The number of “whaling” attacks through company email systems is on the increase. Is your business doing everything it can to keep information and profits safe?
More and more companies are becoming aware of the pressing need to increase the security of their digital communication systems. There has been a huge increase in attacks on email communication in recent years, leading to the loss of sensitive information, client and company funds and the reputation of countless companies.
The UK government released these startling figures in 2018:
- 43% of businesses identified security breaches in the last 12 months
- 75% of employees across all businesses received one or more fraudulent emails
- 28% of employees across all businesses were being impersonated online
- 24% of businesses experienced a virus or malware attack
Even more worrisome is that only 20% of businesses believe they have the relevant tools and training to deal with this threat.
The risks of using standard email
Highly trained, highly motivated cyber-criminals are targeting businesses and helping themselves to millions of pounds via spoofed email messages.
These messages target finance staff, encouraging them to expedite a payment to a supplier that the managing director or chief executive cannot make in person because they are away from the office.
This new phenomenon has been dubbed “whaling” as the mark is one large target, as opposed to “phishing” which looks to defraud a larger number of smaller targets.
The attacker is able to intercept emails between companies and read their content. Over many weeks or even months, the attacker learns how to impersonate the style and language of those sending and receiving the emails.
The attacker is then able to send a bogus request for money, including new bank account details for the transfer. As the attacker has lots of information about the target, the request will appear to be genuine and money is very often transferred to the attacker's account.
According to a 2018 report by Symantec, the average user receives 16 malicious spam emails per month.
Even if a business only has 20 employees, that is 320 attacks per month. Businesses often trust in their employees' ability to scrutinize emails and make the right decision whether to open them or not. That amounts to 3,840 bullets to dodge every year.
An attacker is able to successfully infiltrate a target as standard email has no way to verify the email address of a sender or recipient. This means that the displayed “to” or “from” name actually has no relation to the email address behind it.
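Because the display name and the address behind it are independent, a mail filter can compare them and flag mismatches. The sketch below is an added example, not part of the original article or of any product it describes; the organisation domain, the executive name list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"      # assumed: the organisation's own mail domain
EXECUTIVES = {"jane smith"}     # assumed: names an attacker might impersonate

def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(raw, org_domain=ORG_DOMAIN, executives=EXECUTIVES):
    """Return a list of findings for display-name / address mismatches."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    # 1. Executive's name shown, but the real address is outside the organisation.
    if " ".join(name.lower().split()) in executives and from_dom != org_domain:
        findings.append("executive-name-external-address")
    # 2. Display name itself looks like an address that differs from the real one.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr.lower():
        findings.append("display-name-embeds-different-address")
    # 3. Replies would go to a different domain than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed sample headers (not taken from real traffic).
LEGIT = "From: Jane Smith <jane.smith@example.com>\nSubject: Q3 report\n\nHi"
SPOOF_NAME = ("From: Jane Smith <jane.smith@example.net>\n"
              "Reply-To: pay@example.org\nSubject: Urgent payment\n\nHi")
SPOOF_EMBED = ('From: "jane.smith@example.com" <billing@example.net>\n'
               "Subject: New bank details\n\nHi")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoof-name", SPOOF_NAME),
                       ("spoof-embed", SPOOF_EMBED)]:
        print(label, check_sender(raw))
```

These are header heuristics only; they complement, rather than replace, sender authentication and out-of-band confirmation of payment changes.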
Many medium and large companies have been targeted by these attackers, with unwitting CFOs and finance leaders losing more than £9.1bn between them since 2013. Snapchat is the latest high-profile victim, revealing employee payroll information to an unknown attacker.
As with any scam of this type, the goal of whaling is to trick someone into disclosing personal or corporate information through various methods, most typically email correspondence.
Beyond the risk of significant financial loss, compliance has been a high priority since May 2018 for companies doing business in the UK and Europe.
The new General Data Protection Regulation (GDPR), which came into force on 25th May 2018, will still apply to UK companies dealing with the EU regardless of the UK’s decision to leave the union, and has transformed the way that companies send emails.
The Information Commissioner’s Office has published detailed guidance on encryption to demonstrate when and where different strategies can help provide a greater level of protection.
All businesses need to prove they are fully compliant with the new regulations and should be focusing on the secure transmission of sensitive and financial data via email.
GDPR requires that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” and expressly states that such measures include the pseudonymisation and encryption of personal data.
A breach under this new legislation carries its own possibility of financial loss, with a fine of up to €20m or 4% of a company’s worldwide turnover.
Why are companies slow to adapt to secure email?
Statistics show that less than 20% of businesses today use any form of encryption when sending data via email. Why is this? Simply, it has been a cumbersome process both for the sender and the recipient. Frama RMail provides a secure method of sending emails that is easy to use for both the sender and recipient: no portals, no logins, no software to download and no lengthy registrations.
Even if a business is using a form of encryption, that business still needs a method of proving it has been compliant. This is where Frama RMail will help. Frama RMail provides a legal, third-party authenticated record of who said what, to whom and when. It records email delivery, opening, official time of sending and receiving, and associated message and attachment content, providing a complete audit trail and authentication.
The Frama RMail platform provides a secure environment for sending and receiving encrypted business-critical communications. There are a variety of encryption configuration options to maximise security, while maintaining user simplicity and flexibility.
This unique offering provides a powerful 256-bit encryption tool that requires no additional work from the receiver’s end. Another key benefit is that it doesn’t store any sent documents on the cloud or on any server.
Frama RMail is easy to install with no IT intervention – it is simply added to a company’s current email client – and there are also a number of additional features, such as e-signature and large file transfer.
With cyber-attacks showing no signs of slowing down, all businesses need to take steps to secure their email communication with clients and implement a system able to prove that these measures are being adhered to.
Frama RMail provides an easy-to-use solution for the transmission of sensitive and financial data via email while giving businesses the confidence that the data has been sent securely and can provide an audit trail for GDPR compliance.