It’s evident that social engineering cyber-attacks, namely ‘phishing’ and ‘whaling’, have grown from small-scale issues into pre-eminent threats. Some companies targeted by such scams have lost as much as $57.6m, with the FBI estimating that whaling schemes have cost businesses $2.3bn globally in recent years.

Here's how it works: the cyber-criminal disguises themselves as a figure of authority within a company, such as a Managing Partner or CEO, and sends an email to an employee requesting a data transfer. The message will appear highly credible, will come from a similar-looking domain name and will be hand-typed by the criminal to avoid spam filter detection. It will usually be urgent in nature and request immediate action, leading the recipient to ignore standard procedures for fear of being an annoyance to the CEO, which, let's admit, none of us want.

So, what do you do?

A lot of people in that situation don’t do their due diligence and comply without question with the demands of the perceived ‘CEO’. Companies including Snapchat, Seagate and Weight Watchers International have all fallen victim to such attacks in recent times, with 43% of organisations surveyed by Mimecast reporting an increase in attempted sensitive data transfers involving whaling or CEO impersonation fraud in the last 3 months alone.

“65% of IT professionals don’t feel fully equipped or up-to-date to reasonably defend against email-based attacks”.

Companies may lack the essential security safeguards to deter attackers such as data encryption, endpoint security and email gateway technology to identify suspicious email, but it begs the question - why?

Why, even in the wake of such high-profile companies being hit by phishing and whaling scams, are companies not taking note and improving their security procedures?

Here are five ways you can help guard yourself against attacks:

  1. Educate – Coach employees to recognise impersonation emails.
  2. Simulations – Send staged whaling emails to key individuals to raise awareness.
  3. Email Design – Periodically re-design email layouts and use unique identifiers.
  4. Rethink Procedures – Add extra levels of authentication and require a second signature to approve any transfer of money.
  5. Pick up the phone – If in doubt, pick up the phone! If there’s been a request to transfer funds, call the company that’s requested it and get it verified.
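
The similar-looking domain name mentioned above is the detail an email gateway can catch mechanically. The following is an added example, not code from the original article or from Oosha: it folds common look-alike character substitutions (e.g. "rn" for "m", "0" for "o") and flags any sender domain within a couple of edits of the company's own. The company domain and the sample From: headers are constructed for the illustration; a real rule set would also check SPF/DKIM results and the display name.

```python
from email.utils import parseaddr

# Constructed placeholder for the company's genuine domain (not a real domain).
COMPANY_DOMAIN = "oosha-example.com"

# Character substitutions commonly used to make a domain resemble the real one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    """Lower-case the domain and fold look-alike characters to their originals."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, company_domain: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"          # no parsable address: treat as outside mail
    if domain == company_domain:
        return "internal"
    # After homoglyph folding, a domain within two edits of ours is suspicious.
    if edit_distance(normalise(domain), normalise(company_domain)) <= 2:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample From: headers, including two spoofed-CEO look-alikes.
    for hdr in ["CEO <ceo@oosha-example.com>", "CEO <ceo@oosha-exarnple.com>",
                "CEO <ceo@00sha-example.com>", "Bob <bob@other-supplier.example>"]:
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is a reason to hold the message for review or to tag it visibly for the recipient, which is exactly the prompt for step 5 above.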
Wayne Barber
Managing Director, Oosha
