Email phishing scams targeting executives have skyrocketed over the past year, costing companies billions in losses and inspiring an FBI alert or two.
Whale phishing, or Business Email Compromise (BEC) scams, are phishing attacks that target the “big fish” of a company or organization.
The crux of email phishing is data, and that is what makes it so difficult to defend against. Scammers leverage any information available to better disguise themselves as real individuals, including social media and previous data hacks and leaks.
“Email phishing is much more involved than just a virus,” says Paul Everton, the founder of MailControl.
MailControl is an email security startup and anti-spymail solution. It powers MailControl’s Enterprise Privacy Shield (EPS), which sits on top of an enterprise email server, to disable hidden tracking codes in incoming emails.
Everton says email trackers offer a key piece of information to phishers: where and when targets open their email. By disabling tracking codes, Everton says brands can strengthen cybersecurity by safeguarding employee privacy and protecting confidential information.
Customers have the option to customize the tracking service by turning any trackers on or off, enabling email marketers to find the Goldilocks balance between insights-driven email marketing and company security.
Whale phishing isn’t just a CEO problem. “Phishing is everywhere,” says Everton. Those who have access to wire transfers, tax information or budgetary details are more likely to be targeted, says Everton, asserting that “everybody should be on the lookout.”
A marketing director might not have access to their employees’ W2s, but they likely have information about their department’s budget, vendors and customers. Gleaning that data could help an email phisher further exploit individuals, says Everton.
Understanding with whom a CEO communicates, including their secretary, adds weapons to a scammer’s arsenal. “The best way to phish is to gather evidence,” says Everton. “The more information you know, the easier it is to exploit.” He recommends a combination of technology and education to help safeguard company, employee and customer security.
One training service that Everton recommends is PhishMe, a Virginia-based company that trains employees to spot, report and mitigate phishing attacks.