Phishing is among the most popular attack techniques used by online criminals. It is used to trick consumers into forking over their sign-on credentials to financial and credit card sites, to fool email recipients with scams, and to get users to click on attachments that launch malware used to exploit the victim’s endpoint.
Just before the holidays, email services provider Mimecast released results of an IT professionals survey showing that the majority (55%) of organizations have seen an increase in the volume of whaling email attacks over the last three months.
Traditionally, whaling attacks have been defined as phishing attacks that target high-profile victims. These can be politicians, celebrities and, of course, corporate executives.
Whaling attacks are in many ways similar to phishing (mass email attempts to defraud or compromise users) and spear-phishing attacks (the targeting of a specific person) in that they use social engineering to compromise users. But whaling attacks use either entirely spoofed email domains, making it look as if the email came from an internal email system, or they use domains that look very similar to the internal email system.
Mimecast’s research found that most of the whaling attacks come under the pretense of being sent by the CEO (72%), while 36% come from the “CFO.”
These types of attacks have become easier to execute in recent years as social networks have made it much easier to obtain information about executives. Today, it often takes little more than a scan of a social media network to gain the name, titles and detailed descriptions of executives to build a corporate hierarchy. A look at Twitter can often reveal personal interests and behaviors, leaked slowly 140 characters at a time over weeks, months and years. All of this is excellent fodder for creating emails that could potentially fool anyone.
Mimecast provided a handful of recommendations for IT teams to consider when mitigating whaling attacks, and they are worth your consideration:
- Educate senior management, key staff and finance teams on this specific type of attack.
- Carry out tests within your business. Build your own whaling attack as an exercise to gauge the vulnerability of staff.
- Use technology where possible. Consider inbound email stationery (banners) that marks and alerts employees to emails that have originated outside of the corporate network.
- Subscribe to domain-name registration alerting services so you know when domains are created that closely resemble your corporate domain.
- Consider registering all available top-level domains (TLDs) for your domain, although with the emergence of generic TLDs (gTLD) this may not be scalable.
- Review your finance team’s procedures and consider revising how payments to external third parties are authorized.
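The look-alike domain problem described above (spoofed or closely resembling domains, and alerting on new registrations that resemble yours) can be triaged automatically. The following is an added example, not code from Mimecast or from the original article; the corporate domain, the homoglyph table and the sample registration feed are constructed, and the label extraction assumes a one-label TLD rather than a public-suffix-list lookup.

```python
"""Flag newly registered domains that resemble a corporate domain (constructed example)."""
from typing import Dict, Iterable, Optional

# Characters attackers commonly swap for look-alike ones. Constructed and not exhaustive;
# multi-character keys such as "rn" -> "m" are applied before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

def registrable_label(domain: str) -> str:
    """Return the label left of the TLD. Assumes a one-label TLD (no public-suffix lookup)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def fold(label: str) -> str:
    """Collapse homoglyph substitutions and hyphens so 'exarnp1e-corp' folds to 'examplecorp'."""
    for glyph, base in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(glyph, base)
    return label.replace("-", "")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(candidate: str, corporate: str) -> Optional[str]:
    """Return why `candidate` resembles `corporate`, or None if it does not."""
    if candidate.lower().rstrip(".") == corporate.lower().rstrip("."):
        return None  # the real corporate domain itself
    cand, corp = registrable_label(candidate), registrable_label(corporate)
    if cand == corp:
        return "same name under a different TLD"
    if fold(cand) == fold(corp):
        return "homoglyph or hyphen variant"
    if corp in cand and len(cand) - len(corp) <= 12:
        return "corporate name embedded with extra words"
    if levenshtein(cand, corp) <= (1 if len(corp) < 8 else 2):
        return "typo distance within threshold"
    return None

def triage(new_domains: Iterable[str], corporate: str) -> Dict[str, str]:
    """Map each suspicious domain in a registration feed to the reason it was flagged."""
    flagged = {}
    for domain in new_domains:
        reason = lookalike_reason(domain, corporate)
        if reason:
            flagged[domain] = reason
    return flagged

NEW_REGISTRATIONS = [  # constructed sample feed from a domain-registration alerting service
    "examplecorp.net", "exarnplecorp.com", "example-corp.com", "examplecorp-payroll.com",
    "exampelcorp.com", "unrelated.com", "examplecorp.com",
]
```

Running `triage(NEW_REGISTRATIONS, "examplecorp.com")` flags five of the seven entries, each with the reason a reviewer would want when deciding whether to block the domain at the gateway or request a takedown.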