Con artists are no longer content to phish for small targets – now they are trying to hook a whale.
“Whaling” is another version of email phishing attacks that is gaining momentum. While most phishing attacks cast a wide net, hoping to attract as many victims as possible with a variety of email scams, whaling is a scheme where the scammers target the CEO or other highly placed executives – in other words, the “big fish” in an organization.
Scammers generally gain a foothold by first sending the executive an anodyne email that resembles correspondence from a trustworthy source, such as a vendor, the IT department or a client. When the executive downloads the attachment or clicks on the link, or, in rarer and more sophisticated cases, merely opens the email in a mail client with an unpatched rendering flaw, malware is installed on the computer.
The malefactor then has access to whatever that executive's machine and mailbox can reach: financial data, saved passwords, personal information of clients and employees, and the executive's own sent and received mail.
Another version of this scam, or the second step of the same scam, is when the scammer spoofs the CEO's address, or sends directly from the compromised mailbox, to fool employees into paying invoices or sending out confidential tax information.
We have seen instances where an email was spoofed and the scammer was communicating with the CEO’s employees, but the CEO was never seeing the correspondence.
Even as the sophistication in these types of schemes improves, awareness remains the best form of defense.
Always check that the address behind the display name matches the person it claims to come from: hover over or expand the sender to see the actual address, confirm the domain is exactly right (not a look-alike such as a digit 1 in place of a letter l), and be suspicious of a Reply-To that points somewhere else. This is only the first line of defense, though. When an account has been compromised, the victim's real email address is used, so this check is not fail-safe.
Pay attention to your clients' or customers' habits. If a client or customer suddenly sends emails that are outside their normal pattern of timing, tone or requests, scrutinize those emails closely. We recently noticed that one of our client's emails had been spoofed in one of these scams. We were able to catch it because we noticed correspondence coming in at odd times. Specifically, this client typically emails us a batch of invoices to pay in the morning and then leaves his office for the evening. The email in question came to us after he had sent his normal daily email and when he would have been out of the office.
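The two checks above, the sender's real address and the sender's usual hours, can both be automated on incoming mail. The following is an added example, not code from the original post or from the authors: a small Python script that parses raw messages with the standard library and flags an executive's display name on the wrong address, a look-alike of the organisation's own domain, a mismatched Reply-To, and mail from a regular sender outside the hours they normally write. The domain `example.com`, the executive list, the per-sender hour windows and the three sample messages are all constructed assumptions for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed assumptions: the organisation's own domain, the executives whose
# names are worth impersonating, and each regular sender's usual local hours.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
USUAL_HOURS = {"invoices@client.example": (8, 12)}  # sends between 08:00 and 12:00


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_message(raw):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. An executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display name '{name}' but address is {addr}, expected {real}")

    # 2. A look-alike of our own domain: a character or two off, but not equal.
    if domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} looks like {OUR_DOMAIN}")

    # 3. A Reply-To that silently redirects the conversation elsewhere.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr:
        findings.append(f"Reply-To {reply} differs from From {addr}")

    # 4. A regular sender writing outside the hours they normally write.
    #    The Date header carries the sender's own UTC offset, so .hour is
    #    the hour on the sender's clock, which is what the habit is about.
    window = USUAL_HOURS.get(addr)
    date_hdr = msg.get("Date")
    if window and date_hdr:
        hour = parsedate_to_datetime(str(date_hdr)).hour
        if not (window[0] <= hour < window[1]):
            findings.append(
                f"{addr} normally sends {window[0]:02d}-{window[1]:02d}, "
                f"this arrived at {hour:02d}:00"
            )
    return findings


# Constructed sample messages (not real mail).
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-forward.example
To: payables@example.com
Date: Tue, 05 Mar 2019 09:10:00 -0500
Subject: Urgent wire

Please process the attached invoice today.
"""

ODD_HOURS_INVOICE = """\
From: invoices@client.example
To: payables@example.com
Date: Tue, 05 Mar 2019 21:42:00 -0500
Subject: Additional invoice for payment

One more invoice for today, please pay by end of day.
"""

CLEAN = """\
From: invoices@client.example
To: payables@example.com
Date: Tue, 05 Mar 2019 09:05:00 -0500
Subject: Invoices for today

Attached are today's invoices.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed exec", SPOOFED_EXEC),
                       ("odd hours", ODD_HOURS_INVOICE),
                       ("clean", CLEAN)]:
        print(label, "->", inspect_message(raw) or ["no findings"])
```

None of these findings proves fraud on its own, which is why the script returns warnings for a person to act on rather than a verdict; the hour-window check in particular only makes sense once a sender's real habits have been observed for a while. A message from a compromised account will pass checks 1 to 3 cleanly, which is exactly why the timing and habit check is worth keeping alongside them.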
Always question new vendor invoices. If you receive an invoice from a new vendor, confirm by phone with the vendor or the person who sent it that it is legitimate, using a number you already have on file rather than one printed in the email. The invoice amount in the example with our client was very high, which caused our team member to question it. However, the more savvy criminals will submit smaller invoices and hope to fly under the radar. They will also send test invoices to see what they can get away with.
Delete first and ask questions later. It is always better to delete a suspicious email, or better still to report it to your IT or security team so the sender can be blocked for everyone, than to accidentally open Pandora's Box by clicking on an infected link or attachment. As stated above, victims are compromised when they click on a link, open an attachment or, in some cases, simply open the email.
Don’t reuse passwords for critical services, and definitely don’t use your internal network access password for any other service. This one almost needs no explanation. If you reuse passwords, a criminal who obtains one of them, for example from a breach of an unrelated website, can simply try it against everything you are working to secure.
Take advantage of multifactor authentication. We recommend going one step further and using multifactor authentication wherever it is offered. Multifactor authentication requires a second proof of identity beyond your password, something you have rather than something you know. For instance, you would enter your password, which would prompt for a code from an authenticator app or a prompt on a hardware security key, and you would then supply that code to access the site. A code sent by text message also counts, and is far better than a password alone, but an app or hardware key is harder for a criminal to intercept.
Using a password management system like LastPass is a way to manage many unique passwords, generate long random ones for each site, and remove the urge to fall back on easy-to-remember passwords.
Implementing strong security measures is the No. 1 way to protect your business, your employees and your customers. Please contact us if you would like to learn more.