
Going for the big phish – are your execs safe from whaling attacks?

13 Aug 2018

Article by Dekko Secure managing director Jacqui Nelson

Security experts are starting to see a proliferation of ‘whaling’, a more sophisticated and ambitious form of phishing.

Phishing is the practice of sending fraudulent emails in the hope of eliciting sensitive personal or company information.

Phishing attacks are common because they’re opportunistic, simple, cheap and the chances of being detected and apprehended remain low.

Reports to the Australian Criminal Intelligence Commission’s Australian Cybercrime Online Reporting Network (ACORN) indicated that local businesses lost more than $20 million to business email compromise in 2016-17.

According to the Australian Cyber Security Centre, this figure is likely to represent only a small percentage of total activity, as misreporting and under-reporting are thought to be common.

Hooking the big fish

Unlike phishers, whalers aren’t interested in trawling for minnows.

They set their sights on bigger fish – typically CEOs or senior executives – and go to great lengths to impersonate them electronically.

Historically, phishing emails tended to be easy to spot, courtesy of amateurish logos, dodgy domain names and ungrammatical messages.

However, whalers are investing time and effort into producing internal communications which look and sound authentic.

Some employ legal experts to help them craft convincing messages, typically instructing more junior staff to release sensitive information or misdirect company funds.

The intent is that an employee who receives an urgent, firmly worded email which appears to come from the boss will be more inclined to act on the instructions than to query them.

Some whalers even monitor executives’ movements so they can send emails at times when the purported sender is travelling or difficult to contact.

Raising awareness

The latest Notifiable Data Breach report for the second quarter of 2018 shows that 36% of breaches occur as a result of human error or carelessness, and 59% occur as a result of malicious or criminal attacks.

Holding weekly or monthly cybersecurity briefings can reduce the likelihood of a breach by raising staff awareness of the ongoing threat which phishing and whaling attacks pose.

Companies should encourage employees to check details like the domain name, email address, company logo, language and nature of the request: Is it out of the ordinary or does it call for a deviation from regular operating procedures?
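The checks listed above can also be applied mechanically to inbound mail before it reaches an inbox. The script below is an added example written for this article, not a tool from the author or Dekko Secure. It assumes a hypothetical company domain (`example.com`), a hypothetical executive list, and two constructed sample messages, and it flags the cues a vigilant employee is asked to look for: an executive's display name on an address that is not theirs, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and a request that combines urgency with moving money.

```python
"""Heuristic triage of inbound mail for executive-impersonation ("whaling") cues.

Added example, not part of the original article.  COMPANY_DOMAIN, EXECUTIVES
and the two sample messages are assumptions constructed for illustration.
"""
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                        # assumption: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # assumption: display name -> real address

URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential", "do not discuss")
PAYMENT_WORDS = ("wire", "transfer", "bank account", "invoice", "payment", "gift card")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from our domain is a look-alike (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def whaling_indicators(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 5322 message (empty = nothing seen)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. An executive's display name attached to an address that is not their real one.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"executive display name '{name}' on foreign address {addr}")

    # 2. Sender domain that is close to ours but is not ours.
    if from_dom and from_dom != COMPANY_DOMAIN and edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_dom}")

    # 3. Reply-To pointing at a different domain, so replies are quietly diverted.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply)} differs from sender domain {from_dom}")

    # 4. Nature of the request: urgency and money movement in the same message.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    urgent = [w for w in URGENCY_WORDS if w in text]
    money = [w for w in PAYMENT_WORDS if w in text]
    if urgent and money:
        findings.append(f"urgent payment request: {urgent} + {money}")
    return findings


# Constructed sample: the classic "boss is travelling, pay this now" whaling message.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@fastmail-relay.example
To: accounts@example.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset=utf-8

I'm travelling and hard to reach. Please process the attached invoice by wire
transfer immediately and do not discuss this with anyone until I'm back.
"""

# Constructed sample: routine internal mail from the real executive address.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain; charset=utf-8

Attached is the draft agenda for the offsite. Comments by Friday please.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", whaling_indicators(sample) or "no indicators")
```

Heuristics like these produce false positives (a genuine executive using a personal address while travelling looks exactly like finding 1), so the right action on a hit is to route the message for the out-of-band verification the article recommends, not to silently drop it.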

Additionally, instead of having many layers of security to defend information, sometimes simpler can be better.

There is now a plethora of business-ready, secure messaging and file sharing tools that utilise technologies such as encryption to protect data after it leaves a computer. Note that encryption protects the content from being read if it is intercepted; it does not stop an employee acting on a fraudulent instruction, which is why the verification habits above still matter.

The risks associated with sharing information via social media should also be highlighted to staff.

Seemingly innocuous snippets, such as the details and dates of an upcoming business trip, can provide hackers with insight into a target company’s operations which can be used to time an attack more effectively.

Creating an environment where people feel comfortable querying high-risk requests sent via email is critical.

An employee who has the confidence to pick up the phone and verify an instruction can be the lowest-tech but most highly effective line of defence there is against high tech fraudsters.

Stepping up security

The growing incidence – and increasing sophistication – of phishing and whaling attacks should be the catalyst for a broader review of email security.

In many businesses, this is likely to be overdue.

While the use of secure file sharing platforms for exchanging large documents is a well-entrenched practice, many organisations and individuals are not sufficiently mindful of the risks associated with sending sensitive information within emails.

But with email being an entrenched, ubiquitous and convenient communication channel in both the consumer and business worlds, tightening up security is likely to be a long-term challenge in many workplaces.

Once again, cybersecurity training sessions are the best way to ensure staff are aware of the dangers of sending any form of sensitive information – personal data, bank account details or sensitive company information – via insecure email systems.

Before hitting send, individuals should be encouraged to ask themselves three critical questions:

  • Am I sending something that’s important?
  • Is the channel I’m using secure?
  • Is my data encrypted so that it cannot be read if it is intercepted?

If no is the answer to any of the above, an alternative means of sharing the information should be sought.

Electronic safeguards

As cyber criminals continue to up the ante, human vigilance alone may not prove sufficient protection for organisations which are serious about safeguarding the integrity of their email communications.

Email encryption – whether applied at the mail client or end-to-end between sender and recipient – and two-factor authentication on email accounts (which makes it harder for an attacker to take over a genuine executive mailbox and send from it) are invaluable elements of a holistic defence strategy.

Encrypted file sharing platforms can also be deployed to enable large files to be shared securely with other users.
