necessity of a #CLICKCLEVER workforce by targeting everyone within your organisation who has email privileges, from the CEO right through to the helpdesk. Security awareness and simulated phishing solutions from Prodec Networks help organisations manage the growing problems of social engineering, whale and spear phishing, and ransomware attacks. This security solution is designed to show you the percentage of your users who are "phish-prone" by carrying out random, tailored phishing tests on your organisation's users. Find out more about how a security awareness training solution from Prodec Networks can help organisations of all sizes combat the continuing problem of social engineering and phishing attacks.
4. Deploy comprehensive protection technology
Whilst mandatory employee training sessions and regular security awareness exercises are essential in any organisation, you should always consider a network security solution too. Proactively protecting your network is key to making sure your business does not fall victim to the next big attack. The relatively new solution Abatis HDF is a security program that, according to its vendor, stops 99.999% of all malware before it can execute any malicious code. This anti-malware software prevents executable files from being written to your computer's hard drives, stopping the malware at its source. Want to know more about Abatis? You can download a spec sheet here.
So - what next?
Whale phishing is just one approach that modern cyber-criminals are taking in order to steal personal data and extort businesses and individuals for financial gain. In today's digital-centric workplace, knowing how to recognise a potential attack before clicking or downloading anything is a skill that all employees should have, and security awareness training should be implemented and made mandatory. To find out more about identifying malicious emails, including spear phishing, ransomware and employee error, visit http://www.clickclever.co.uk or click on the banner below.