Skip to main content

Bigger phish – Everything you need to know about whaling

2016 saw bigger, more frequent and more high-profile hacks than any year before it. Whispered rumours of hacking during the US election linger on, Yahoo finally admitted to two colossal data breaches with billions of records leaked, and the internet of things offered new opportunities to attackers, as tech users take advantage of a range of connected devices without perhaps the same regard we have for the security within our PCs, phones and laptops. 

Realistically though, 2016 is only the tip of the security iceberg with the threat landscape continuing to develop and grow. Attacks on SMEs are on the increase, as smaller firms are repeatedly targeted with ransomware attacks and ever-more sophisticated phishing scams.

We’ve all had an email from a benevolent Nigerian millionaire asking for our bank details and shown our friends for a quick laugh, before consigning it to the trash. But could you so easily identify a hoax email built by a team of professionals, who have information about which services you use, what your colleagues’ names are and what business you are engaged in?   

The development of these more targeted attacks is a feature of the spear phishing landscape in recent times. Malicious emails used to be far less sophisticated, with basic looking templates and spelling mistakes. Now they are branded with company logos and a forged email address. Attackers tailor the communications for their victim using information they know about your business. The more plausible and personalised the attack, of course, the higher the success rate.

Stolen identities

More than 80,000 successful phishing attacks occur every day worldwide. That’s more than 80,000 people who click the link and are netted by the baited website.  The stolen details result in stolen identities, financial loss, credit card fraud and other internet scams. It’s essential, now more than ever, for companies to put cyber-security at the top of their agenda.

The fallout from an attack like this can be massive so it’s extremely important for C-level employees to sit up and listen. The FBI recently lost 20,000 records from someone calling the helpdesk and pretending to be a new employee. If it can happen to them, it can happen to anyone.

Whilst the general internet user is becoming more savvy and switched on to the generic spoofed emails of phishing scams, phishing is evolving. One such evolution rising to prominence in the last 12 months, and continuing to gather pace, is whaling. This new form of spear phishing scam sees high-net-worth individuals hoodwinked into authorising online payments to cyber scammers posing as employees or legitimate suppliers.

Whaling is a notable development compared to other spear-phishing attacks because of the incredible sums of money involved. Cases of this online ‘confidence trick’ are on the rise, with huge sums at stake – one MD approved a £30m payment in a single incident.

Pretexting and baiting

Targeted spear-phishing attacks use methods like pretexting and baiting – creating fabricated scenarios and offering free products to build up a fake sense of trust, before stealing sensitive information. 

In whaling attacks, frontline workers are often targeted to gain access to bosses’ credentials and information, helping attackers build a credible method of approach to their target.  Posted as urgent and looking legitimate, employees are being duped by the ‘whaling’ techniques, resulting in CFOs and CEOs making massive payments into accounts not run by their company.

These attacks are not going to stop, so it’s your responsibility to be prepared. Rather than just telling your team what to look out for, you actually need to test them. There are three steps you need to take: tell your team, test your team, and then invest in more technology. 

Would you know how to examine a link to check that it is taking you to a secure place rather than a forged website? It’s becoming a regular occurrence to receive these links in emails but more education is needed to reduce exposure.

If you are going to invest in tech you should look at a secure email system. You will see this implemented in security-aware companies. The cost isn’t high, and if you look at the potential cost of an attack then the peace of mind provided by being safer is priceless.   

One group benefiting from the increased success of phishing and digital confidence tricks is ransomware attackers. More sophisticated phishing scams are among the factors behind the explosion of ransomware globally in the last 12 months. Again, human error is the easiest vulnerability for attackers to exploit, so prepare yourself and your employees or colleagues.

Of course, the spike in attacks has also been driven by the emergence of the Dark Web and cryptocurrencies like Bitcoin. In Q1 of 2016 there were 4,000 attacks a day in the US, whereas a year earlier that number was just 1,000. The average ransom demand is also on the rise, increasing 135% in the six months to June 2016.   

Big news

Once infected by ransomware, there is absolutely nothing a victim can do beyond paying the ransom to the attackers. Of course, they may be saved from disaster if they have a regular and comprehensive backup regime, allowing them to restore their files from backup systems at the point just before the ransomware struck.   

Hacks make big news, daily, and the risks are growing at an alarming rate. At UKFast we look after the online infrastructure of nearly 6000 businesses and we are seeing this kind of confidence trick occurring with astonishing regularity. It’s only a matter of time before a large business is brought down by one of these attacks. Now is the time for firms to knuckle down and strengthen their cyber security defences, before it’s too late.

Lawrence Jones, Founder and CEO, UKFast
Image Credit: wk1003mike / Shutterstock