Whale Phishing: Are You The Big One?

Phishing attacks have been a huge problem for businesses over the last several years, and it is only getting worse. While most business owners and managers understand that phishing attacks can lead to malware or the theft of personal information, there is a specific type of phishing attack that targets employees specifically to undermine a C-level.

When cybercriminals attack an organization, it’s usually not personal. They are trying to scam your organization out of money, steal valuable data, or deliver ransomware. In previous years, cybercriminals used breaches to acquire data such as credit cards, Social Security numbers, and other sensitive information to sell to bad actors. Today’s cybercriminals evolved and instead attack a business' ability to conduct business. Most modern cyberattacks are designed to make an organization’s data inaccessible.

Most commonly, this is done through ransomware, which locks down all of the data on a device or network and forces the user to pay a ransom to get it back. Cybercriminals have found that businesses are pretty willing to pay these ransoms, so it is an easy way to make money off of hapless victims.

Cybercriminals realized that some businesses are more likely to pay than others too, so certain industries are often targeted specifically.

For instance, Texas hospitals have been the target of cyberattacks, as well as organizations in the education, legal, and accounting sectors. Even state and county agencies are prime targets for ransomware attacks.

Unfortunately, this means your team is your weakest link and biggest target when it comes to a cybersecurity breach in preparation for a ransomware attack. However, proper training and security protocols including managing who can access the data can prevent a cybercriminal from gaining access to said sensitive data. 

As cybercriminals are constantly evolving their tactics, the next logical step is to target team members who do have access to the data they covet, and that means your C-level executives.

The Benefits of Developing an Anti-Phishing Policy

Phishing, despite its success rate, uses the lowest common denominator method of attack, targeting low-level team members to deliver a payload of malware or gain access to sensitive information. Your best line of defense is strong internal cybersecurity systems like spam protection, firewalls, and centralized antivirus, as well as proactive training for your entire staff.

However, once your office develops and implements data protection and anti-phishing policies, you reduce the opportunities cybercriminals thrive on to gain access to the data they need to generate their elicited income. If they can’t attack your business using low-hanging fruit, then they will target the people who have the keys to the data, your C-Level executives.

Your C-Level Team Members are the Real Target

This is where cyberattacks start to feel more personal. Cybercriminals can utilize these tactics to get into your organization.

Spear Phishing: These are targeted attacks aimed towards specific team members. Unlike vanilla phishing attacks, spear phishing is designed to gain the trust of specific team members. This is reflected in the type of communication used to make contact with their target, including social media, direct messaging, and personalized emails. By using personalized messaging, team members are more likely to fall for the deception. 

Spear phishing emails pose as someone your team members would trust. This is why it is important to ensure your vendors and other partners have their own cybersecurity protocols in place, to prevent their credentials and access from being used to attack your business.

One example of a common spear phishing attack involves spoofing an email of someone within your organization sharing a document with another team member. It could be HR sharing an updated employee handbook or a holiday bonus pay stub, or a salesperson requesting access to a folder they shouldn’t need access to. Cybercriminals can scope out who is who in an organization based on public records, LinkedIn profiles, office directories, and more. It isn’t difficult to spoof an email address and make an email look legitimate. 

Establishing a policy to not share sensitive information over email is a good step in the right direction to protect yourself from these types of threats.

Whale Phishing: These attacks are similar to spear phishing, but mimic a high-level executive. Common tactics include posing as financial, legal, or even political contacts. As these persons are traditionally responsible for important decisions, any communication your executives receive from them is more likely to gain their attention, perhaps even causing them to drop their guard and share sensitive information.

One overlooked factor regarding the success of whale phishing is due to higher-level executives' reluctance to follow established cybersecurity protocols. If the CEO is asking for a password or account information, an employee is likely going to follow instructions and eschew cybersecurity best practices.

The reality is, once you reach a certain level in an organization, you expect things to work and not have to do the work yourself. This is particularly true for technology; many executives expect and even demand that all they want their systems to do is turn on when they push the button.

The result of this disconnect is that some C-level executives assume that if an email reached their email, it must have been vetted by the IT department and is therefore safe to open. Unfortunately, even the most optimized email filter can allow for this type of attack to slip through. This is why it is essential that all team members, regardless of their station, are receptive to and receive cybersecurity training, particularly when it comes to recognizing a phishing attempt.

While we have provided tips and tricks to prevent a phishing attack in previous blogs, the most crucial thing your C-level executives can do is practice patience. That is, to take a moment to examine their email and verify its nature before providing access to sensitive information. One way to help crystallize this to members of your team who may not fully value the damage even one rogue email can do to their organization is in terms of their bottom line.

It is vital to provide C-level executives a worst-case scenario to a data breach’s results in terms they are more likely to understand and value. Regardless of the size, organizations that suffer a data breach will have repercussions. There will be consequences, whether it is in reputation, consumer confidence, or even financial penalties.

If you're a business manager and finding your C-level team members aren't readily able to understand the importance of adhering to cybersecurity measures, we can help. Capstone Works is Austin's premier business technology expert. We can help your organization develop the processes and, most notably, the message to help all team members understand their place in ensuring your business is protected.

Call (512) 882-2242 today to schedule an appointment for an IT or Cybersecurity audit.