Phishing Schemes Include Whale Hunting: How to React When Someone Pretends to Be the Boss
Good, and by that we mean effective, phishing schemes make you jump into action without thinking twice. They use a mix of fear, urgency, and uncertainty to make email recipients follow the instructions in the email without hesitation. Your company's employees aren't entirely on their own against this threat: anti-malware programs are getting better and better at both detecting suspicious email addresses and catching bad links.
But once an email gets through the cracks, there needs to be a policy so employees aren't left to guess at what they should do. An effective form of phishing, called a whale attack, involves a single person in upper management or a C-level executive. Sometimes they're the target: a malicious actor will craft an email that sounds precisely like something the recipient is expecting as part of business operations. Other times, the executive is the tool: the malicious actor pretends to be them and brings that power to bear by demanding that an employee send them files.
That second situation is a big problem, but it's one you can prepare for. Here's how:
- Implement a strict policy about sending files to non-corporate email accounts.
The scheme works like this: a malicious actor will make a plausible email account with an executive's first and last name, with Google or Yahoo, or even with a provider that barely flies under the radar, like Hotmail. Then they'll tell an employee that (i) they're locked out of their work laptop, so they can't use their regular email or log in to the CRM, and (ii) they have a deadline right now and need some files.
Make the answer to that request 'no' every time. Don't just make it policy. Make every manager reiterate it to their team, make every director say it to their department, and make the C-level executives broadcast the message.
- Have them call the request in.
It's a crude two-step authentication. But it works, especially if it's company policy. If someone really is locked out of their account and they really need one of their employees to send them files, they need to pick up the phone. Malicious actors aren't yet at the point where they can fake someone's voice and conversational tone. They also can't fake the details, such as "precisely which files?" and "where were they saved again?"
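As an added illustration (not part of the original article), the lookalike-account scheme described under the first item can also be flagged before an employee has to decide anything: the Python below checks a From header for an executive's name arriving from a non-corporate address. The domain example.com, the executive names, the free-mail list and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr
import unicodedata

# Assumed values for illustration only; replace with your own roster and domains.
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVES = {"Dana Whitfield", "Luis Ortega"}
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

def _name_key(text):
    """Reduce a name to a set of lowercase words: accents and punctuation
    are dropped, and word order ("Whitfield, Dana") no longer matters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return frozenset("".join(c if c.isalnum() else " " for c in text.lower()).split())

EXEC_KEYS = {_name_key(name): name for name in EXECUTIVES}

def check_sender(from_header):
    """Return a finding if an executive's name appears in the display name or
    the local part of an address outside the corporate domains, else None.
    Mail that claims a corporate domain is out of scope for this check."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain in CORPORATE_DOMAINS:
        return None
    for candidate in (display, local):
        words = _name_key(candidate)
        for key, name in EXEC_KEYS.items():
            if key <= words:  # every word of the executive's name is present
                return {"executive": name, "address": addr,
                        "free_mail": domain in FREE_MAIL}
    return None

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Dana Whitfield <dana.whitfield.ceo@gmail.com>",
    '"Whitfield, Dana" <dw4471@hotmail.com>',
    "Dana Whitfield <dana.whitfield@example.com>",
    "Newsletter <news@vendor.example>",
    "Luis Ortega <lortega@consulting.example>",
]

def scan(headers):
    """Return (header, finding) pairs for every header that is flagged."""
    return [(h, f) for h in headers if (f := check_sender(h)) is not None]

if __name__ == "__main__":
    for header, finding in scan(SAMPLES):
        print(f"FLAG {header!r}: {finding}")
```

A flag here is a prompt to apply the two rules above (no files to non-corporate accounts, and a phone call to confirm), not a verdict on its own.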
For more ways to make your cybersecurity policies survive contact with the daily grind, contact our team to learn more.