Phishing scams remain one of the most popular ways a cyberattacker can target a small business. The strategy typically involves sending a fake invoice or masquerading as a business manager to obtain sensitive business information or credentials, and the tactic has security experts warning of the importance of proper employee cybersecurity training.
But a new tactic from phishers reveals how vulnerable the C-suite is, too.
In a new report from IT consulting firm Switchfast, researchers pointed to the emerging trend of “whaling” — a way for phishers to apply their strategy to upper-level executives within the enterprise in search of greater rewards.
Switchfast’s “Cybersecurity Mistakes All Business Employees Make, from Entry Level to the C-Suite” report found an array of areas in which small business managers and leaders are failing to safeguard their companies — including a lack of two-factor authentication when using business email, which makes it easier for scammers to hack into a C-suite executive’s email account and use it to send out phishing messages.
But the phishing scam is also evolving to target the C-suite itself.
“Just like with phishing, attackers will spoof emails to look like they come from trustworthy individuals in an attempt to get high-profile executives to divulge sensitive information,” Switchfast explained in its report. Employees should be trained to identify phishing scams, but the whaling tactic highlights the need for businesses to train their leadership teams, too.
When small business leaders fail to set an example on cybersecurity for the rest of the company, their firms become more vulnerable. According to Switchfast, while everyone should be trained and take proactive measures to safeguard company data and systems, the effort often begins with the leadership.
“When small businesses maintain a lax attitude towards cyber threats, it often leads to reactive policies that do little to mitigate damage when disaster strikes,” the report concluded.