Phishing attacks aren’t a new cyber threat, but in recent years attackers have become more ambitious. Instead of targeting low-level employees, they now use social engineering to gain access to systems at the executive level, especially through finance executives. A successful attack means higher privileges and access to more sensitive corporate data, which they can then steal and sell on the black market, or even to your competitors.
Two New Phishing Attacks
The term “phishing” is probably familiar to you, but have you heard of whaling or spear phishing? Both are variants that have appeared in the cyber threat world as a way to target corporate executives.
Whaling attacks are a little less targeted: they rely on mass mailing in the hope of capturing at least one executive’s credentials. The attacker uses a spoofed sender address and sends the message to several executive email accounts. Gathering a list of those accounts takes time, but even personal email addresses will serve the purpose if the message yields corporate credentials.
A more targeted attack is spear phishing. Here the attacker picks a specific target and applies social engineering, which can mean anything from calling the victim to coax out credentials, to sending a tailored email, to gaining physical access to the premises by following the user through an office door after they’ve swiped their badge. That last technique is called piggybacking.
Because these attacks focus on financial executives, they are especially troublesome given what those executives have access to: earnings statements, social security numbers, tax records, and even the company’s bank accounts.
How You Can Protect Your Data
If you’re a financial executive or even a system administrator responsible for financial systems, you can take steps to protect yourself.
First, security awareness should be a priority each year for all employees. Security awareness helps reduce risk by educating employees on the red flags and signs of any phishing attempts and social engineering.
Next, perform regular security tests. For instance, send a simulated phishing email and identify who falls for it. This is a good exercise for everyone, including executives, employees, and even security personnel.
Many domain registrars offer alert notifications that tell you when a domain name similar to yours has been registered. Many phishing attempts rely on domains that closely resemble the official site’s.
Although it’s expensive, consider purchasing your brand name under every top-level domain. Several vanity TLDs have been released, and holding your brand under them eliminates much of the phishing that occurs when an attacker registers your brand under another TLD and sends mass emails.
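As an added illustration (not part of the original article), the following Python script flags inbound sender domains that imitate an official domain in the ways described above: a different TLD, a substituted look-alike character, a one-character typo, or the brand embedded in a longer domain. The domain examplecorp.com, the sample addresses, the homoglyph table and the edit-distance threshold are all assumptions.

```python
# Added example (not from the original article): flag sender domains that imitate the
# official domain, the "similar domain" pattern above. Domain names are constructed placeholders.
OFFICIAL = "examplecorp.com"  # assumed official domain (placeholder)
# Character swaps commonly used to make a look-alike label read like the real one (assumed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (OSA) distance: insert, delete, substitute, adjacent swap."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_reason(sender_domain: str, official: str = OFFICIAL):
    """Why sender_domain resembles `official`; None for the official domain,
    its own subdomains, and unrelated domains."""
    sender_domain = sender_domain.lower().strip(".")
    if sender_domain == official or sender_domain.endswith("." + official):
        return None
    brand = normalize(official.split(".")[0])
    labels = sender_domain.split(".")
    second_level = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    if second_level == brand:
        return "brand label under a different TLD or with substituted characters"
    if edit_distance(second_level, brand) <= 1:
        return "one-edit typo of brand label"
    if brand in sender_domain:
        return "brand embedded in a longer domain"
    return None

def flag_senders(addresses):
    """Return (address, reason) for every address whose domain imitates OFFICIAL."""
    pairs = [(a, lookalike_reason(a.rsplit("@", 1)[-1])) for a in addresses]
    return [(a, r) for a, r in pairs if r]

# Constructed sample senders: the official address and its own subdomain must pass.
SAMPLE = ["cfo@examplecorp.com", "hr@mail.examplecorp.com", "ceo@examplecorp.net",
          "ceo@examp1ecorp.com", "ceo@exmaplecorp.com", "pay@examplecorp-finance.com",
          "it@examplecorp.com.secure-login.net", "news@unrelated.org"]
```

Wire `flag_senders` into a mail-gateway or SIEM rule to raise a review ticket rather than to block outright, since legitimate partners occasionally use domains that contain your brand.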
Finally, review the finance team’s procedures to ensure they follow best practices in every type of situation, and make sure executives understand that they are a bigger target than other employees.