Security experts are starting to see a proliferation of ‘whaling', a more sophisticated and ambitious form of phishing.
Phishing is the practice of sending fraudulent emails in the hope of eliciting sensitive personal or company information.
Phishing attacks are common because they're opportunistic, simple, cheap and the chances of being detected and apprehended remain low.
Reports to the Australian Criminal Intelligence Commission's Australian Cybercrime Online Reporting Network (ACORN) indicated local businesses lost more than $20 million as a result of business emails compromised in 2016-17.
According to the Australian Cyber Security Centre, this figure is likely to represent only a small percentage of total activity, as misreporting and under-reporting are thought to be common.
Hooking the big fish
Unlike phishers, whalers aren't interested in trawling for minnows.
They set their sights on bigger fish – typically CEOs or senior executives – and go to great lengths to impersonate them electronically.
Historically, phishing emails tended to be easy to spot, courtesy of amateurish logos, dodgy domain names and ungrammatical messages.
However, whalers are investing time and effort into producing internal communications which look and sound authentic.
Some employ legal experts to help them craft convincing messages, typically adjuring more junior staff to release sensitive information or misdirect company funds.
The intent is that when in receipt of an urgent and firmly worded email which appears to be from the boss, employees will be more inclined to action rather than query the instructions issued.
Some whalers even monitor executives' movements so they can send emails at times when the purported sender is travelling or difficult to contact.
The latest Notifiable Data Breach report for the second quarter of 2018 shows that 36% of breaches occur as a result of human error or carelessness, and 59% occur as a result of malicious or criminal attacks.
Holding weekly or monthly cybersecurity briefings can slash breach rates by raising staff awareness of the ongoing threat which phishing and whaling attacks pose.
Companies should encourage employees to check details like the domain name, email address, company logo, language and nature of the request: Is it out of the ordinary or does it call for a deviation from regular operating procedures?
Additionally, instead of having many layers of security to defend information, sometimes simpler can be better.
There is now a plethora of business-ready, secure messaging and file sharing tools that utilise technologies such as encryption to defend against targeted attacks after data leaves a computer.
The risks associated with sharing information via social media should also be highlighted to staff.
Seemingly innocuous snippets, such as the details and dates of an upcoming business trip, can provide hackers with insight into a target company's operations which can be used to time an attack more effectively.
Creating an environment where people feel comfortable querying high-risk requests sent via email is critical.
An employee who has the confidence to pick up the phone and verify an instruction can be the lowest-tech but most highly effective line of defence there is against high tech fraudsters.
Stepping up security
The growing incidence – and increasing sophistication – of phishing and whaling attacks should be the catalyst for a broader review of email security.
In many businesses, this is likely to be overdue.
While the use of secure file sharing platforms for exchanging large documents is a well-entrenched practice, many organisations and individuals are not sufficiently mindful of the risks associated with sending sensitive information within emails.
But with email being an entrenched, ubiquitous and convenient communication channel in both the consumer and business worlds, tightening up security is likely to be a long-term challenge in many workplaces.
Once again, cybersecurity training sessions are the best way to ensure staff are aware of the dangers of sending any form of sensitive information – personal data, bank account details or sensitive company information – via insecure email systems.
Before hitting send, individuals should be encouraged to ask themselves three critical questions:
- Am I sending something that's important?
- Is the channel I'm using secure?
- Is my data encrypted so it cannot be compromised?
If no is the answer to any of the above, an alternative means of sharing the information should be sought.
As cyber criminals continue to up the ante, human vigilance alone may not prove sufficient protection for organisations which are serious about safeguarding the integrity of their email communications.
Email encryption – either client or end-to-end – and two-factor authentication are invaluable elements of a holistic defence strategy.
Encrypted file sharing platforms can also be deployed to enable large files to be shared securely with other users.