4. Use common sense with social networking.
Facebook, LinkedIn, and other social networking sites have become valuable tools for building business contacts and for online collaboration and recruiting. But they're also places where whalers go to gather information that they can use in attacks.
"The criminals behind whaling are doing their research on company websites, finding key individuals to pose as and following up their research on Facebook and LinkedIn to make the phishing emails more personal," says independent consultant Siciliano.
Some companies ban business use of social networking outright. For example, Ocean Bank doesn't allow employees to use sites such as Facebook and YouTube for any work purposes, and it blocks access to these sites from its corporate network. When people need access to social networking sites from work, they must first gain permission from the information security department, says Ocean Bank's Pinon. This applies even to senior executives.
For most organizations, blocking or curbing social media activity is not realistic. Still, there are things you can do to avoid helping out the whalers. As websites such as LinkedIn recommend, don't link to people you don't know or trust whoever sends an invite, even if it sounds like a potential customer or business partner.
Be sensible about what you post: "Not revealing too much information on the publicly visible portions of social networking profiles can help significantly," says Intrepidus's Belani. "If an attacker is able to determine from someone's Facebook profile -- without being connected as a friend -- where they grew up, their marital status, date of birth, etc., they can craft a message that is very appealing and win over their confidence easily to act on the email link."
Practice safe browsing to avoid viruses and keystroke-capture programs, says SystemExperts' Gossels: Keep your antivirus/malware detection software up to date, keep your browser updated to automatically block known attacks and known bad sites, separate work and play (consider using a separate browser for each), and if you must download content be sure to scan it for malware before running it.
5. Use security technology to help thwart attacks.
Sure, whalers can get around some security systems. But companies should still take advantage of the capabilities of available security technology such email-embedded digital signatures. The use of digitally signed email allows people to create their own trusted contacts and can increase the privacy of the their emails, says Sonalyst's McCusker. Other security tools, such as spam filters, firewalls, and intrusion detection and prevention systems, can help incrementally reduce the threat, he says.
Event aggregation and correlation products can be used to identify whaling and related behavioral activities. Emerging intelligent response tools such as Mandiant's Intelligent Response agent can help minimize the impact of a whaling attack after it occurs.
"Response technologies provide actionable and collective intelligence that can increase an organization's ability to mitigate whaling-based attacks and decrease the time to recover their critical business processes [and] decrease their chances for reinfection after the first attack," McCusker says.
Some security products such as firewalls can be fine-tuned with additional rule sets to look out for potential whaling activities and other suspicious anomalies, McCusker says. Security forensics systems can also be used to analyze what took place during an attack, so companies can be aware of an ongoing attempt to compromise corporate systems, he says.
But as InfoWorld's security columnist Roger A. Grimes notes, you can't rely on automated security tools to safeguard your user, information, and network -- you have to do hands-on investigation and monitoring as well.
Whaling is a serious threat that preys on users' benign faith
Experts say whaling should be taken seriously as a threat. "Most of us go through life feeling that we are anonymous -- just another face in a crowd, and that no one is specifically watching us," says SystemExperts' Gossels. "Whaling preys on that human trait. It takes only seconds to learn names, roles, email addresses, and phone numbers. Suddenly, someone is capable of watching you and you don't know it."
To reduce the chances of being whaling victims, those in key roles need to recognize that they are potential targets and behave defensively.
This story, "How to stop your executives from being harpooned," was originally published at InfoWorld.com. Follow the latest developments in computer security at InfoWorld.com. For the latest developments in business technology news, follow InfoWorld.com on Twitter.