The next time your company's CEO sends you an email and asks you to do something, it might be best not to comply. This is no April Fool's joke to get you fired — just a bit of caution in the wake of a widespread phishing scam known as "whaling."
Snapchat was a victim in February when a hacker exposed the company's payroll information to the world. Mattel got toyed with in March when the company was duped into sending $3 million to a bank account in China. In all, the FBI estimates more than 12,000 businesses have been targeted since October 2013, with total losses around $2 billion.
These big companies with big IT departments can still be extremely vulnerable to cyberattacks, and the biggest vulnerability is a company's employees. Cybersecurity expert Joseph Steinberg says the reason we're seeing such a rise in these phishing attacks is that they're much easier than hacking into a computer system, and the odds of getting caught are also much lower.
"Security technology has improved quite a bit over the two decades since the commercialization of the Internet, but we are still using human brain version 1.0," said Steinberg, CEO of SecureMySocial. "Making things worse in recent years is social media, which gives criminals plenty of information to help them craft highly effective phishing emails."
It all starts with a simple email in which the criminal pretends to be an executive at the company, often the CEO. The criminal asks the email recipient to take an action that would be common for that person’s job role — asking someone in accounts payable to issue a wire payment to some new vendor, or asking someone in IT to reset a password, etc.
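As an added illustration (not code from the article or from either company quoted in it), here is a defender-side check for the impersonation pattern just described: it parses a message and flags the usual signs that mail claiming to come from an executive did not. The company domain, the executive list and the sample headers are constructed assumptions.

```python
"""Flag inbound mail whose sender poses as a company executive.

Constructed example: the domain, executive list and sample message
below are invented for illustration, not taken from any real case.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed name -> mailbox


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike sending domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_message: str) -> list:
    """Return the reasons this message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    addr, reply = addr.lower(), reply.lower()
    domain = addr.rpartition("@")[2]
    known = EXECUTIVES.get(" ".join(name.split()).lower())
    reasons = []
    # 1. Display name is an executive's, but the mailbox is not theirs.
    if known and addr != known:
        reasons.append(f"display name '{name}' but sender is {addr}")
    # 2. Sending domain is a near miss of the real one (typo-squat).
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    # 3. Replies would be diverted to a domain other than the sender's.
    if reply and reply.rpartition("@")[2] != domain:
        reasons.append(f"Reply-To {reply} diverts replies away from {domain}")
    return reasons


SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@webmail.invalid
To: payables@example.com
Subject: urgent wire

Please wire the attached invoice today.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```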
"Many of the email addresses of your organization are available to the public via the Internet and thus easy to find for cyberthieves," said Darren Guccione, CEO and co-founder of Keeper Security, Inc. "Once they conduct a search for email addresses of your company, they find all publicly available email addresses of your employees and launch a phishing attack on as many of them as possible."
Once the action is taken, it's pretty much game over. Mattel was lucky enough to work with Chinese authorities to get its money back, but the vast majority of these attacks don't end on such a happy note.
So what can companies do to prevent this? Steinberg offers three basic steps:
1. Social media caution: "To prevent employees from oversharing on social media, educate them about the risks, and use technology to warn them if they are making a problematic post."
2. Implement safeguards: "Institute policies to prevent problems (e.g., that payments over a certain dollar figure to new providers must be approved, or requests for W2s must be approved by multiple people separately with emails sent to them rather than from them or orally by callback to an authorized party's known cellphone number), etc."
3. Teach employees: "Educate users about CEO email scams, and train them to recognize phishing emails."
And to that final point, Guccione suggests periodically running mock phishing scams on your company to test how vulnerable you are.
"After the 'attack,' companies can better understand how vulnerable they are to phishing attacks by identifying employees most prone to clicking them," Guccione said. "The employees themselves don't need to be singled out and humiliated, but the company can release the results as a wake-up call before implementing a no-click policy."
Take the steps necessary to protect your company from becoming the next "whaling" victim. After all, it's much better to be Moby-Dick — the one that got away.