There is some deeper relationship between IT security and the sea that has yet to be fathomed.
You’re probably familiar with phishing, in which hackers try to trick users into unsafe practices by sending phony emails. Popular lore suggests that “phishing” is derived from “fishing” and the idea that hackers, for some reason, like to replace the letter “f” with the letters “ph”.
A more recent addition to the hackers’ arsenal is whaling. In this case, hackers try to imitate the email style of a high-ranking member of a company, like a CEO, and trick another employee into transferring company funds (or is that “phunds”) to a bogus account. What then is the best way to fight such tactics?
Whaling emails usually contain few or no indicators that conventional anti-virus software can pick up.
There are no suspicious links or embedded malware programs, simply credible natural language instructions or requests for money to be transferred. Do such attacks work? According to the FBI (US Federal Bureau of Investigation), the answer is clearly yes.
The FBI estimates $2.3 billion has been stolen through whaling attacks during the past three years, with individual losses as high as $3 million (the Mattel Company in 2015).
Some software vendors are developing new tools to fight whaling security threats by scanning messages for references such as “wire transfer”, checking whether the sender really works for the company concerned, and identifying a fake domain name in the sender’s email address, designed to look like the company’s real domain name at a casual glance.
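The three checks just described (payment language in the body, a sender who is not really the executive they claim to be, and a look-alike domain) can be expressed as a small heuristic scanner. The code below is an added example, not code from the original post or from any vendor product; the company domain, the executive directory, the keyword list and the two sample messages are all constructed for illustration.

```python
"""Heuristic whaling / CEO-fraud checks over a raw RFC 822 message.

Added example. COMPANY_DOMAIN, EXECUTIVES, PAYMENT_TERMS and the sample
messages are constructed assumptions, not real data.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                        # assumed real domain
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}     # assumed directory
PAYMENT_TERMS = ("wire transfer", "bank details", "urgent payment", "new account")


def normalize_domain(domain: str) -> str:
    """Fold common look-alike substitutions (rn->m, 0->o, 1->l, ...) so that
    'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"),
                       ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True if the domain is not ours but resembles ours at a casual glance."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    norm = normalize_domain(domain)
    return norm == normalize_domain(COMPANY_DOMAIN) or \
        edit_distance(norm, COMPANY_DOMAIN) <= 2


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no flags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []

    if is_lookalike_domain(domain):
        findings.append(f"sender domain '{domain}' resembles {COMPANY_DOMAIN}")

    # Display name claims to be an executive, but the address is not theirs.
    if name in EXECUTIVES and EXECUTIVES[name].lower() != addr.lower():
        findings.append(f"display name '{name}' does not match directory "
                        f"address {EXECUTIVES[name]}")

    # Replies silently routed somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To '{reply_to}' differs from From address")

    hits = [term for term in PAYMENT_TERMS if term in body.lower()]
    if hits:
        findings.append("payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
FRAUD_EMAIL = """From: Jane Doe <jane.doe@examp1e-corp.com>
To: accounts@example-corp.com
Reply-To: ceo.office@mail-example.net
Subject: Quick favour

I need you to arrange a wire transfer today to a new account. I am in a
meeting, so please handle it without calling me.
"""

LEGIT_EMAIL = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Quarterly report

Please find the quarterly report attached. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, "->", analyze(raw) or "no findings")
```

Each finding is a signal, not a verdict: a legitimate message can mention a wire transfer, and a look-alike domain can belong to an unrelated business. The value is in combining the signals and routing flagged messages to the out-of-band confirmation step that the rest of this post recommends.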
Yet employee information security awareness should not be neglected either. All communications should be checked by the recipient for authenticity and double-checked with the sender (via some other channel) to confirm instructions or root out phonies.
Technology can help, but employee awareness and robust “checks and balances” processes remain among the most effective ways of combatting social engineering attacks like whaling and phishing.