
Going for the big phish – are your execs safe from whaling attacks?

13 Aug 18

Article by Dekko Secure managing director Jacqui Nelson

Security experts are starting to see a proliferation of ‘whaling’, a more sophisticated and ambitious form of phishing.

Phishing is the practice of sending fraudulent emails in the hope of eliciting sensitive personal or company information.

Phishing attacks are common because they’re opportunistic, simple, cheap and the chances of being detected and apprehended remain low.

Reports to the Australian Criminal Intelligence Commission’s Australian Cybercrime Online Reporting Network (ACORN) indicated local businesses lost more than $20 million to business email compromise in 2016-17.

According to the Australian Cyber Security Centre, this figure is likely to represent only a small percentage of total activity, as misreporting and under-reporting are thought to be common.

Hooking the big fish

Unlike phishers, whalers aren’t interested in trawling for minnows.

They set their sights on bigger fish – typically CEOs or senior executives – and go to great lengths to impersonate them electronically.

Historically, phishing emails tended to be easy to spot, courtesy of amateurish logos, dodgy domain names and ungrammatical messages.

However, whalers are investing time and effort into producing internal communications which look and sound authentic.

Some employ legal experts to help them craft convincing messages, typically instructing more junior staff to release sensitive information or redirect company funds.

The intent is that when in receipt of an urgent and firmly worded email which appears to be from the boss, employees will be more inclined to action rather than query the instructions issued.

Some whalers even monitor executives’ movements so they can send emails at times when the purported sender is travelling or difficult to contact.

Raising awareness

The latest Notifiable Data Breach report for the second quarter of 2018 shows that 36% of breaches occur as a result of human error or carelessness, and 59% occur as a result of malicious or criminal attacks.

Holding weekly or monthly cybersecurity briefings can reduce the likelihood of a successful attack by keeping staff aware of the ongoing threat which phishing and whaling attacks pose.

Companies should encourage employees to check details like the domain name, email address, company logo, language and nature of the request: Is it out of the ordinary or does it call for a deviation from regular operating procedures?
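The checks described above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from Dekko Secure: it parses a raw email and flags the classic whaling indicators, namely a display name that matches an executive while the address does not, a look-alike sender domain (digit and Cyrillic confusables, "rn" for "m", edit distance), a Reply-To that diverges from From, and urgent payment language. The trusted domain, executive directory and both sample messages are constructed for illustration.

```python
"""Flag executive-impersonation indicators in an RFC 5322 email.

Added example (not from the article). TRUSTED_DOMAIN, EXECUTIVES and the
two sample messages are constructed, hypothetical data.
"""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                       # hypothetical internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical executive directory
URGENCY_PHRASES = ("urgent", "wire", "transfer", "confidential", "immediately", "today")

# Characters commonly substituted for look-alikes in registered domains.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s",
               "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x"}


def confusable_normalise(domain: str) -> str:
    """Map a look-alike domain back to the ASCII string it imitates."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch typo-squats such as exampel.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if domain imitates trusted without being identical to it."""
    if not domain or domain == trusted:
        return False
    if confusable_normalise(domain) == trusted:
        return True
    if domain.startswith(trusted + "."):      # e.g. example.com.attacker.net
        return True
    return levenshtein(domain, trusted) <= 2


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg["From"] or "")
    addr = addr.lower()
    domain = addr.rpartition("@")[2]

    # 1. Display name borrowed from an executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Sender domain imitates the company domain.
    if is_lookalike(domain, TRUSTED_DOMAIN):
        findings.append(f"look-alike sender domain {domain}")

    # 3. Replies silently routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg["Reply-To"] or "")
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    # 4. Urgent, out-of-process payment language in subject or body.
    part = msg.get_body(preferencelist=("plain", "html"))
    text = ((msg["Subject"] or "") + " " + (part.get_content() if part else "")).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("urgent payment language: " + ", ".join(hits))

    return findings


# Constructed sample: a whaling attempt using a digit-for-letter domain.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

I am travelling and cannot take calls. Please transfer the funds today and keep it confidential.
"""

# Constructed sample: a routine internal message from the real address.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack for Thursday
Content-Type: text/plain; charset=utf-8

Attached is the agenda for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("whaling", SAMPLE_WHALING), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(sample))
```

Run as-is it prints four findings for the constructed whaling sample and none for the legitimate one. In a gateway deployment the executive directory would come from the identity provider rather than a literal, and a finding should route the message to a verification queue rather than silently drop it, so that the recipient still gets the out-of-band phone call the article recommends.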

Additionally, instead of layering many security products to defend information, a simpler approach is sometimes more effective.

There is now a plethora of business-ready, secure messaging and file sharing tools that utilise technologies such as encryption to defend against targeted attacks after data leaves a computer.

The risks associated with sharing information via social media should also be highlighted to staff.

Seemingly innocuous snippets, such as the details and dates of an upcoming business trip, can provide hackers with insight into a target company’s operations which can be used to time an attack more effectively.

Creating an environment where people feel comfortable querying high-risk requests sent via email is critical.

An employee who has the confidence to pick up the phone and verify an instruction can be the lowest-tech but most highly effective line of defence there is against high tech fraudsters.

Stepping up security

The growing incidence – and increasing sophistication – of phishing and whaling attacks should be the catalyst for a broader review of email security.

In many businesses, this is likely to be overdue.

While the use of secure file sharing platforms for exchanging large documents is a well-entrenched practice, many organisations and individuals are not sufficiently mindful of the risks associated with sending sensitive information within emails.

But with email being an entrenched, ubiquitous and convenient communication channel in both the consumer and business worlds, tightening up security is likely to be a long-term challenge in many workplaces.

Once again, cybersecurity training sessions are the best way to ensure staff are aware of the dangers of sending any form of sensitive information – personal data, bank account details or sensitive company information – via insecure email systems.

Before hitting send, individuals should be encouraged to ask themselves three critical questions:

  • Am I sending something that’s important?
  • Is the channel I’m using secure?
  • Is my data encrypted, so that interception in transit or at rest does not expose it?

If no is the answer to any of the above, an alternative means of sharing the information should be sought.

Electronic safeguards

As cyber criminals continue to up the ante, human vigilance alone may not prove sufficient protection for organisations which are serious about safeguarding the integrity of their email communications.

Email encryption (whether applied at the client or end-to-end between sender and recipient) and two-factor authentication are invaluable elements of a holistic defence strategy.

Encrypted file sharing platforms can also be deployed to enable large files to be shared securely with other users.
