Steering clear of email whaling scams at work

Email scams aren’t restricted to personal email accounts, as U.S. tech company Ubiquiti Networks discovered in October 2015. Cyber-thieves stole millions of pounds through an email scam known as ‘whaling’ – when criminals target one large corporation with a massive cyber-attack. It’s different from ‘phishing’, which involves emails sent out en masse to individuals and organizations, and it’s potentially more dangerous.

‘Whaling’ involves criminals targeting a single organization and acquiring the names and email addresses of senior employees. They then send emails from accounts with (almost) identical addresses, duping unsuspecting employees into transferring funds and/or sensitive information.

Due to the personalized nature of the scam, it can be easily overlooked and difficult to detect. This is why it’s crucial to be vigilant in the workplace when you’re handling emails. Fortunately, there are simple steps you can take to minimize the risk of falling victim to a whaling scam.

Check the email address carefully

It may sound obvious, but if you’ve received a request from a senior manager regarding the transfer of funds or sensitive information, ensure that you check the email address. With whaling scams, there will often (but not always) be small differences between the bogus and authentic addresses. It’s a simple step to take and one which could prevent your company losing money.

Look out for unusual requests and attachments

Look at the content of the email. If there’s a request for funds or sensitive information, consider whether this is something you’d expect from this employee. If it’s an unusual message, then telephone your colleague and verify it was sent by them.

The same applies to email attachments – if it’s not something you’d expect to see, then, whatever you do, don’t open it. Contact the employee via an alternative method and check before clicking on it. It could contain malware.

Make sure your employees/colleagues are security aware

With cyber-attacks on the rise, it’s crucial employees know how to identify security threats and respond to them. There needs to be an awareness of the techniques employed by criminals. If you’re a manager, make sure your team undertakes training in digital security.

Be careful on social networking sites

Cyber-attackers have been known to use social networking sites like Facebook and LinkedIn to gather information on companies and their employees. That’s why it’s important to be sensible about who can view your personal information.

It’s probably not a good idea to make sensitive information, such as your address, work phone number and email address, publicly viewable. If you do want to share these details, then it at least makes sense to restrict their visibility to your friends and colleagues. These are simple actions that won’t affect your social networking experience.

Taking these steps should minimize your exposure to ‘whaling’ scams. Make sure you’re not lax about email security in the workplace; you and your company could be targeted in many of the same ways you already guard against on your personal account.