From the Desk of Tim Verrill, Sr., Systems Engineer
By now, you’re likely familiar with the term phishing – the process by which a fraudster attempts to get someone to release credentials or sensitive information. Did you know that 91% of successful data breaches start with a phishing attack? Almost two-thirds of US organizations experienced a successful phishing attack last year, far higher than the global average.
Oftentimes we think of phishing as a poorly worded e-mail asking us to reset a password or unlock an account. But for any company there is a much larger risk from targeted phishing and whaling.
Targeted phishing (or spear-phishing) has become an ever-present threat to corporate security. Despite best efforts, targeted phishing attacks are frequently successful because they focus on the organization’s weakest links: employees. Targeted phishing attacks succeed by using information gleaned from social websites and other sources to create a sense of familiarity. These phishing email scams may mention a mutual friend, cite a recent purchase or include information that appears to come from a trusted source. It is no accident that Eagle doesn’t post clients by name on our website, because a bad actor could call one of them posing as one of our technicians to request access to a desktop, for instance. We recommend that our clients consider this with their own marketing to keep their clients safer.
Once they have established trust, targeted phishing campaigns ask the recipient to provide some information or to login to a website that turns out to be phony or infected with malware.
To prevent phishing attacks and targeted phishing attacks, organizations need powerful tools to identify suspicious email and prevent employees from acting on it.
A whaling attack, also known as a whaling phishing attack, is a specific type of phishing attack that targets high-profile employees, such as the CEO or CFO, in order to steal sensitive information from a company. In many whaling attacks, the attacker’s goal is to manipulate the victim into authorizing high-value wire transfers to the attacker. With some research on the web about your company, it is often easy to find a purchase your company commonly makes. If you are in construction, for instance, a piece of heavy equipment may be a reasonable request for an ACH transfer, which makes the request more likely to be acted upon.
The term whaling stems from the size of the attacks, and the whales are thought to be picked based on their authority within the company. Due to their highly targeted nature, whaling attacks are often more difficult to detect than standard phishing attacks.
Emails are by far the most effective phishing method: 98% of all phishing attacks use email. In the past, phishing emails focused on including links or attachments with malware; more recently, successful whaling attacks have made a single request that seems plausible to the target.
HR and payroll teams are frequent targets of whaling attacks because they have access to sensitive personal data and finances. You’ve likely seen reports in the news of companies wiring thousands of dollars, paying phony invoices, or releasing information because of a targeted attack from someone pretending to be the CEO – the result of carefully crafted attacks. Another popular one is an email to HR, purporting to come from an employee, saying they have just changed their bank for direct deposit.
In the enterprise, security administrators can help reduce the effectiveness of whaling attacks by encouraging staff to undergo information security awareness training. Multi-factor authentication is a must to secure your email. If you have Office 365 or a similar product and do not have MFA on it, we strongly recommend reaching out to have us start the process. Without it, hackers could access your mailbox and send as you, which makes the bad actor very difficult to detect. They will put in rules to file your replies as junk so you don’t see them. We have actually seen replies to such emails asking if it is really them. The hacker replies that it is really them, while the unsuspecting user never sees those emails because of the new Outlook rules that were created.
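Those hidden Outlook rules leave a trail an administrator can check. The script below is an added example written for this post, not a tool from Eagle Network Solutions or Microsoft: it walks a list of mailbox rules and flags the ones that quietly move mail to Junk or Deleted Items, mark it as read, forward it outside the company, or filter on payment-related subject lines. The rule records are constructed sample data; their field names are modeled on the properties Exchange Online’s Get-InboxRule cmdlet returns (Name, Enabled, MoveToFolder, DeleteMessage, MarkAsRead, ForwardTo, RedirectTo, SubjectContainsWords), with forwarding targets simplified to plain addresses. The folder list, keyword list, internal domain and severity thresholds are assumptions chosen for illustration.

```python
"""Flag mailbox inbox rules of the kind an account hijacker leaves behind.

Added example, not code from the original post. Field names are modeled on
Exchange Online's Get-InboxRule output; the sample rules below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: the organization's own mail domain(s). Forwarding anywhere else is external.
INTERNAL_DOMAINS = {"example.com"}

# Folders a hijacker's rule typically routes replies into so the owner never sees them (assumption).
HIDING_FOLDERS = {"junk email", "junk e-mail", "deleted items", "rss feeds", "archive"}

# Subject words that match the wire-transfer / direct-deposit lures described in the post (assumption).
SUSPICIOUS_SUBJECT_WORDS = {"invoice", "wire", "payment", "ach", "direct deposit", "bank", "urgent"}


@dataclass
class Finding:
    rule_name: str
    severity: str          # "high" or "medium"
    reasons: List[str]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def analyze_rule(rule: dict) -> Optional[Finding]:
    """Return a Finding if the rule looks like reply-hiding or exfiltration, else None."""
    if not rule.get("Enabled", True):
        return None                      # disabled rules do nothing; not worth an alert

    reasons = []
    hides = False

    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if folder in HIDING_FOLDERS:
        hides = True
        reasons.append(f"moves matching mail to '{rule['MoveToFolder']}'")
    if rule.get("DeleteMessage"):
        hides = True
        reasons.append("deletes matching mail")
    if rule.get("MarkAsRead"):
        reasons.append("marks matching mail as read")

    # Any forward or redirect to a non-company domain is treated as exfiltration.
    targets = []
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        targets.extend(rule.get(key) or [])
    external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards or redirects mail outside the organization: " + ", ".join(external))

    words = {w.strip().lower() for w in (rule.get("SubjectContainsWords") or [])}
    hits = sorted(words & SUSPICIOUS_SUBJECT_WORDS)
    if hits:
        reasons.append("filters on payment-related subject words: " + ", ".join(hits))

    name = (rule.get("Name") or "").strip()
    if len(name) <= 1:
        reasons.append("rule name is blank or a single character")

    # Severity: external forwarding, or hiding combined with a lure keyword / mark-as-read, is high.
    if external or (hides and (hits or rule.get("MarkAsRead"))):
        severity = "high"
    elif hides:
        severity = "medium"
    else:
        return None
    return Finding(rule_name=name or "<unnamed>", severity=severity, reasons=reasons)


def analyze_mailbox(rules: List[dict]) -> List[Finding]:
    """Analyze every rule in a mailbox; high-severity findings come first."""
    findings = [f for f in (analyze_rule(r) for r in rules) if f is not None]
    return sorted(findings, key=lambda f: (f.severity != "high", f.rule_name))


# Constructed sample: one mailbox's rules as they might look after an export.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "wire transfer"],
     "MoveToFolder": "Junk Email", "MarkAsRead": True},
    {"Name": "Newsletters", "Enabled": True, "FromAddressContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": "Backup", "Enabled": True, "ForwardTo": ["personal-mail@mailbox.example.net"]},
    {"Name": "Old project", "Enabled": False, "DeleteMessage": True},
    {"Name": "Cleanup", "Enabled": True, "MoveToFolder": "Deleted Items",
     "SubjectContainsWords": ["re:", "fwd:"]},
]

if __name__ == "__main__":
    for finding in analyze_mailbox(SAMPLE_RULES):
        print(f"[{finding.severity.upper()}] rule '{finding.rule_name}':")
        for reason in finding.reasons:
            print("   -", reason)
```

Run against the constructed sample, the script reports the "." rule and the "Backup" rule as high severity and "Cleanup" as medium, and says nothing about the legitimate newsletter rule or the disabled one. In practice the rule list would come from an export of each mailbox’s rules, and the same review is worth repeating after any suspected compromise, since removing the rule is as important as resetting the password.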
Eagle Network Solutions offers businesses Dark Web monitoring and a cybersecurity training solution followed up with our own phishing campaign on your employees to test their skills. These tools provide simulated phishing attacks and security awareness training campaigns, making your employees the best defense against cybercrime, and allow us to identify, analyze and proactively monitor for an organization’s compromised or stolen employee and customer data. Knowing when your stolen credentials hit the dark web helps keep you and your organization safe from attacks. Plans start at $99/month for Dark Web monitoring and $49/month for Security Awareness training and phishing. Click the hyperlinks for more details.