The Evolution: From Phish to Whale
The continuing surge of phishing scams has kept businesses on their toes when it comes to operating their email accounts safely. The term "phishing" refers to attackers luring targets with bait sent by email and hooking them when the victim takes the bait: entering personal information or clicking on infected files or links. The effects of a phishing attack can be devastating; it can derail personal careers, damage a company's reputation, and ultimately cause financial ruin.
Types of Phishing
Phishing began as a large-scale trap, a fishing net cast into an ocean of targets. The idea is to hook as many people as possible by sending from addresses that impersonate trusted brands like FedEx, UPS, Amtrak, etc. The messages typically describe a customer-support issue, such as a delivery or account problem. Victims of these scams can lose personal information and money, and can infect their machines with downloaded malware.
From this evolved spear phishing, a more developed scam. The attackers disguise themselves as a personal confidant: a fellow employee, a friend, a family member, etc. The message includes details such as the target's name, their employer, or a phone number, which makes the bait even more convincing. Targeted phishing aims to infect the computer with malware, which can lead to the doomsday scenario for companies: crypto-ransomware.
Most recently, attackers have been going after the biggest fish with a heavily targeted form of spear phishing. In whaling, attackers disguise themselves as the CEO, the company attorney, or a vendor, and target those with financial authority to obtain information or payments. Attackers will research a company for months, learning employee roles, the projects or cases underway, etc., and shape their email to be as alluring as possible. Wire transfers are the common end result of whaling scams.
So, how can companies prevent phishing attacks?
Employ new policies for non-company email usage.
The latest techniques used by attackers rely on researching employee names and their roles. So, if a member of your staff receives an email from the CEO’s Gmail account, it should definitely raise red flags.
Alert key staff of whaling scams.
Targets of these scams usually have the authority to make wire transfers or other financial transactions. This could include senior executives, or lower-level staff who believe an executive is requesting urgent action and skip normal procedures as a result. Attackers commonly target companies that conduct wire transfers or work with foreign vendors on a regular basis, because a payment request looks routine there and the phishing email is less detectable.
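The two red flags above (an executive's name on an outside mailbox, and an urgent financial request from an external sender) can be screened for mechanically before a message reaches a finance inbox. The following is an added example, not code from the original article; the company domain, the executive roster, the keyword lists and the three sample messages are all constructed for illustration.

```python
"""Screen inbound mail for executive impersonation (whaling) signals.

Added example for this article. The company domain, executive roster
and sample messages are constructed assumptions, not real data.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                  # assumed
EXECUTIVES = {"jane doe": "CEO", "sam lee": "general counsel"}  # assumed roster
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENT_WORDS = ("urgent", "immediately", "today", "asap")
FINANCE_WORDS = ("wire transfer", "wire", "payment", "invoice", "bank details")


def whaling_signals(raw_message: str) -> list:
    """Return human-readable reasons the message looks like whaling.

    An empty list means none of the checks fired; it is not proof the
    message is safe, only that these particular patterns are absent.
    """
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    name_key = display_name.strip().lower()
    reasons = []

    # Check 1: a known executive's display name on a non-company address.
    claims_executive = name_key in EXECUTIVES
    if claims_executive and domain != COMPANY_DOMAIN:
        reasons.append(
            f"display name '{display_name}' matches the {EXECUTIVES[name_key]} "
            f"but the sender domain is '{domain}', not {COMPANY_DOMAIN}"
        )
    # Check 2: the "CEO's Gmail account" case called out in the article.
    if claims_executive and domain in FREEMAIL_DOMAINS:
        reasons.append(f"executive name on a free webmail account ({domain})")

    # Check 3: an external sender combining urgency with a money request.
    body = msg.get_payload(decode=True)
    text = body.decode("utf-8", "replace") if body else ""
    content = (msg.get("Subject", "") + "\n" + text).lower()
    urgent = any(word in content for word in URGENT_WORDS)
    finance = any(word in content for word in FINANCE_WORDS)
    if domain != COMPANY_DOMAIN and urgent and finance:
        reasons.append("external sender combines urgency with a financial request")
    return reasons


# Constructed sample messages (not real mail).
SUSPECT = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please process this wire transfer today; I am in a meeting and cannot take calls.
"""

VENDOR = """From: Billing <billing@vendor-example.net>
To: accounts@example.com
Subject: Updated bank details

Please update the bank details for invoice 1234 immediately.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("SUSPECT", SUSPECT), ("VENDOR", VENDOR), ("LEGIT", LEGIT)):
        hits = whaling_signals(sample)
        print(f"{label}: {'FLAGGED' if hits else 'clean'}")
        for reason in hits:
            print("  -", reason)
```

Run as a script, the first message is flagged on all three checks, the vendor message on the urgency-plus-payment check only, and the genuine internal message on none. Keyword matching like this is deliberately crude; its value is in routing flagged mail to a human who confirms the request out of band, not in deciding on its own.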
Training is essential.
Make sure to have a comprehensive security awareness training program in place. It is also important to keep up to date with the newest cyberthreats as they emerge and to review current tips and recommendations. After reviewing, remember to train employees once more. As the trends described above show, phishing scams will inevitably evolve once again.