It seems you can’t turn on your TV or computer, or open up your smartphone, without seeing yet another report of a cyberattack or security breach. By far the greatest threat to organizations stems from one of their own members naively clicking on a malicious link in an email. It’s easy to do; after all, cybercriminals are getting sneakier in their attacks. Phishing, Spear-phishing, Executive Whaling and CEO Fraud are the most common email-based vectors into organizations. So what’s the difference between these types of attacks? Our friends at KnowBe4 Security Awareness Training offer these definitions:
Phishing: You’ve all seen examples of phishing emails. They are sent to large numbers of users simultaneously and attempt to “fish” sensitive information from unsuspecting users by posing as reputable sources: banks, credit card providers, delivery firms and law enforcement. The ploy is to trick the user into clicking a link that infects the PC, opening an infected attachment, or visiting a fake website and entering login credentials, financial information, social security data or credit card details. Any data entered is likely to be used to steal money or an identity, or to infiltate the victim’s network. According to the Verizon 2015 Data Breach Investigations Report, 23% of recipients open phishing messages and 11% click on attachments. Unfortunately, nearly half of those who open these emails click on links within an hour of receiving them, and some respond within a minute of receipt. In other words, security teams have a tiny window in which to notice such an attack and contain it. Clearly, a purely defensive posture is doomed to failure.
Spear-phishing: This malicious strategy takes phishing to a different level. Phishing is spray-and-pray: one email goes out to a large list, many of whom don’t even use that bank, credit card or service. Spear-phishing, on the other hand, is targeted at specific individuals or a small group. The cybercriminal has studied up on the company or group, or has gleaned enough from social media to con its users. The originators craft their messages to make them more believable and increase the likelihood of success. It isn’t difficult for the bad guys to find basic details about employees on the web, Facebook, Twitter, LinkedIn and similar venues: travel plans, family details, employment history, various affiliations and more. Thus the open rate for spear-phishing is far higher than that of ordinary phishing.
Executive Whaling: This practice is becoming increasingly common. The term comes from the Vegas gambling moniker “whale” which means a high roller who is going to lay down some serious money in the casino. After all, the higher up the command chain you go, the more likely you are to find valuable information from your phishing efforts. So cybercriminals are increasingly targeting executive whales. To make matters worse, C-level executives have been found to be some of the biggest culprits when it comes to opening suspicious emails. Perhaps due to their hefty volume of traffic, they don’t have the time to look closely before they click. Whatever the reason, whaling is causing some serious breaches inside major corporations.
CEO Fraud: Also known as “business email compromise” (BEC), this swindle is the work of sophisticated cybercriminals who social engineer businesses that work with foreign suppliers. It is increasingly common and targets businesses that regularly perform (foreign) wire transfer payments. In January 2015, the FBI warned that cyber thieves had stolen nearly $215 million from businesses in the previous 14 months through such scams, which start when crooks spoof or hijack the email accounts of business executives or employees. Typically the CEO’s email is spoofed while the CEO is traveling, and employees are instructed to transfer large amounts of money out of the country.
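The CEO fraud pattern described above (an executive’s name on a lookalike or spoofed address, a Reply-To pointing elsewhere, and a request to wire money) can be checked for at the mail gateway. The following is an added example, not code from the original post or from KnowBe4 or MIS Solutions; it assumes a hypothetical executive directory and internal domain, and the two messages it inspects are constructed for illustration.

```python
"""Flag executive-impersonation (CEO fraud / BEC) messages.

Added example, not part of the original post. Assumptions (hypothetical):
the organisation's executives and their real addresses are known, the
mail gateway records DMARC results in Authentication-Results, and the
sample messages below are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Hypothetical executive directory: display name -> legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Hypothetical internal domain(s) that should always pass DMARC.
INTERNAL_DOMAINS = {"example.com"}
# Phrases typical of the payment requests seen in CEO-fraud mail.
PAYMENT_PHRASES = ("wire transfer", "urgent payment", "process the payment")


def analyse(raw: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...]} for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reasons = []

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display name matches an executive but address does not")

    # 2. Replies are redirected to a different domain (attacker-controlled mailbox).
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    # 3. Claims to come from inside but the gateway did not see DMARC pass.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if from_domain in INTERNAL_DOMAINS and "dmarc=pass" not in auth:
        reasons.append("claims internal sender but DMARC did not pass")

    # 4. The body asks for money to move.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(phrase in text for phrase in PAYMENT_PHRASES):
        reasons.append("body requests a payment/wire transfer")

    # Two or more indicators together is a strong CEO-fraud signal.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample: lookalike domain, external Reply-To, wire request.
FRAUD = b"""From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@webmail.example.net>
To: accounts@example.com
Subject: Urgent
Authentication-Results: mx.example.com; dmarc=none header.from=examp1e.com
Content-Type: text/plain; charset=utf-8

I am travelling and cannot take calls. Please process the payment
for the new supplier today by wire transfer. Details attached.
"""

# Constructed sample: genuine internal mail from the same executive.
LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Thanks for the Q3 summary, looks good.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD), ("legit", LEGIT)):
        print(label, analyse(raw))
```

Each indicator on its own produces false positives (executives do send mail from personal accounts, and finance staff do discuss wire transfers), which is why the verdict requires two or more to coincide; in a real gateway the same checks would feed a quarantine or an out-of-band confirmation step with the named executive rather than a hard block.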
The best way to safeguard your business against sinister phishing attacks is to arm your staff with the knowledge and resources to spot a phishy email. MIS Solutions offers a comprehensive employee security training program to help mitigate the chances of your company falling victim to a cybercrime. Call our office for more information.