What is whale phishing?
by Kapua Iao
Whale phishing is a type of phishing attack in which a cyberattacker’s target is a high-profile executive in an organization.
Because of the victim’s status and access to valuable information, hackers consider them a “big phish” or a “whale.”
Let’s explore phishing and whale phishing and their effects on covered entities (CEs) within the healthcare industry. This blog will then conclude with the importance of a strong cybersecurity program that safeguards protected health information (PHI).
The risks of phishing
Phishing is a malicious attempt to trick people into taking an action they would not knowingly take. It is a popular tool because employees of any organization are seen as the weakest link, especially within stressful industries like healthcare.
Accordingly, email is the threat vector cyberattackers use most, making email phishing the best-known form.
The healthcare industry is particularly susceptible because of its valuable data (i.e., PHI) combined with overworked employees, the reliance on smart devices, and the continual use of outdated computer systems.
Initially, phishing emails were easy to spot; today, however, hackers create well-crafted messages. Targeted phishing schemes can trick even the most security-conscious user.
In fact, Verizon’s 2020 Data Breach Investigations Report lists phishing as a top threat.
What is whale phishing?
Whale phishing uses the same targeted tactics as spear phishing. It is similar to business email compromise (BEC) in that both types of attacks involve executives; the difference is that BEC impersonates these people rather than victimizing them.
Hackers consider high-profile employees more profitable. And CE executives generally have more information (including PHI storage locations) on their computers, or they at least have admin access to their networks.
Even though these higher-ups generally have more knowledge about cybersecurity, tricking one means a bigger payoff.
Last year, the Children’s Hospital of Eastern Ontario faced a BEC/whale phishing attack but was suspicious due to a similar whaling scam on the City of Ottawa a month earlier. According to the hospital’s chief executive, Alex Munter, “Our finance dept is now getting a couple emails weekly from fake me. So they’re ignoring my electronic messages and doing friendly visits instead.”
Unfortunately, not all CEs respond this way. This is why it is important to focus on prevention and protection against all types of phishing.
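The “fake me” emails the hospital describes are display-name impersonation: the sender shows an executive’s name while the actual address belongs to an outside mailbox or a lookalike domain. The following Python script is an added example (not code from the original post, and not Paubox’s product) of the kind of inbound triage an email gateway or SOC script can run. It assumes a hypothetical organization domain, example-hospital.org, a small executive directory, and constructed sample messages; it flags display-name spoofing, lookalike sender domains, and a Reply-To that points somewhere other than the From domain.

```python
"""Flag inbound mail that impersonates a known executive: display-name
spoofing, lookalike sender domain, or a mismatched Reply-To header."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Hypothetical organisation domain and executive directory (constructed for this example)
ORG_DOMAIN = "example-hospital.org"
EXECUTIVES = {"alex munter": "alex.munter@example-hospital.org"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str) -> bool:
    """True when the domain is within two edits of the org domain but is not it."""
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return False
    return _edit_distance(domain, ORG_DOMAIN) <= 2


def check_message(raw: str) -> List[str]:
    """Return the reasons a raw RFC 822 message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. Display name matches an executive, but the address is not theirs
    key = name.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' claims an executive but sender is {addr}")

    # 2. Sender domain is a near-miss of the organisation's own domain
    if is_lookalike_domain(from_domain):
        reasons.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Replies would go to a different domain than the visible sender
    if "@" in reply_to:
        rt_domain = reply_to.lower().rsplit("@", 1)[-1]
        if rt_domain != from_domain:
            reasons.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
    return reasons


# Constructed sample messages (not real mail)
SAMPLES = {
    "legit": "From: Alex Munter <alex.munter@example-hospital.org>\n"
             "Subject: Board agenda\n\nPlease review.\n",
    "display_name_spoof": "From: Alex Munter <ceo.urgent@freemail.example>\n"
                          "Subject: Quick favour\n\nNeed a wire today.\n",
    "lookalike": "From: Finance <payments@example-hospita1.org>\n"
                 "Reply-To: payments@freemail.example\n"
                 "Subject: Invoice\n\nSee attached.\n",
}


def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Run every sample through check_message and map label -> reasons."""
    return {label: check_message(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, reasons in triage().items():
        print(label, "->", reasons or "ok")
```

These header checks complement, rather than replace, SPF, DKIM and DMARC enforcement at the gateway: a lookalike domain can pass all three because the attacker controls it, which is exactly why the display-name and Reply-To comparisons against an internal executive directory are worth keeping.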
The importance of strong cybersecurity
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. CEs that experience a breach and do not follow HIPAA guidelines may be found noncompliant and face an astronomical HIPAA fine.
Organizations should first focus their cybersecurity plan on employee awareness training. Training must be continuous, up-to-date, and constantly tested. Employees should know how to identify a phishing email.
Second, CEs must utilize a HIPAA-compliant email solution that blocks phishing emails from even reaching an inbox.
Paubox Email Suite Premium provides this needed inbound security along with protection against domain name spoofing. It also comes with email archiving, which is a crucial part of any business continuity plan.
And beyond these, CEs should ensure up-to-date, patched hardware and software, strong antivirus software, and a firewall, among other things.
Even executives with cybersecurity knowledge need some added protection. Don’t let someone in your organization become a victim of whale phishing; give them the necessary cyber backup so that they can do their job effectively.