Is Your Website Luring Whalers & Minnow Phishers?

In 2015, Mattel was lured into wiring $3 million by fulfilling a requested payment, seemingly made by the new CEO, to a new vendor in China. In 2016, a Snapchat employee was targeted by a scammer impersonating Snapchat CEO Evan Spiegel. The imposter identified himself as Spiegel and asked the unfortunate employee for payroll information, which was dutifully handed over shortly thereafter.

A whaling attack is a form of spear phishing focused on senior-level individuals within an organization or targeted at employees with the “keys to the kingdom.” While ordinary phishing attacks usually involve sending emails to a large number of individuals without knowing how many will be successful, whaling attacks usually target one specific individual at a time, primarily focusing on the C-suite (aka “the big fish”) to exfiltrate sensitive resources or cash. These types of attacks can be more difficult to detect, as they often use techniques to make them appear as trusted sources.

Information about the “whales” in your organization is often posted on your website as a marketing technique. This information and more also can be easily found by doing a quick internet search. BKD performed a recent search on several Fortune 500 executives and turned up a treasure chest of personal information in just seconds. Therefore, the information you post to promote your C-Suite may be no different than the information that’s readily available on the internet.

However, information identifying individuals further down the organizational structure (the "minnows"—no disrespect intended) may not be as easily found through a web search—particularly information about your employees and indicators they might have administrative or other super-user credentials to your systems. Therefore, you may want to remove information from your website to make it more difficult to net the high-value minnows.

According to the Proofpoint 2019 State of the Phish Report, “threat intelligence continues to demonstrate attackers’ focus on end users, and it validates the need to take a [more] people-centric approach to cybersecurity.” BKD Cyber recommends the following to help reduce your attack profile:

• Consider reducing the amount of usable information posted on your organization’s website about key employees, especially contact information.
• Regularly re-educate all employees, directors and contractors who have access to your systems about whaling and minnow phishing attacks and how to identify phishing emails and pretexting.
• Periodically perform internal phishing campaigns designed to heighten awareness, in particular campaigns requesting log-on credentials or other data entry.
• Flag emails you receive from outside the organization.
• Provide a mechanism to report and quarantine potential phishing emails. Don’t discourage false reports.
• Implement internal controls that require multiple approvals to release sensitive data, cash or other tangible and intangible assets.
• Deploy tools to monitor the use of administrative accounts; review the logs frequently and at a sufficient granularity to identify potential unauthorized use.