CEO Fraud (aka Whale Phishing, aka Colleague Impersonation)
We’ve written about Colleague Impersonation before and are now pleased to announce that Rupert’s produced a bite-sized video giving plenty of useful information. Take less than 15 minutes out of your day to learn vital information that will help to keep your business safe.
We’ve given a short summary of the video content below.
‘Whale Phishing’ evolved from Email Phishing and Spear Phishing and basically involves the impersonation of the biggest fish (the whale) of the company via email.
Why are the bosses targeted?
Because they have a lot of power, make the ultimate decision about change and hold the purse strings. They will be responsible for making big announcements – things that employees won’t have heard of up until now.
People want to please the boss – keep them happy to enhance their career prospects, maintain secure employment and generally have a nicer time! Emails from bosses get actioned quicker than others. It’s therefore essential to SLOW DOWN! Team members need to be aware of Whale Phishing tactics and take the time to review an email for signs of fraud, as follows:
- Signature – is it correct?
- Display names – names can be forged, so note any spelling mistakes and format changes
- Email address – check that it’s correct
- Urgent requests – take your time – don’t be rushed to do something that could be fraudulent
- Bypassing procedure – if an email asks you to ‘skip’ a procedure, double check in person
- Needing to login – why should you login to a different site if you’re already logged into the company site?
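The checks in the list above can be applied mechanically to an incoming message before anyone acts on it. The script below is an added example, not a Net Primates tool: it reads one raw email with Python's standard `email` module and reports which of the warning signs (display name on the wrong address, an address outside the company domain or a look-alike spelling of it, urgency, a request to skip procedure, a link plus a request to log in) it finds. The company domain `example.com`, the `KNOWN_SENDERS` directory, the keyword lists and both sample messages are constructed for illustration; the Reply-To comparison goes slightly beyond the page's list, since a forged executive email often redirects replies to a third-party mailbox.

```python
"""Heuristic review of one raw email against the whale-phishing warning signs.

Added example (not Net Primates' code). Domain, sender directory, keyword
lists and the two sample messages below are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                       # assumed company domain
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}   # constructed "CEO" entry
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before end of day")
BYPASS_PHRASES = ("skip the usual", "skip the normal", "keep this between us",
                  "do not call", "don't call", "no need to follow")
LOGIN_PHRASES = ("log in", "login", "sign in", "verify your account",
                 "re-enter your password")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 or 2 flags look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_email(raw: str) -> list[str]:
    """Return the warning signs found in one raw message; an empty list means none."""
    msg = message_from_string(raw)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # Display name: a known senior name sitting on an address that is not theirs.
    expected = KNOWN_SENDERS.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        findings.append(f"display-name: '{display_name}' but address is {address}")

    # Email address: outside the company domain, or a near-miss spelling of it.
    if domain and domain != CORPORATE_DOMAIN:
        if 0 < edit_distance(domain, CORPORATE_DOMAIN) <= 2:
            findings.append(f"lookalike-domain: {domain} resembles {CORPORATE_DOMAIN}")
        else:
            findings.append(f"external-domain: {domain}")

    # Replies quietly redirected to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        findings.append(f"reply-to-mismatch: replies go to {reply_to}")

    # Subject and text body, lower-cased for keyword matching.
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()

    if any(w in text for w in URGENCY_WORDS):
        findings.append("urgency: pressure to act quickly")
    if any(p in text for p in BYPASS_PHRASES):
        findings.append("bypass-procedure: asks to skip a normal check")
    if any(p in text for p in LOGIN_PHRASES) and re.search(r"https?://", text):
        findings.append("login-request: link plus request to sign in")
    return findings


# Constructed sample: a forged "CEO" message showing every sign at once.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jd.private@mail-relay.invalid
Subject: Urgent payment - confidential
To: finance@example.com

I am in meetings all day and need a supplier paid before end of day.
Please skip the usual PO sign-off, keep this between us and don't call me.
Confirm at https://examp1e.com/login once it's done.
"""

# Constructed sample: an ordinary internal message that should pass cleanly.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Subject: Board papers for Thursday
To: finance@example.com

Please circulate the usual pack through the normal channel by Wednesday.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", review_email(raw) or ["no warning signs"])
```

Keyword lists like these are deliberately crude and will miss rewordings, so treat the output as a prompt to slow down and verify in person, not as a verdict; the point of the example is that each bullet in the checklist maps to a concrete, checkable property of the message.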
Take a look at Rupert’s video to see an example of a fraudulent-type email so that you have a better idea of what to look out for and why.
- Humans click on emails so you need to ensure your teams are trained to think before they click – what does ‘normal’ look like?
- Ensure procurement and communication policies are in place, and that staff are aware of them
- Adopt a no-blame culture – better to ask if something is right and report any concerns
- Make sure your email services are set up properly
- Have link protection in place
- Activate ‘Restricted Access’ and ‘Usage Monitoring’ to help avoid breaches
- Enable ‘End User Notifications’ – Net Primates add a banner to warn people of suspicious emails
- Implement and pay attention to security warnings
- Security awareness training – make sure your teams know what Whale Phishing is
  - What does a legitimate email look like?
  - What is/isn’t acceptable to ask for via email?
  - How are suspicions reported and requests verified?
- Consider implementing regular training and testing – think fire drill, but for IT
- Implement procurement processes and stick to them
- Reinforce a no-blame culture
If you need more information about how to avoid CEO Fraud within your organisation please do get in touch. We can assist you by evaluating where problems could arise and helping to put solutions in place, including the additional security included with our Office 365 Enhanced Security solution.