There's a new threat in cybersecurity and it's aimed at the business world's biggest targets. The FBI estimates that Business Email Compromise (BEC), also known as CEO fraud or "whaling", has increased by more than 270%.
The FT reports that total potential global losses increased by $800 million in just six months, and Mimecast research found that 55% of companies experienced increased whaling attempts. Companies ranging from Ubiquiti Networks to Snapchat have publicly admitted losing millions to these scams. What psychological and cultural factors make employees vulnerable to whaling, and what can you do to prevent them?
How Do Criminals Conduct Their Research?
In a typical whaling scam, a finance employee receives an email spoofed to look as though it comes from the CEO or CFO. The email requests a wire transfer and gives instructions for sending it, usually confidentially or on short notice. In another variant, an executive receives a request for information from an apparent colleague that plays to their expertise. Either way, the request looks routine and convincing.
Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn. Publicly traded companies sometimes even include bank names in their annual filings. Hackers' ability to assemble a complete picture of the executive, including mining published articles and social media updates for clues about communication style, results in a very convincing portrayal.
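The spoofed executive request described above leaves traces a receiving mail gateway can screen for: an executive's display name on a foreign address, a lookalike sender domain, a Reply-To that redirects the thread, and wire-transfer language paired with confidentiality or urgency. The following is an added example, not Mimecast code or product logic; the corporate domain, executive list and sample message are constructed for illustration.

```python
"""Heuristic indicators of whaling / CEO-fraud mail. Added example, not Mimecast
code; the executive list, corporate domain and sample message are constructed."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                    # assumed protected domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed name -> real mailbox
PRESSURE_PHRASES = ("confidential", "urgent", "short notice", "keep this between us")

# Constructed sample: a spoofed CFO-style request of the kind the post describes.
SAMPLE_WHALING = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@relay-host.invalid
To: finance@example.com
Subject: Wire transfer

Please process a confidential wire transfer to the attached account today.
Keep this between us until the deal closes.
"""


def whaling_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators present in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    found = []
    # 1. A known executive's display name on an address that is not their mailbox.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        found.append("executive display name on foreign address")
    # 2. Sender domain is a close lookalike of the corporate domain (examp1e.com).
    similarity = SequenceMatcher(None, sender_domain, INTERNAL_DOMAIN).ratio()
    if sender_domain != INTERNAL_DOMAIN and similarity >= 0.9:
        found.append("lookalike sender domain")
    # 3. Reply-To quietly moves the conversation to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        found.append("reply-to domain differs from sender")
    # 4. A wire request combined with confidentiality or time pressure.
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = " ".join(p.get_payload(decode=True).decode(errors="replace")
                    for p in parts if p.get_content_type() == "text/plain").lower()
    if "wire transfer" in body and any(p in body for p in PRESSURE_PHRASES):
        found.append("wire request with pressure language")
    return found
```

Feed `whaling_indicators` the raw source of each inbound message; the constructed sample trips all four indicators, while routine mail from the executive's real mailbox produces none, which is the point at which a gateway would hold the message for the verification step the employee is being pressured to skip.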
The Employee-Side Psychology
Confusion and pressure: Confusion and pressure make employees more vulnerable to whaling scams. Requests from senior executives that demand confidentiality and set short timelines leave no room for follow-up. Considerable pressure, such as multiple emails and phone calls in a short time, amps up an employee's stress during the event.
Hierarchy and unwillingness to question authority: A cultural emphasis on efficiency and hierarchy leaves employees feeling like they'll get in trouble for verifying requests. Mid-level employees are often unwilling to challenge a request from the C-suite, especially when the request has been carefully targeted to look authentic.
The optimism bias: Harvard researcher Daniel Kahneman outlined a phenomenon called the optimism bias. People believe, despite knowing the risk, that they're less likely to be victims of a crime. Optimism leads you to believe the world is more benign than it really is, so when something looks fishy you chalk it up to harmless causes instead of asking questions.
Self-importance and ego: Whaling attacks geared at getting an executive to reveal information may play on ego and self-importance. From the desire to help to pride in your expertise, flattery and genuine-sounding appeals for help exploit your emotional vulnerabilities.
The Impact of Whaling Scams
Cybersecurity breaches don't just endanger your data. Beyond the financial impact, internal and external trust is eroded when your company falls for a whaling scam. There's the loss of money and brand damage in the eyes of the public. An executive's reputation can be harmed. Employees who fall for whaling scams can find themselves out of a job; even if they keep it, their reputation is damaged, their judgment is questioned and there are lingering concerns.
One executive who fell victim to a whaling scam noted in an interview with the BBC, "It's like when your house or apartment gets broken into. You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."
Understanding the psychological factors that contribute to whaling scams can improve your efforts to combat them, from employee training to internal testing. The right tools can also help. Learn more about Mimecast's new Impersonation Protect service and how it can protect employees and financial assets from this type of fraud.
You think you’re prepared to deal with cybersecurity threats. But what if your organization became the target of a whaling attack, spear-phishing or a weaponized attachment? These are just a few of the methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?
To be sure you really are ready to cope with email-based attacks, you need to get in touch with your true IT security self. That means finding out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of its IT budget to cybersecurity.
Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:
- The Vigilant: Less than one-fifth of IT security professionals – they demonstrate high confidence in their ability to handle or defend against cyber threats, despite having no experience with email hacks or data breaches.
- The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.
- The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
- The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
- The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.
Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.
Mimecast welcomes a new bill designed to protect emails and other electronic communications.
Can you remember the world in 1986? Aliens, Top Gun and Labyrinth were on at the movies and brick phones weighed the same as a bag of sugar.
The Electronic Communications Privacy Act was also enacted by the United States Congress. This ancient legislation allows law enforcement to search through emails, instant messages and photos stored in the cloud once they are 180 days old.
Back then, emails stored on a third-party server for six months were considered by the law to be abandoned. The Act therefore allows law enforcement agencies to obtain the data with just a written statement certifying that the information is relevant to an investigation, without judicial review.
Thirty years later, business archiving requirements, cloud technology and public opinion have moved things on considerably.
Today, we are proud that approximately 16,200 organizations and millions of their employees from around the world have entrusted their email and data to Mimecast. We process more than 180 million emails per day and our customers look to us to protect them from cybercriminals, outage and unwarranted government snooping.
The new Email Privacy Act (H.R. 699), passed unanimously by the U.S. House of Representatives, will require the government to get a warrant from a judge before obtaining private communications and documents stored online.
Email has gone from being just a communication platform to probably the greatest single repository of corporate knowledge any organization holds. Almost all corporate activity, discussion or ideas touch email at some point.
Due process should apply in the digital world now more than ever before.
Our customers use Mimecast to improve the security, reliability and archiving capabilities of their own email servers or primary cloud email service. We take our responsibility to protect their email and the petabytes of business information this includes very seriously.
Public opinion is on the side of fair and reasonable control of law enforcement and government in this regard, to protect the individual's right to privacy.
This is a clarion call for governments around the world to continue to modernise law-making in the wake of the unstoppable rise of cloud computing services. Laws written in the analogue and desktop computing age need rethinking for the cloud era.
Email is the bedrock of modern day communication and deserves up-to-date protection enshrined in legislation. This bill is a step in the right direction to further protect citizens’ private historical data held in the cloud from unreasonable intrusion.
Cybercriminals use email as a gateway for data breaches. This is not old news. New cyberattacks happen almost daily across all industries.
The bad news is that the speed of innovation in email threats has skyrocketed in the last year. If you don’t already know that 91 percent of breaches are due to phishing attacks, you at least shouldn’t be surprised to learn this statistic. What may shock you is that there has been a 270 percent increase in social-engineering-based whaling attacks since January 2015.
The healthcare industry, in particular, has been a ripe target for cybercriminals seeking to obtain massive amounts of personal, private patient data. Why the focus on healthcare? IT staff at healthcare organizations are often over-burdened and dealing with tight budgets and limited resources. While many IT teams have looked to cloud services to solve these issues and increase their capabilities, many have been unable to make the move due to concerns over their ability to adopt cloud security solutions in a regulated environment.
Mimecast can address these concerns and ease the fear that stops many healthcare organizations from moving to the cloud. We have recently passed the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment. This third-party assessment verifies the safeguards in place to protect health information within Mimecast’s software and facilities.
Now, healthcare organizations can take advantage of the benefits of cloud services without worrying about violating stringent rules, policies and regulations. And, most importantly, they can effectively protect patient data from email-based threats like whaling, spear-phishing and ransomware.
Here are three healthful tips to help healthcare organizations have it all when it comes to the cloud (security, compliance, efficiency and a positive patient experience):
- Update your email security: Traditional malware scanning and spam management are not enough. Organizations will invariably have a breach if they are not protecting themselves against the latest generation of email-based threats.
- Transport-level encryption: Emails should be encrypted during transmission between email servers to provide protection from interception.
- Message-level encryption: Because issues can arise with the servers themselves, message-level encryption can be used to protect content on the remote email server.
- Secure webmail: The most secure approach is some form of secure webmail delivery, in which the message is stopped at the gateway. The recipient gets a delivery notification with a link that is used to access the original email. Secure webmail delivery solutions typically require a password to access the email, which adds another layer of security to message access and gives worried doctors peace of mind. Ideally, the solution will also track recipient access, and access to the web server itself should use transport-level encryption.
Read our Healthcare Security Checklist to learn more.