
Financial Whaling and Phishing Advisory

GDPR

It is your responsibility to report a data security breach to the Information Commissioner's Office (ICO), based on the guidance provided by the Information Commissioner. Impact Computing does not provide guidance on whether a breach should be reported.

 

Fraud, Cyber Crime and Phishing Attempts

Where you have been the victim of fraud, cyber-crime or a phishing attempt, you can report it to the police using the following site: Action Fraud UK Police Report. With any security incident, we advise that you also inform your bank.

 

Financial Whaling/Phishing

Whaling is a highly targeted phishing attack - usually aimed at senior staff (especially those with access to company bank accounts) - masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a bank transfer of funds.

Phishing is a less individually targeted, more widely sent attempt to obtain sensitive information.

If you are the victim of a Whaling/Phishing attack, please keep the following points in mind:

What you need to do:

  • Where funds have been sent or there has been any kind of financial involvement, contact your bank as a matter of urgency.
  • If you have entered username/password details in any sites linked to in this scam, please let us know as soon as possible.
  • Where the criminal has registered domains or e-mail addresses that are similar to your company's (i.e., imagine your site is mycompany.co.uk and the criminal has registered a misspelling like mycommpany.co.uk in an effort to trick people), we recommend that you take action to have those accounts/domains removed. You can either do this yourself by contacting the domain/account abuse team (please ask us if you need help to identify who this is) or we can complete the process for you for a charge (your contract does not cover time spent as a result of criminal activity).
  • If the criminal has sent communication that shows an insight into internal company communication (for example, they have managed to obtain a copy of your e-mail signature, they have knowledge of your client base, they know the roles of internal staff, they have information they should not be privy to like bank details/letterhead design etc) then please let us know to discuss your options as soon as possible.
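The lookalike-domain point above can be checked automatically on inbound mail. The following is an added example, not code from the advisory or from Impact Computing: it flags sender domains that are a near miss of your own domain (doubled or missing letters, digit-for-letter swaps, or the same name under a different suffix). "mycompany.co.uk" is the page's own illustrative domain; the homoglyph list, the distance threshold and the sample addresses are assumptions constructed for the example.

```python
# Added example, not from the advisory: flag inbound sender domains that look
# like a misspelling of your own domain. Sample data and thresholds are constructed.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # assumed look-alike swaps

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(label: str) -> str:
    """Map look-alike characters to their plain equivalents."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def is_lookalike(sender_domain: str, own_domain: str, max_distance: int = 2) -> bool:
    """True if sender_domain is a near miss of own_domain (identical is not flagged)."""
    sender, own = sender_domain.lower(), own_domain.lower()
    if sender == own:
        return False
    # Split 'mycommpany.co.uk' into the name 'mycommpany' and the suffix 'co.uk'
    s_name, _, s_suffix = sender.partition(".")
    o_name, _, o_suffix = own.partition(".")
    s_name, o_name = normalise(s_name), normalise(o_name)
    # Same name under a different suffix, e.g. mycompany.com vs mycompany.co.uk
    if s_name == o_name and s_suffix != o_suffix:
        return True
    # Homoglyph swap or a small number of typos in the name part
    return levenshtein(s_name, o_name) <= max_distance

def flag_senders(addresses, own_domain):
    """Return the addresses whose domain looks like own_domain, for manual review."""
    return [a for a in addresses if is_lookalike(a.rsplit("@", 1)[-1], own_domain)]

# Constructed sample of sender addresses from an inbound mail log
SAMPLE_SENDERS = [
    "md@mycompany.co.uk",        # genuine
    "md@mycommpany.co.uk",       # doubled letter (the advisory's example)
    "accounts@myc0mpany.co.uk",  # digit zero in place of the letter o
    "md@mycompany.com",          # same name, different suffix
    "supplier@othercorp.example",
]
```

Short domain names will match more unrelated senders at a distance of 2, so tune max_distance to your own domain length and review the flagged list rather than blocking on it automatically.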

What we will do:

  • If you report to us that you have entered username or password details into any phishing site, we will perform an immediate reset of all passwords on services that we look after.

What you should be aware of:

  • These types of scams are not only attempted by e-mail; they can also come via phone call, letter, fax or even face to face.
  • Always verify a request for a change of bank details or a request for payment by telephoning the company/person directly and confirming it with a trusted contact. This includes requests that appear to be internal (i.e., as the accounts contact you receive an e-mail that "appears" to be from your managing director asking you to make a payment, purchase or any other money-related task).
  • We recommend against publishing e-mail addresses and job roles on your company website or any social media.
  • We can offer additional paid Office 365 services, for example Advanced Threat Protection, that will improve security for your entire organisation - please contact us for details.
  • We offer a paid-for phishing test service where we send a test phishing scam to people within your company to help identify any training required - please contact us for details.