Email, social media, smartphones, and other electronic communication are now the norm for communicating across and between businesses of any size. You may even be a part of a company so big that you email back-and-forth with people on a daily basis whom you’ve only met a few times in passing. Or you may be contacting multiple potential clients for your start-up business, many of which you have never met before at companies you’ve barely heard of. If you see that an email is from someone who appears to be an employee at your business or a good potential client, you click on it so as to build and maintain positive relationships with them and help them with whatever it is that they may need. But how do you know if that email is actually from Jim in Accounting or Jane at your strong lead’s firm and not a hacker posing as him or her? When it is really the hackers and not the genuine people you think it is, this is called phishing.
Phishing is a tricky cyber threat—able to stump 20% of employees at J. P. Morgan when the company sent out a fake phishing email—but what is it exactly? Phishing is when impostors pose as reliable entities, such as banks, universities, or other well-known companies, via electronic communication, to solicit personal information which they can then use to steal people’s identities or infect their computers with malware. Phishing is growing at a rapid rate with many other cyber crimes; not even halfway into 2016, there have already been 36 companies that have fallen victim to phishing email attacks where the hackers were in search of employees’ personally identifiable information (PII) to aid the hackers in identity theft. Arguably just as vicious as going after people’s PII, these hackers have begun to steal funds from companies primarily through a form of phishing known as whaling.
Whaling, the new Phishing
Whaling, a form of phishing usually synonymous with the term spear phishing, is when hackers target executives for their phishing attacks; either emailing them directly or posing as these high-ranking members to send mass emails to employees (and in turn successfully infecting all employee’s computers who open the malware-ridden emails), in order to gain access to valuable information like financial numbers, wire transfers, and employee information. A Mimecast survey conducted late last year found that 55% of businesses across the globe had experienced an increase in whaling attacks over the previous twelve months.
Whaling has been in the news recently for having hit Mattel, the producer of such toys as Barbie and Hot Wheels, with a malicious $3 million transfer of money to a hacker based out of the Bank of Wenzhou in China. Cyber criminals posed as a legitimate member of the Mattel executive board—the newly-instated CEO, Christopher Sinclair—to trick finance employees into transferring the sum to their malevolent bank accounts. In order to transfer money, Mattel requires two executives to sign off on the transfer so as to help reduce financial-related risks, one of which being the CEO. When the unnamed financial executive saw what he thought was the CEO’s approval, he assumed the transfer was legitimate and transferred the funds to the Bank of Wenzhou, unknowingly completing the hacker’s mission.
Thankfully, this event happened on a Chinese banking holiday, meaning that the funds were held up and Mattel was able to recover the wrongfully transferred funds almost immediately after finding out about the issue. Though this is good news for the toy-producing giant, most companies do not always have such lucky timing when cyber crimes strike. This is why knowledge and education are crucial defenses on the cybersecurity front. If employees know how to identify suspicious communications, then it is less likely that the company will be subject to phishing and whaling attacks.
How to identify a suspicious message
The primary goal in combating phishing and whaling attacks is to make sure that harmful traffic to employees is stopped without hindering the good traffic of current and new clients as well as other reliable entities. The best way to handle a phishing email scam is to prevent it from happening in the first place; employee training on how to identify a fraudulent email is an extremely important step in ensuring workplace cybersecurity, and there are a few telltale signs that indicate whether or not an electronic communication is a scam:
Links- The best way for a hacker to access your information is by making you come to him. Many links in suspicious emails can be verified by hovering your mouse over it; if the link is taking you to an .exe file for example, do not click on it, as these have been known to be the source of various malicious software in other cyber crime situations.
Threats- When there is a threat in an email, such as forcefully taking down an account or being fined if you do not take instant action, this is usually an indicator of phishing. This can come in the form of both email and phone solicitation and threats are easily identifiable by the request of immediate action or otherwise facing the hacker’s consequences.
Posing as a popular company- Seeing a familiar logo or name on an email or other electronic communication can give you a false sense of security that what you are receiving is a legitimate connection from an accredited company. An indicator that a message is phishing is when the hacker includes the company title in a way that is slightly different from the actual company name (i.e. Twitter Co. instead of Twitter Inc.). Also, if you regularly get emails from a reliable company and you receive one that looks different than usual, this is a sign that it may be a phishing scam.
Spelling errors- If there are clear spelling errors throughout the email, it is obvious that this email was not carefully looked over by a member of an authentic company and is likely phishing. This not only includes spelling and grammatical errors, but also when key parts of an email, such as the subject line or a signature, are missing or strangely worded.
If you believe an electronic communication to be malicious or suspicious, do not open it, delete it, and report the incident to your IT department. For small businesses that may not have an IT department or think that cybersecurity is out of reach for your company’s budget, please go to www.axiomcyber.com to learn more about our affordable managed cybersecurity solutions and how we can help your business get and stay secure.