How to Stop Your CEO from Becoming a Phishing Target
Business fraud affects businesses of all types and sizes, and there are no individuals within your business that are truly immune from the possibility of a targeted attack. However, there are some people who are more prone to an attack, simply because of the high value of their knowledge or access to the information within the business. Accountants, finance leads and your CEO are some of the most commonly-targeted individuals when it comes to business email compromise (BEC) attacks, more commonly known as phishing attacks. Knowledge is power, and these tips will help keep your CEO from becoming the next victim of these vicious attacks.
What’s the Difference Between Phishing, Spear Phishing and Whaling attacks?
While phishing is the most common term that you may hear, there are two additional terms that are often used when it comes to upper executives or more targeted attacks: spear phishing or executive whaling. These more specialized attacks go beyond the broadscale spam of phishing attacks that are meant to net any type of “fish” who is willing to click a link. In a spear phishing or whaling attack, the hacker has researched your business and knows enough from either social media or your corporate website to target specific individuals. Cybercriminals spend the time and effort to find any key vendors for your business or some personal details that will inspire confidence in your executives. The assailants then leverage this information to create a highly specific and tempting message that feels more like a personal email from a known vendor partner or internal asset in an attempt to gain control of your systems or to get access to sensitive information. The term spear phishing generally refers to tactics that are specific to a few mid-level individuals in your payroll or accounting department while executive whaling is targeted directly at your CEOs and other C-suite leaders.
What’s the Potential Payoff for Cybercriminals?
This investment by the cybercriminal is expected to have a high-dollar payoff and there’s only one chance at success — so the hacker has a vested interest in taking the time to do it right the first time. Each subsequent request increases the potential of being discovered and reduces the possibility of a return on their investment of time. The fraudulent emails are often requesting that the recipient transfer a large number of funds, pay a massive invoice or otherwise release information to what the target thinks is a “trusted” party. The FBI estimates that a single targeted whaling attack can release upwards of $150,000 in funds to a cybercriminal, making this an extremely lucrative pastime for these malicious actors.
Your CEO Should Be Wary of These Tactics
Coaching your CEO to stay out of the way of cybercriminals starts with an ongoing dose of education. In this case, attackers tend to follow a pattern of sorts that is relatively easy to isolate as long as you’re actively looking for this type of interaction. Receiving an email from vendors that have already invoiced you for the month, or requesting a different payment method that they have not used in the past (such as a direct funds transfer) should be a big red flag for your senior executives. Be cautious of emails that come in from trusted individuals with a slightly different email address; e.g. “@Micros0ft.com” instead of “@Microsoft.com”, as hackers are now spoofing entire mail domains in an attempt to release funds and data from your organization. Funds aren’t the only things that are requested by these organizations — personal information such as tax records also command a high rate on the dark web. This quick flowchart from KnowBe4.com may be a helpful graphic to share with your executive team.
Protecting your organization from the tactics of cybercriminals is not a one-time problem or solution, but requires an ongoing and dedicated effort to foil the efforts of these actors. Keeping your finance teams and senior executives safe can save your organization hundreds of thousands of dollars in remediation and notification costs, not to mention the frustration and difficulties associated with handling a significant breach.