Whale phishing, or Business Email Compromise (BEC) scams, are phishing attacks that target the “big fish” of a company or organization.
The crux of email phishing is data, and that is what makes it so difficult to defend against. Scammers leverage any information available to better disguise themselves as real individuals, including social media and previous data hacks and leaks.
“Email phishing is much more involved than just a virus,” says Paul Everton, the founder of MailControl.
MailControl is an email security startup and anti-spymail solution. It powers MailControl’s Enterprise Privacy Shield (EPS), which sits on top of an enterprise email server to disable hidden tracking codes in incoming emails.
Everton says email trackers offer a key piece of information to phishers: where and when targets open their email. By disabling tracking codes, Everton says brands can strengthen cybersecurity by safeguarding employee privacy and protecting confidential information.
Customers have the option to customize the tracking service by turning any trackers on or off, enabling email marketers to find the Goldilocks balance between insights-driven email marketing and company security.
Whale phishing isn’t just a CEO problem. “Phishing is everywhere,” says Everton. Those who have access to wire transfers, tax information or budgetary details are more likely to be targeted, says Everton, asserting that “everybody should be on the lookout.”
A marketing director might not have access to their employees’ W2s, but they likely have information about their department’s budget, vendors and customers. Gleaning that data could help an email phisher further exploit individuals, says Everton.
Understanding whom a CEO communicates with, including their secretary, adds weapons to a scammer’s arsenal. “The best way to phish is to gather evidence,” says Everton. “The more information you know, the easier it is to exploit.” He recommends a combination of technology and education to help safeguard company, employee and customer security.
One training service that Everton recommends is PhishMe, a Virginia-based company that trains employees to spot, report and mitigate phishing attacks.