With the daily onslaught of news stories about companies losing millions of dollars to phishing scams, it is incredible to think that email security was practically non-existent as recently as the late 1990s. In fact, Yahoo Mail and Hotmail didn’t roll out anti-spam and antivirus tools to the masses until 1999. (For those of the Gmail generation, that was back when @yahoo.com and @hotmail.com accounts were the “hip” alternative to mom and dad’s @aol.com accounts.)
Obviously, spam filters and email antivirus scans rapidly became standard among email service providers and they continue to be in use today. Even though they have evolved to react to the latest threats, the problem is that these precursory email security solutions have never been proactive in helping to prevent future threats. The majority of these tools simply compare email contents to signatures of known threats.
One of the future threats that security solutions need to be able to address is whale phishing (“whaling”). Whaling is a type of spearphishing targeting “big fish” in an organization with access to sensitive, highly valuable information. Cybercriminals use this technique to lure senior executives or other key individuals to share valuable information or transfer funds to an account managed by the attacker.
To increase the efficacy of a whale-phishing scheme, cybercriminals will use spymail to gather intelligence on their victim before they move in for the attack. Spymail is an email that contains hidden tracking code that sends information about the recipient back to the sender. The recipient is unaware that such information has been shared with the sender, which allows the attacker to assess who opened the message, where the message was forwarded, the physical location of the user and more without being detected by the victim.
The best way to block spymail and help protect against a future whale-phishing attack is to invest in more advanced technology solutions. These solutions need to be supported with cybersecurity training, policies and procedures, among other precautionary measures.
In this slideshow, Paul Everton, founder of MailControl, has identified the top five ways to prevent a whale-phishing attack in your organization.
5 Ways to Prevent a Whale-Phishing Attack
Click through for five ways organizations can help protect executives and prevent whale-phishing attacks, as identified by Paul Everton, founder of MailControl.
Email Security Training
Make email security training mandatory for key individuals.
While training employees at all levels within the organization is essential, senior executives and employees with access to funds and sensitive information require a special training session focused specifically on email security. These employees need to understand how to identify a malicious email, how to verify the sender, and the risks associated with sharing sensitive information or transferring funds based on an email request.
Implement Multi-Layer Security Systems
The reality is that email security training will never be enough to fully secure an organization. Cybercriminals are too sophisticated in their tactics, with many choosing to target users when they are most vulnerable, whether that be during business travel or after a long day at the office. For this reason, it is important that companies use multiple layers of security solutions that go beyond the basic spam filter and antivirus software to keep company data secure.
Establish Secure Fund-Transfer Procedures
Considering many whaling attacks attempt to persuade the victim to send company funds to an account controlled by the attacker, establishing clear-cut fund-transfer procedures can help mitigate the risks of unknown users gaining access to company financial information. For instance, companies can require employees to make all fund requests through a secure banking portal with two-factor authentication enabled.
Incorporate an Anti-Spymail Solution
An anti-spymail solution is an effective way to limit the amount of intelligence hackers can obtain on company leadership and senior executives, as well as all employees within the organization. By limiting an attacker’s ability to know who is communicating with whom and when, anti-spymail solutions make it difficult to craft believable and perfectly timed phishing attempts.
Exercise Flexibility with Your Cybersecurity Policy
Cybercriminals’ techniques are evolving at an alarming rate, which is why company cybersecurity policies need to be updated constantly to address the latest threats. In addition to updating company security policies, organizations need to incorporate more advanced security solutions as new threats arise.