Whaling is big business. No, this is not a Greenpeace initiative, and it is not about killing giant mammals of the sea for their blubber and meat. Whaling attacks are a form of phishing aimed at senior corporate executives, who have access to loads of valuable information. The bad guys are trying to steal huge money. Sensitive corporate data is worth big money and worth protecting.
The issue is becoming more prevalent as the bad guys enhance their techniques for compromising the executive suite. What should we do to combat this issue, and how should we respond to the new “normal”?
- Educate your executives on what phishing emails and attacks look like and what to look for. KnowBe4 provides fantastic security training for non-IT staff, and it is cheap.
- Instruct all executives that they need to use caution when going through email.
- Reinforce the message and provide education about whaling and phishing attacks to your executive team. You can do this by providing training to them on a regular basis.
- In Exchange Server, you can enforce rules that help users exercise caution when opening email from external sources. For example, all external email can have a footer applied, such as: "The e-mail below is from an external source. Please do not open attachments or click links from an unknown or suspicious origin."
- Spam and AV filtering applications or services, such as Proofpoint, Barracuda Spam Filter and Bitdefender, all offer a layer of protection.
- Do a penetration test and a social engineering test. The results can be eye opening.
- Talk to the executive team about social media and the potential risks. Provide education.
- Use this as an opportunity to build a security culture within your firm. Build awareness over time.
- Use security tools/technologies to your advantage: firewalls, intrusion detection, SIEM or an enterprise immune system, to name a few.
- Educate, Educate. And educate more.
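
One way to set up the external-email footer from the Exchange Server item above, shown as an added example that is not from the original post. It assumes the Exchange Management Shell (or an Exchange Online PowerShell session); the rule name and the exception for messages that already carry the notice are assumptions added here.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell with rights to manage transport (mail flow) rules.
# The rule name below is a constructed placeholder.
$ruleName = 'External sender footer (example)'

# Footer wording taken from the post; the first sentence doubles as a marker.
$marker = 'The e-mail below is from an external source.'
$footer = @"
<hr>
<p style="font-size:10pt;color:#a00000;">
<b>$marker</b>
Please do not open attachments or click links from an unknown or suspicious origin.
</p>
"@

$params = @{
    Name                               = $ruleName
    # Match only mail from outside the organization sent to internal recipients.
    FromScope                          = 'NotInOrganization'
    SentToScope                        = 'InOrganization'
    # 'Append' gives the footer the post describes; 'Prepend' would place it on top.
    ApplyHtmlDisclaimerLocation        = 'Append'
    ApplyHtmlDisclaimerText            = $footer
    # If the body cannot be modified (e.g. encrypted mail), wrap the original
    # in a new message that carries the notice instead of skipping it.
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'
    # Assumption: skip messages that already contain the notice, so long reply
    # threads do not collect one footer per round trip.
    ExceptIfSubjectOrBodyContainsWords = $marker
    # Start in audit mode: matches are logged, but no message is altered.
    Mode                               = 'Audit'
}
New-TransportRule @params

# Confirm what was created before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SentToScope, ApplyHtmlDisclaimerLocation

# After reviewing the audit results, switch the rule on by running:
#   Set-TransportRule -Identity $ruleName -Mode Enforce
```

Starting in audit mode lets you confirm the rule matches only inbound external mail before executives see the footer on every message.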
Whaling and phishing attacks are getting more sophisticated, with attackers conducting research for months on unsuspecting executives so they can improve their success rates.
If you have any questions about implementing any of the above ideas, give our staff a call. They love to “talk shop” and help fellow IT staff with challenges.