In 2015, the CEO of an Austrian aircraft parts manufacturer was dismissed after he fell victim to a whaling attack that cost the company €40.9 (approx. $50 million at the time). Although whaling attacks aren’t new, they are becoming increasingly common, endangering not only the jobs of C-level employees but also the financial and brand security of the organizations they work for.
Whaling: A Bigger Phish
The next level of a phishing attack, whaling is the method attackers use to attempt to gain unauthorized access to executive-level credentials and data. As CSO puts it, the idea is that whaling “lands the big one.” And attackers are wise to focus their efforts on whales: Although executives usually have a greater level of access to data, they often aren’t any better trained in cybersecurity than other staff, making them a worthy target. In a Verizon study of 150,000 phishing emails, almost a quarter of executive recipients opened them and 11% opened attachments.
Like Shooting Phish in a Barrel
Part of the reason executives make easy targets is that they’re so busy and receive so many communications via email. While trying to efficiently make it through their inboxes, they often don’t take notice of red flags. Another reason they’re vulnerable is because so much of their information is easily available—their workplace, social and professional contacts, vacation plans, the conferences they attend—giving hackers plenty of material to spearphish.
To help keep your executives—and your company—safer, you can implement a handful of tools and techniques:
Ensure all staff receive ongoing training about email attacks. Make sure everyone knows if they see something suspicious from what looks like a known sender, take a quick minute to call the sender. And when in doubt, delete it.
Employ junk mail motivation. If executives are slow to buy-in to the whaling risks they face, show them what’s been filtered out into their spam and junk folders. These folders are likely swimming with spearphishing lures.
Use best practices, security tools, and policies. From the basic to the cutting-edge, there are a plenty of ways to improve your cybersecurity stance: strong passwords, multi-factor authentication, VPNs, outbound web communications controls, advanced endpoint security, etc.
Make sure everyone is covered wherever they are. Executives are often working remotely, from conferences, third-party offices, and other locations. Make sure security measures are in place so that your data is secure regardless of from where it’s being accessed.
Get expert help. One of the best ways to ensure your organization is secure from top to bottom is to undertake an enterprise cybersecurity audit—or better yet, find an experienced third party to perform a controls review, deliver a risk assessment, and guide vulnerability remediation.
As whaling attacks become more common, organization are wise to invest in security measures that protect the corner office. As InfoWorld states, the cost of getting harpooned can be huge.