When the notorious thief Willie Sutton was asked why he robbed banks, he reportedly replied: “That’s where the money is.” Hackers have a similarly simple motivation for targeting senior executives and other key managers. They have the best data.
Law enforcement officials and information security experts have noted a significant rise in the number of phishing-type attacks aimed at executives, managers and other key individuals in IT, accounting and finance. Unlike traditional phishing scams that cast a wide net with mass distribution of fake emails, so-called “whaling” attacks are highly targeted at the big fish who have complete access to the most sensitive company data.
Whaling attacks tend to be highly personalized and more carefully crafted, with none of the spelling and grammar mistakes common in generic phishing scams. Whaling emails are often designed by professionals with corporate logos, names, job titles, phone numbers and other details that make the communications look as legitimate as possible.
Executives are not merely attractive targets — too often, they are remarkably easy targets. Because they engage with such a broad range of business partners, associates, suppliers and contacts, they don’t want to be restrained by digital limitations. They often sidestep good security practices in the name of convenience.
For instance, CEOs are often on the move and wish to remain connected in airports, hotels or restaurants. However, using public Wi-Fi hotspots to make those connections can expose a wealth of sensitive information, including usernames and passwords.
Many successful attacks exploit the fact that employees don’t generally question a directive from the executive suite. There have been several cases where hackers spoofed the CEO’s email and tricked payroll into forwarding the W-2 forms for all employees. The FBI has also reported a sharp increase in wire transfer fraud in which a spoofed email message directs an employee to move funds to a fake account.
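The spoofed-CEO pattern described above can be checked mechanically before a message reaches payroll or finance. The following is an added example, not code from the original article: it flags a message when a known executive's display name arrives from an outside domain, when Reply-To is redirected elsewhere, or when the body asks for funds or tax forms. The domain, executive names and sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: our own domain, the display names most likely to be
# impersonated, and phrases typical of wire-transfer and W-2 requests.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}
REQUEST_KEYWORDS = ("wire transfer", "w-2", "payment", "account number")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def inspect_message(raw: str) -> list:
    """Return the reasons a message looks like executive impersonation."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    reasons = []
    # 1. An executive's name on the envelope, but the address is not ours.
    if display.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        reasons.append(f"executive display name from external domain {from_domain!r}")
    # 2. Replies are silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain!r} differs from {from_domain!r}")
    # 3. The body asks for money or tax data, the usual goal of a whaling email.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(k in text for k in REQUEST_KEYWORDS):
        reasons.append("body requests funds or tax forms")
    return reasons


# Constructed sample: a fake "CEO" asking payroll for every employee's W-2.
SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.office@mail-relay.net
To: payroll@example.com
Subject: Urgent request
Content-Type: text/plain

Please send me the W-2 forms for all employees today.
"""

if __name__ == "__main__":
    for reason in inspect_message(SAMPLE):
        print("FLAG:", reason)
```

A hit on any rule is a reason to verify the request by phone or in person, as the article recommends, rather than a reason to block outright.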
Education is always the first line of defense against both phishing and whaling attacks. Although there may be some initial pushback from the C-suite, IT should administer hands-on training exercises to teach execs how to follow strict data protection standards. Employees must also be encouraged to verify unusual or suspicious email requests either by phone or in person.
Review all security policies and preventive procedures on a regular basis. Because email is the chief mechanism for phishing and whaling scams, establish policies for regularly updating passwords, with requirements that make them hard to crack. Make sure help desk and IT staff require verification before giving out forgotten passwords. Periodically review network access and authentication policies to prevent unauthorized access.
Education and prevention are elements of a strong “human firewall” for thwarting phishing and whaling attacks. Of course, that’s only part of the solution. IT must also secure the infrastructure to prevent potential exploits. It is imperative that operating systems, browsers, plugins, antivirus and email filtering solutions are up to date, and that all software is properly patched.
A periodic security assessment from a reputable managed security services provider can be invaluable for identifying potential vulnerabilities and providing recommendations. This is why annual security assessments and quarterly network perimeter assessments are key elements of the SSD Assurance program. Let our team of professionals help you shore up your defenses and develop and maintain policies based upon industry best practices.