A Whale of a Tale: Phishing for the Big One

By: Dr. Jerrod Pickering (Security +)

Publication: The Kansas Banker , June 2016


It is a cool, foggy morning out on the lake. Dawn is just beginning to break on what is going to be a great weekend. The fishing tournament is getting started, and it is every fisherman’s dream to land the big one. So too is the dream of every phisherman. In recent years, a new phenomenon in phishing known as whaling has been on the rise. Whaling is similar to a regular phishing email, but the initial target is a top-level executive. The Federal Bureau of Investigation claims that it saw a 270% rise in whaling cases in 2015!

What makes whaling so special that it receives a unique name? By targeting top-level executives, attackers have a higher chance of bypassing standard security controls while remaining inconspicuous, because they are not spamming the entire company. From the outset, a whaling email looks like a regular phishing email, but when the executive clicks, malicious software is downloaded and the attacker then assumes the identity of a top-level employee or even the CEO. Most commonly, what happens next is this:

  1. The criminal drafts an email, apparently from the executive, to a lower-level employee asking if they are available. The “executive” also instructs the employee not to call because there is no one in the office.
  2. If the employee responds, instructions are then sent to initiate a wire transfer and bypass the normal controls because the customer is in a rush and all documentation will be provided upon the executive’s return to the office.
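The two steps above leave a recognizable pattern in the mail itself: an executive’s name on a message from an outside address, a request not to telephone, and then a rushed wire transfer with the paperwork deferred. The following is an added example, not code from the article or from CoNetrix, of a simple heuristic scorer a mail team could run over incoming messages; the domain, executive names, phrase lists and the three sample messages are all constructed for illustration, and the patterns are deliberately narrow, so a real deployment would tune them against its own mail.

```python
import re
from email.utils import parseaddr

# Constructed configuration: the institution's own domain and the executives
# whose identities a whaling attacker would want to borrow.
ORG_DOMAIN = "examplebank.test"
EXECUTIVES = {"pat jordan", "chris lee"}

# Phrase patterns matching the ruse described above: an availability check,
# a request not to phone, then a rushed wire with documentation deferred.
AVAILABILITY = re.compile(r"\bare you (available|at your desk|in the office)\b", re.I)
NO_CALL = re.compile(r"\b(don'?t|do not|cannot|can'?t)\b[^.]{0,40}\b(call|phone|reach me)\b", re.I)
WIRE = re.compile(r"\bwire( transfer)?\b", re.I)
URGENCY = re.compile(r"\b(urgent|asap|immediately|in a rush|right away|today)\b", re.I)
BYPASS = re.compile(
    r"\b(documentation|paperwork|forms?|approval)\b[^.]{0,60}"
    r"\b(later|when i (return|get back)|upon my return|afterwards?)\b", re.I)

# Number of indicators at which a message is held for a phone check.
THRESHOLD = 3


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg):
    """Return (score, reasons) for one message given as a dict with the keys
    'from', 'reply-to', 'subject' and 'body'. Each matched indicator adds one."""
    reasons = []
    display, addr = parseaddr(msg.get("from", ""))
    _, reply_to = parseaddr(msg.get("reply-to", "") or "")
    text = msg.get("subject", "") + "\n" + msg.get("body", "")

    # Executive's name in the display field, but the address is not ours
    # (lookalike domain or free mail account).
    if display.strip().lower() in EXECUTIVES and domain_of(addr) != ORG_DOMAIN:
        reasons.append("executive display name with external sender address")
    # Replies routed to a different address than the one shown as sender.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append("reply-to differs from sender address")
    if AVAILABILITY.search(text):
        reasons.append("availability check")
    if NO_CALL.search(text):
        reasons.append("discourages phone verification")
    if WIRE.search(text):
        reasons.append("wire transfer request")
    if URGENCY.search(text):
        reasons.append("urgency")
    if BYPASS.search(text):
        reasons.append("documentation deferred")
    return len(reasons), reasons


def is_suspicious(msg):
    """True when the message reaches the hold-for-verification threshold."""
    return score_message(msg)[0] >= THRESHOLD


# Constructed sample messages (not real mail). STEP1 and STEP2 follow the
# two-step ruse; BENIGN is an ordinary internal note.
STEP1 = {
    "from": "Pat Jordan <pat.jordan@examplebank-mail.test>",
    "subject": "Quick question",
    "body": "Are you available? I need something handled quietly. "
            "Don't call, no one is in the office right now.",
}
STEP2 = {
    "from": "Pat Jordan <pat.jordan@examplebank-mail.test>",
    "reply-to": "pat.jordan.exec@freemail.test",
    "subject": "Wire needed today",
    "body": "Great. Please initiate a wire transfer of $48,500 to the account "
            "below ASAP. The customer is in a rush, so skip the usual sign-off; "
            "all documentation will be provided upon my return to the office.",
}
BENIGN = {
    "from": "Chris Lee <chris.lee@examplebank.test>",
    "subject": "Q2 loan committee agenda",
    "body": "Attached is the agenda for Thursday. Call me if you have questions.",
}

if __name__ == "__main__":
    for name, m in (("STEP1", STEP1), ("STEP2", STEP2), ("BENIGN", BENIGN)):
        score, why = score_message(m)
        print(f"{name}: score={score} suspicious={is_suspicious(m)} {why}")
```

The point of the threshold is that no single indicator is conclusive: executives do mail from phones on outside accounts, and urgent wires are legitimate business. What the scorer catches is the combination, and the response it drives is the one the article recommends later, a phone call to the executive on a known number rather than a reply to the message.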

It is a very simple ruse, and it works because spam filters do not filter these messages out. Since 2013, businesses have reported losses of $1.2 billion.

While whaling brings many frustrations to financial institutions, it is important to remember that the human element can be the single greatest asset in mitigating this risk. As an executive, there are some simple guidelines you can follow to help thwart these criminals:

  • Train often. Train yourself, just like your other employees, to spot suspicious email activity so your PC does not get infected.
  • Remove local administrator rights. Unless there is a pressing need that outweighs the risk it presents, remove administrator rights from your user account.
  • Remember your IT staff wants to protect you, too. When your IT staff recommends a new anti-phishing product or training, they are not just asking for a new expensive toy. These are the tools they need to do their job effectively.

Security companies are working on technological solutions to help combat whaling, but it takes time and the threats are constantly changing. While technology is a wonderful tool, remember that you can buy the latest fish finder on the market, but that does not guarantee you a big catch. Fishing is a relaxing sport that takes intelligence and patience. These attributes are also true of criminal phishermen. Fortunately, there are simple steps that can be taken to drastically reduce an institution’s exposure to these types of malware. Employee awareness and training (all the way to the top) are the two greatest tools a business can develop to help mitigate these risks and ensure a more secure environment.

Dr. Jerrod Pickering, Security +, is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits, security testing, and tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. To learn more about CoNetrix and their new tandem Phishing tool, visit www.CoNetrix.com.