2015 was a ‘successful’ year for cyber criminals with millions of data records being lost or stolen around the world. In 2016 we can expect the attacks to continue and to see even more advanced attacks like spear-phishing where victims are specifically targeted using their personal information. And the level of sophistication the criminals use to dupe us is also rising. According to Mimecast research conducted in December, 55% of organisations saw an increase in the volume of whaling attacks – highly personalised emails targeting the finance and accounting departments within an organisation usually to extort cash.
“The barriers to entry for whaling attacks are dangerously low,” says Mimecast’s Managing Director Brandon Bekker. “As whaling becomes more successful for cyber criminals, we are likely to see a continued increase in their popularity, as hackers identify these attacks as an effective cash cow.”
So how can your organisation stay safe in the face of this dangerous new threat? Here are six email security tips to protect yourself.
Educate senior staff
Spear phishing and whaling attacks are so effective because they target named individuals within an organisation, often appearing to come from a trusted colleague. Whaling in particular is the result of careful social engineering. While fostering a culture of security at all levels is important, it’s crucial to educate senior management, key staff and finance teams specifically on these new attacks aimed at them.
Defend your domain
Today’s phishing emails are so dangerous precisely because they appear to be authentic, right down to the embedded links. Domain-spoofing constitutes 70% of whaling attacks, so it’s important to use email security services that review domain links. Also consider registering top-level domains that look or sound like your own so that hackers can’t exploit a similar domain name in an attack.
Make your mark internally
Educated employees will be on the lookout for emails that come from outside sources, but what if they appear to come from someone significant within the organisation? Most whaling emails are designed to look like they come from the CEO or CFO. One simple trick to mitigate this is to apply email stationery to every message that originates outside the corporate network, so that a prominent banner alerts employees that the email did not come from inside the organisation, whatever the display name says.
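To make the last two tips concrete, here is an added example (not Mimecast code) of the logic a mail gateway would apply: it extracts the sender domain, compares it with the organisation’s own domain to catch look-alikes and exact-domain spoofs, and prepends an external-mail banner to anything that did not originate inside the network. The corporate domain, banner text and sample messages are constructed for illustration, and the `arrived_externally` flag stands in for what a real gateway learns from the connector the message came in on.

```python
"""Tag inbound mail that did not originate inside the organisation.

Added example, not Mimecast code: it pairs the look-alike domain check from
"Defend your domain" with the external-mail banner from "Make your mark
internally". The corporate domain, banner text and sample messages below are
constructed for illustration; a real gateway would supply arrived_externally
from its inbound connector rather than from the caller.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"  # assumption: the organisation's domain
BANNER = "[EXTERNAL] This message originated outside the corporate network.\n\n"

# Digits commonly substituted for similar-looking letters; folding them lets
# "examp1e-corp.com" compare equal to our domain. The rn->m and vv->w folds in
# normalise() are heuristics and will also fold a few legitimate names.
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_GLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, arrived_externally: bool) -> str:
    """Return 'internal', 'spoofed', 'lookalike' or 'external'."""
    d = domain.lower()
    if d == CORPORATE_DOMAIN:
        # An exact match is only trustworthy when the message never left the
        # corporate network; one that came in through the internet gateway
        # is a spoof of our own domain.
        return "spoofed" if arrived_externally else "internal"
    our_label = CORPORATE_DOMAIN.rsplit(".", 1)[0]
    label = d.rsplit(".", 1)[0]
    if (normalise(d) == normalise(CORPORATE_DOMAIN)
            or normalise(label) == normalise(our_label)  # same name, other TLD
            or edit_distance(d, CORPORATE_DOMAIN) <= 2):
        return "lookalike"
    return "external"


def sender_domain(raw: str) -> str:
    """Domain of the From address; display names are ignored on purpose."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def tag_message(raw: str, arrived_externally: bool) -> tuple[str, str]:
    """Classify a message and, unless it is genuinely internal, mark the
    subject and prepend the banner to the body. Returns (verdict, message)."""
    msg = message_from_string(raw)
    verdict = classify(sender_domain(raw), arrived_externally)
    if verdict == "internal":
        return verdict, raw
    subject = msg.get("Subject", "")
    if "Subject" in msg:
        del msg["Subject"]
    msg["Subject"] = f"[EXTERNAL] {subject}"
    msg.set_payload(BANNER + msg.get_payload())
    return verdict, msg.as_string()


# Constructed samples: genuine internal mail, a display-name spoof from a
# webmail account, a look-alike domain, and our exact domain spoofed from outside.
SAMPLES = [
    ("From: Finance <finance@example-corp.com>\nSubject: Q1 figures\n\nAttached.\n", False),
    ("From: CEO <ceo.example-corp@gmail.com>\nSubject: Urgent transfer\n\nPay the invoice today.\n", True),
    ("From: CEO <ceo@exarnple-corp.com>\nSubject: Urgent transfer\n\nWire the funds now.\n", True),
    ("From: CEO <ceo@example-corp.com>\nSubject: Urgent transfer\n\nCall me after you send it.\n", True),
]


def run_samples() -> list[str]:
    return [tag_message(raw, ext)[0] for raw, ext in SAMPLES]


if __name__ == "__main__":
    for (raw, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:9} <- {sender_domain(raw)}")
```

The display-name case is the one the banner exists for: the sender shows as “CEO”, but the address is a webmail account, so the message is tagged external. The last sample shows why an exact domain match must not be trusted on its own: the gateway knows the message arrived from the internet, so it is marked as spoofed even though the domain is ours.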
Consider all your platforms
Chances are your employees don’t just access their corporate emails from a secured company laptop. For many their mobile device is their preferred way of reading and responding to emails. Also the lines between personal and corporate devices are beginning to blur thanks to BYOD and your security practices need to account for that. Whatever email security technology and procedures you have in place, make sure they’re also optimised for mobile use.
No security strategy is waterproof, particularly as threats and technology evolve. The trick is to find those gaps before the bad guys do. It’s advisable to carry out regular tests within your organisation to identify vulnerabilities. And don’t limit this to your IT systems – test your human firewall too. Look for ways to test your employee base regularly in a safe environment to support your security education programme.
Review and revise
Your security practices aren’t the only things that should be under close scrutiny. Conduct a thorough audit of your finance departments’ authentication procedures. Cyber criminals excel at taking advantage of unsafe processes, so consider revising how financial transactions with third parties are conducted. Requiring additional checks when transfer requests are made over email (or phone for that matter) could help tackle the whaling threat.