It’s evident that social engineering cyber-attacks, namely ‘phishing’ and ‘whaling’ have grown from small-scale issues into pre-eminent threats. Some companies targeted by such scams have lost as much as $57.6m, with the FBI estimating that whaling schemes have cost businesses $2.3bn globally in recent years
It’s evident that social engineering cyber-attacks, namely ‘phishing’ and ‘whaling’ have grown from small-scale issues into pre-eminent threats. Some companies targeted by such scams have lost as much as $57.6m, with the FBI estimating that whaling schemes have cost businesses $2.3bn globally in recent years.
Here's how it works: the cyber-criminal disguises themselves as a figure of authority within a company, such as a Managing Partner or CEO, and sends an email to an employee requesting a data transfer. This message will appear highly credible, have a similar-looking domain name and will be hand-typed by the criminal to avoid spam filter detection. The message will usually be urgent in nature and request immediate action, leading the recipient to ignore standard procedures for fear of being an annoyance to the CEO, which lets admit, none of us want.
So, what do you do?
A lot of people in that situation don’t do their due diligence and without question adhere to the needs of the perceived ‘CEO’. Companies including Snapchat, Seagate and Weight Watchers International have all fallen victim to such attacks in recent times, with 43% of organisations surveyed by Mimecast reporting an increase in attempted sensitive data transfers involving whaling or CEO impersonation fraud in the last 3 months alone.
The threat continues
“65% of IT professionals don’t feel fully equipped or up-to-date to reasonably defend against email-based attacks”.
Companies may lack the essential security safeguards to deter attackers such as data encryption, endpoint security and email gateway technology to identify suspicious email, but it begs the question - why?
Why, even in the wake of such high-profile companies being attacked by phishing and whaling scams are companies not taking note and improving their security procedures?
Here are five ways you can help guard yourself against attacks:
- Educate - Coach employees to recognise impersonation emails.
- Simulations – Send staged whaling emails to key individuals to raise awareness.
- Email Design – Periodically re-design email layouts and use unique identifiers.
- Rethink Procedures – Add extra levels to authentication procedures and second signatures when transferring money to trigger approval.
- Pick up the phone – If in doubt, pick up the phone! If there’s been a request to transfer funds, call the company that’s requested it and get it verified.