It’s evident that social engineering cyber-attacks, namely ‘phishing’ and ‘whaling’, have grown from small-scale issues into pre-eminent threats. Some companies targeted by such scams have lost as much as $57.6m, with the FBI estimating that whaling schemes have cost businesses $2.3bn globally in recent years.

Here's how it works: the cyber-criminal disguises themselves as a figure of authority within a company, such as a Managing Partner or CEO, and sends an email to an employee requesting a data transfer. The message will appear highly credible, will come from a similar-looking domain name and will be hand-typed by the criminal to avoid spam filter detection. It will usually be urgent in nature and request immediate action, leading the recipient to ignore standard procedures for fear of being an annoyance to the CEO, which, let's admit, none of us want.
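The pattern described above has tell-tale signs a mail filter or analyst can check for: a display name that matches an executive while the address does not, a sender domain only a character or two away from the real one, and urgent payment language. The following Python is an added example, not code from the original post; the firm's domain, executive list, keyword list and sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's real domain and
# the executives most likely to be impersonated, with their genuine addresses.
OWN_DOMAIN = "example-firm.co.uk"
EXECUTIVES = {"jane smith": "jane.smith@example-firm.co.uk"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|wire|transfer)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """True if the domain is not ours but within two edits of it (e.g. 'flrm' for 'firm')."""
    d = domain.lower()
    return d != OWN_DOMAIN and edit_distance(d, OWN_DOMAIN) <= 2


def whaling_indicators(raw_message):
    """Return the list of impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    flags = []
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        flags.append("display name matches an executive but address differs")
    if lookalike_domain(domain):
        flags.append("sender domain is a lookalike of " + OWN_DOMAIN)
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    if URGENCY.search(msg.get("Subject", "") + " " + msg.get_payload()):
        flags.append("urgency or payment language")
    return flags


# Constructed sample: a typical whaling email aimed at the accounts team.
SAMPLE = """From: Jane Smith <jane.smith@example-flrm.co.uk>
To: accounts@example-firm.co.uk
Subject: Urgent wire transfer needed today

Please transfer 50,000 to the account below immediately; I'm in a meeting."""
```

Running `whaling_indicators(SAMPLE)` yields three flags; a genuine message from the executive's real address with no payment language yields none.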

So, what do you do?

A lot of people in that situation don’t do their due diligence and without question adhere to the needs of the perceived ‘CEO’. Companies including Snapchat, Seagate and Weight Watchers International have all fallen victim to such attacks in recent times, with 43% of organisations surveyed by Mimecast reporting an increase in attempted sensitive data transfers involving whaling or CEO impersonation fraud in the last 3 months alone.  

“65% of IT professionals don’t feel fully equipped or up-to-date to reasonably defend against email-based attacks”.

Companies may lack the essential safeguards that deter attackers, such as data encryption, endpoint security and email gateway technology to identify suspicious email, but that begs the question - why?

Why, even in the wake of such high-profile companies being attacked by phishing and whaling scams are companies not taking note and improving their security procedures?

Here are five ways you can help guard yourself against attacks:

  1. Educate – Coach employees to recognise impersonation emails.
  2. Simulations – Send staged whaling emails to key individuals to raise awareness.
  3. Email Design – Periodically re-design email layouts and use unique identifiers.
  4. Rethink Procedures – Add extra levels to authentication procedures and second signatures when transferring money to trigger approval.
  5. Pick up the phone – If in doubt, pick up the phone! If there’s been a request to transfer funds, call the company that’s requested it and get it verified.

Wayne Barber
Managing Director, Oosha