In 2015, a senior executive at Mattel received an email from the company’s newly appointed CEO. The note requested the processing of an overdue payment to a familiar manufacturer. In acting on the email, the executive set in motion a $3 million mistake.
Cyber attacks of this kind are known as ‘whaling’ emails, which rather than the ‘copy-paste’ method of phishing messages familiar to anyone with an email address, use highly specific, ultra-realistic mimicry to target high-level executives.
Whaling emails can include various nefarious elements, such as links to malware or requests for the transfer of funds or sensitive data. Regardless of the attacker’s particular approach, the success of whaling attempts depends on gaps in the target’s digital literacy.
Concerns over cybersecurity are especially high on the agenda across the financial services industry, with both the Bank of England and the European Central Bank recently requiring major lenders to provide detailed plans for how they would respond to a cyber breach amid a wider call to crack down on cybersecurity in the sector. As part of their approach to tackling the issue, financial services organisations must ensure that staff at all levels are upskilled in identifying and responding to a cybersecurity breach.
On the rise
45% of security and IT experts recently surveyed by PwC predicted an increase in ransomware attacks, and AI is enabling hackers using whaling to commit scams with precision never seen before. Over 60 nationally ‘significant’ cyber attacks took place in the UK in 2022, according to the National Cyber Security Centre.
Even when cybersecurity programmes are in place, individual employees are often the chink in a business’ armour. Firewalls, phishing filters, and antivirus software are important, but the presence of good cybersecurity education and skills throughout a workforce is a crucial line of defence against a serious data breach causing the loss of millions of dollars.
Although the tools used to facilitate attacks such as whaling can be sophisticated, there are some simple yet highly effective processes that individuals can be trained in to safeguard a business from whaling and other types of cyber attacks.
Cybersecurity skills for all
Digital literacy is a prerequisite for any role that involves working with tech, which covers the vast majority of positions in financial services. Cybersecurity awareness is a crucial part of this. Businesses are largely conscious of the need for high-level cybersecurity systems, but frequently overlook the role of individuals’ digital capabilities in maintaining a secure digital ecosystem.
Cybersecurity should therefore not be viewed as a standalone function under the sole responsibility of the tech department, but a skillset that must be present throughout an organisation. Staff should be regularly trained in cybersecurity in order to keep employees up to date with protocol and to ensure company-wide awareness of potential threats and best practices.
For example, knowing how to identify fraudulent email addresses, being diligent in not opening unsolicited attachments, and knowing the proper channels to report suspected attacks are basic yet high-impact skills that all employees should be trained in. It is also important that all employees are trained in the immediate steps to take if a device has been infected with malware or a fraudulent email has succeeded, so that the impact of the attack is mitigated as far as possible.
Diligence across the board
Whalers’ strength lies in their ability to closely mimic an employee by using an email address one letter away from the authentic address, language in line with the authentic sender’s typical voice, and details of genuine deals or events that are familiar to the target. Whether the communication is drafted via AI or by a person, whaling relies on source data to imitate.
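The ‘one letter away’ address trick described above, and the skill of spotting a fraudulent sender mentioned earlier, can be backed by a mechanical check that runs before anyone acts on a message. The following is an added illustration, not code from the article or from any of the organisations it mentions: it parses a From header, compares the sender’s domain against a list of trusted domains using edit distance to catch lookalikes, and checks that a display name matching a known executive is paired with that person’s real address. The directory, the domains and the sample headers are constructed for the example.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed sample data: a hypothetical company directory mapping display
# names to the only address allowed to carry them, and the domains staff
# are expected to receive business correspondence from.
DIRECTORY = {
    "Jane Doe": "jane.doe@example-corp.com",
}
TRUSTED_DOMAINS = {"example-corp.com", "example-supplier.com"}

# Domains within this many single-character edits of a trusted domain are
# treated as lookalikes (e.g. a swapped letter or a dropped character).
LOOKALIKE_MAX_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


@dataclass
class Verdict:
    address: str
    codes: set = field(default_factory=set)   # machine-readable reason codes
    details: list = field(default_factory=list)  # human-readable explanations

    @property
    def suspicious(self) -> bool:
        return bool(self.codes)


def check_sender(from_header: str) -> Verdict:
    """Flag a From header whose address or display name does not line up."""
    name, addr = parseaddr(from_header)
    verdict = Verdict(addr)
    if not addr or "@" not in addr:
        verdict.codes.add("unparseable")
        verdict.details.append(f"could not parse an address from {from_header!r}")
        return verdict

    domain = domain_of(addr)
    if domain not in TRUSTED_DOMAINS:
        verdict.codes.add("untrusted-domain")
        verdict.details.append(f"{domain} is not a trusted domain")
        # A near-miss of a trusted domain is the classic whaling sender.
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= LOOKALIKE_MAX_DISTANCE:
                verdict.codes.add("lookalike-domain")
                verdict.details.append(f"{domain} is a lookalike of {trusted}")

    # A familiar name on an unfamiliar address is the other half of the trick.
    expected = DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        verdict.codes.add("display-name-mismatch")
        verdict.details.append(f"display name {name!r} belongs to {expected}, not {addr}")
    return verdict


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one lookalike, one unrelated.
    for header in ("Jane Doe <jane.doe@example-corp.com>",
                   "Jane Doe <jane.doe@examp1e-corp.com>",
                   "Billing <billing@unrelated.test>"):
        v = check_sender(header)
        print(f"{header!r}: suspicious={v.suspicious} {v.details}")
```

A check like this belongs in the mail gateway or a reporting add-in rather than in the reader’s head; its output is a prompt to verify through another channel, not a final verdict, since a genuine address can also be compromised.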
Personal information such as birthdays and hobbies drawn from social media profiles can add convincing details to falsified communications, and hackers have even been known to use schedule data from discarded documents to avoid contacting a victim when they are in a meeting with the individual being impersonated.
Ongoing cybersecurity skilling should be the foundation of a culture of operational security awareness. Developing a sense of what information can pose a risk, and knowing how to protect it properly, will ensure individuals can identify and stop seemingly innocuous activity that provides fuel for hackers. Team members should be trained in how to ensure their personal online presence does not enable hackers, through skilling on privacy settings, setting up firewalls and anti-virus software, and using encryption.
Two is a magic number
Although implementing cybersecurity awareness throughout a workforce can provide a powerful shield against many hacks, a second filter for the verification of any sensitive action, such as the transfer of funds or data, is also essential.
Whaling attacks depend heavily on the authority of the individual being targeted. Even for high-level executives, protocol must be in place to prevent any individual from verifying an action without secondary clarification.
Two-step verification may be an automated process embedded in company software or a manual process. Whether the second step of verification comes from a separate individual or from the same person on a different platform, businesses should ensure that staff are fully skilled in proper practice for two-step verification, and regular cybersecurity training makes this practice habitual.
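The ‘second filter’ the last three paragraphs describe can be encoded as a policy check that a payments or data-release system runs before executing a request. The following is an added example, not code from the article or from any organisation it mentions; the rules it enforces (the requester can never approve their own request, large transfers need two distinct approvers, and at least one approval must arrive over a channel other than the one the request came in on) and the threshold value are assumptions chosen to illustrate the principle.

```python
from dataclasses import dataclass, field

# Threshold above which two distinct approvers are required. Constructed
# value; a real policy would set this from the firm's risk appetite.
DUAL_APPROVAL_THRESHOLD = 10_000.0


@dataclass
class Approval:
    approver: str   # identity of the person confirming
    channel: str    # how they confirmed: "email", "phone", "portal", ...


@dataclass
class TransferRequest:
    requester: str        # who asked for the transfer
    origin_channel: str   # channel the request arrived on, e.g. "email"
    amount: float
    approvals: list = field(default_factory=list)


def may_execute(req: TransferRequest,
                dual_threshold: float = DUAL_APPROVAL_THRESHOLD) -> tuple:
    """Return (allowed, reason) under a dual-control, out-of-band policy."""
    if not req.approvals:
        return False, "no approval recorded"

    approvers = {a.approver for a in req.approvals}
    # The person who raised the request, however senior, cannot be a verifier:
    # this is the rule that removes the value of impersonating an executive.
    if req.requester in approvers:
        return False, "requester cannot approve their own request"

    required = 2 if req.amount >= dual_threshold else 1
    if len(approvers) < required:
        return False, f"{required} distinct approver(s) required, have {len(approvers)}"

    # At least one confirmation must travel over a channel the attacker does
    # not control, i.e. not the channel the request itself arrived on.
    if not any(a.channel != req.origin_channel for a in req.approvals):
        return False, f"at least one approval must be out-of-band (not via {req.origin_channel})"

    return True, "approved under dual control"


if __name__ == "__main__":
    # Constructed sample: an emailed request, mirroring the scenario in the
    # opening paragraph, walked through the policy with different approvals.
    req = TransferRequest("ceo@example-corp.com", "email", 3_000_000.0)
    print(may_execute(req))
    req.approvals = [Approval("cfo@example-corp.com", "email")]
    print(may_execute(req))
    req.approvals = [Approval("cfo@example-corp.com", "phone"),
                     Approval("treasury@example-corp.com", "portal")]
    print(may_execute(req))
```

The check is deliberately boring: it does not try to decide whether the email was genuine, only whether the organisation’s own procedure was followed. That is what makes it robust against a convincing forgery, and why the training the article calls for matters: the control only works if staff treat the out-of-band step as routine rather than as an insult to a senior colleague.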
Cybersecurity skills are not a luxury
Even the most robust automated cybersecurity systems can be rendered redundant by hackers able to mobilise an organisation’s people against them. Ongoing efforts and up-to-date education on secure practices are central to preventing whaling and other types of cyber attacks.
Businesses should conduct regular assessments on their cybersecurity infrastructure, policies, and their workforce’s skills to ensure all are working effectively to defend against the full range of possible attacks. This requires people to be trained to properly carry out these assessments and maintain best practice, or firms can look to invest in external cybersecurity support.
Investment into cybersecurity skills is not a luxury, but a necessity, and those that fail to properly set up and maintain systems and protocols to defend against hackers leave themselves open to fraud or data breaches. With regulators and government bodies paying particularly close attention to the vulnerability of the financial services sector to cyber attacks, it is an issue that cannot afford to wait.