Whaling and spear phishing are latest scams targeting execs

Cybercriminals, no longer satisfied with a sweeping, general approach, are adding another weapon to their arsenal - so-called spear phishing attacks, or scams that are targeted at specific individuals.

Not surprisingly, according to security vendor MessageLabs, the latest targets are executives. Finding the names of top executives is easy - they're usually found on company websites. Cybercriminals then do some research on the individuals and write e-mails that directly relate to their role at the company in hopes that they will click on a link, Network World reported. The link brings the executives to a site that downloads malware onto their computers. The malware tracks their keystrokes, which can reveal sensitive information.

Some anti-phishing tips
  • Education: one of the best strategies to combat phishing is to educate your users about current attack methods and to teach them what to do in the event of a phishing attack.
  • Where possible, use two factor authentication, which requires an additional mechanism (ID card or code-generating key fob) as well as a password.
  • Avoid mass-mailing customers links to your website - doing so encourages them to accept such emails as normal.
  • Use anti-phishing systems to identify phishing content in both e-mails and web sites through add-ins to your browser and e-mail client. Systems include: NetCraft Toolbar, Google Safe Browsing, eBay Toolbar, Earthlink Scamblocker, Geotrust Trustwatch or McAfee SiteAdvisor.
  • Report suspicious mails to your e-mail administrator or ISP and alert the APWG.
  • Report all incidents where fraud occurs to the police.
  • Source: SANS Institute.

    MessageLabs earlier this year spotted two e-mail blasts of what they are calling whaling. The e-mails claim to come from the Better Business Bureau or a recruitment company, or they seek invoice information. In June, MessageLabs caught 514 e-mails sent to executives in various organizations over two hours. In September, 1,100 whaling attacks were detected within 15 hours.

    "It's really the social engineering that has tipped the balance now; now [phishers] are becoming much more technologically sophisticated as well as applying psychology to what they're doing," said Paul Wood, senior analyst with MessageLabs. "Now they conduct a lot of research before they attack, so it becomes much more difficult to recognize those attacks," Network World reported.

    Jennifer Openshaw, a MarketWatch columnist, has a few tips on sniffing out bad e-mails. Beyond the obvious advice - don't reply to suspicious e-mails or open attachments - she advises always using good antispyware and making sure your firewall is on at all times. Also, she said snopes.com is a good resource to find out if some sob story is really true, and phishing scams should be reported to the Anti-Phishing Working Group (APWG) at reportphishing@antiphishing.org. She also suggested typing "phishing" and the name of the source, "IRS" or "Paypal," for example, into your search engine. You can find out if your e-mail is a scam pretty fast that way, she writes.

    The APWG reports some good news, however. In a July report on trends, it said the average time online for phish sites is about 3 and a half days, versus a week in 2003. The APWG says, "Response strategies are slowly closing phishers' felonious windows of opportunity."
