The threat of cyber crime is nothing new for the average business. But new technologies like AI give fraudsters access to even more sophisticated tools, enabling them to hyper-focus their attempts on high-value targets, including top executives and C-suite members. Aileen Allkins of elev8 Digital Skilling shares tips for making sure staff at all levels have the tools they need to spot a fraud attempt.
Cyber attacks against financial services organizations have surged since the start of 2022, rising by 81%, according to a recent analysis. If cyber crime wasn’t previously high on the agenda for senior executives, it certainly is now, and business leaders across all sectors must be aware of the threats they face and how to mitigate them.
One such threat that has emerged in recent times is whaling, a specific form of phishing that targets organizations’ most influential employees. By selecting victims at the very top of the org chart, hackers are able to reap dividends well into the millions with just one email.
Characterized by ultra-realistic mimicry and real-life details, whaling emails target high-level executives with convincing requests for the transfer of funds or sensitive data. Notably, whaling and other scam emails are increasingly making use of AI to fabricate a highly convincing tone of voice, and spam email addresses are often just one character away from that of the colleague they are mimicking.
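The one-character-away sender addresses described above can be caught mechanically rather than left to a busy executive's eye. The following is an added example, not code from the article or from elev8: a Python check that compares each inbound sender address against a constructed directory of trusted executive addresses, first folding common look-alike characters and then measuring edit distance. The domain example.com, the directory entries and the sample senders are all assumptions made up for this illustration.

```python
"""Flag inbound sender addresses that closely resemble a trusted address.

Added example (not from the article). A mail gateway hook or a SOC triage
script could run this over the 'From:' address of each inbound message.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed directory of trusted senders at a hypothetical company.
TRUSTED = {
    "ceo@example.com",
    "cfo@example.com",
    "jane.doe@example.com",
}

# Visually confusable substitutions seen in look-alike addresses.
# Each is folded to its canonical form before comparison.
CONFUSABLES = [
    ("rn", "m"),   # 'rn' renders much like 'm'
    ("vv", "w"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def normalize(addr: str) -> str:
    """Lower-case the address and fold confusable character groups."""
    addr = addr.strip().lower()
    for lookalike, canonical in CONFUSABLES:
        addr = addr.replace(lookalike, canonical)
    return addr


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    closest: Optional[str]   # trusted address it most resembles
    distance: int            # edit distance after normalization
    suspicious: bool


def check_sender(sender: str, trusted: Iterable[str] = TRUSTED,
                 max_distance: int = 2) -> Verdict:
    """Classify one sender address.

    An exact match to the directory is trusted. Anything else that is within
    `max_distance` edits of a trusted address (after folding confusables) is
    flagged as a probable look-alike.
    """
    raw = sender.strip().lower()
    trusted = set(trusted)
    if raw in trusted:
        return Verdict(raw, raw, 0, False)

    norm = normalize(raw)
    distance, closest = min(
        (edit_distance(norm, normalize(t)), t) for t in trusted
    )
    return Verdict(raw, closest, distance, distance <= max_distance)


def flag_inbound(senders: Iterable[str]) -> list:
    """Return only the verdicts that warrant a second look."""
    return [v for v in (check_sender(s) for s in senders) if v.suspicious]


if __name__ == "__main__":
    # Constructed sample of inbound 'From:' addresses.
    sample = [
        "ceo@example.com",          # genuine
        "ce0@example.com",          # digit zero for letter o
        "cfo@exarnple.com",         # 'rn' for 'm'
        "jane.doe@example.co",      # truncated TLD
        "vendor@othercorp.com",     # unrelated external sender
    ]
    for v in flag_inbound(sample):
        print(f"SUSPICIOUS {v.sender} resembles {v.closest} (distance {v.distance})")
```

The folding step matters more than the distance threshold: without it, `ce0@example.com` is a genuine one-character difference, but `cfo@exarnple.com` is two characters away and a larger threshold would start flagging unrelated addresses. Flagged messages should be held or marked for the recipient, not silently dropped, so that a legitimate colleague using a secondary domain is not lost.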
While whaling attempts may be highly convincing, their effectiveness depends on being able to exploit weak spots in the victim’s digital literacy. According to Verizon, 82% of all cyber breaches involve human error, and hackers frequently rely on this to manipulate their target into making a mistake.
Although the actions of employees are central to so many attacks, research has shown that organizations themselves may be falling behind in providing adequate training on modern attack scenarios. The UK’s Department for Science, Innovation & Technology recently reported that only 18% of businesses had provided cybersecurity training to all staff in the past year. While businesses are generally aware of the need for high-level cybersecurity measures, including appropriate education, too often these needs exceed the capacity of an overstretched IT department.
Cybersecurity at every level
Every employee that works with technology is a possible target for a cyber attack, making cybersecurity a vital skill for almost all roles in a business. Rather than a standalone function limited to a tech department, cybersecurity should be viewed as a foundational pillar of an organization-wide digital ecosystem that every member of the workforce should be equipped to play their role in protecting.
Regular training to bring staff up to date with cybersecurity protocols, current threats relevant to their role and best practices not only builds an organization’s cyber skillset but also helps maintain a culture of cybersecurity awareness. Employees who are upskilled in simple yet powerful cyber defense practices will cease to be an easy access point for hackers.
The effectiveness of a whaling attempt is often dictated by the fraudster’s ability to mimic a particular employee, crafting a message using language in line with that of the supposed sender, weaving in details that the target will recognize as genuine.
Cyber criminals fuel these communications by collecting information from publicly accessible sources, such as social media platforms, discarded documents and sometimes previously hacked materials. Through training, staff can be guided to develop an instinct for what seemingly innocuous information may pose a risk if incorrectly handled or shared. Regular education on the use of privacy settings, encryption, antivirus software and firewalls can provide a powerful guard against hackers.
While bolstering employees’ awareness of threats and cutting off attackers’ sources of exploitable material may diminish the likelihood of a successful cyber attack, protocols such as two-step verification must also be in place, and they must become regular practice.
The authority of the targeted individual is a central tool in whalers’ strategy, and so safeguards like two-step approval for transfers of funds or data should be required for even the most senior executives. Whether a secondary request is automated or performed manually, employers should ensure that staff are fully aware of what proper and truly cyber-secure verification processes look like.
A workforce that is trained to identify information that can pose a risk, made aware of the particular threats their position may be subject to and equipped with an understanding of how they can properly protect their data is an essential element of a robust cybersecurity strategy.
Cybersecurity is necessary and achievable, but it requires committed investment into training and ongoing efforts from every individual in a business. Businesses with a cybersecurity strategy limited to software and IT professionals overlook the most powerful agent in a digital workplace — the people who work within it — to their peril.