Is the CEO immune to the effects of phishing?
Numerous online scams continue to lure individuals into divulging their personal information or financial details. More than 2 million websites employ deceptive tactics, 18 million fraudulent emails circulate daily, and SMS messages commonly offer access to enticing content, such as photos of «attractive individuals». Scammers even resort to phone calls impersonating bank security services. These and other forms of phishing attacks are likely familiar to many readers of our blog.
Even those who possess basic knowledge of cybersecurity can't help but feel vulnerable to phishing attacks. The typical victim of a phishing scam is often depicted as an office worker who unknowingly clicked on a link from a supposed business partner, revealing the company's banking information to a fraudulent website. Alternatively, one might imagine a young office manager who tried to save money by purchasing discounted furniture using a corporate credit card, only to divulge sensitive data to a fake vendor. Another common scenario is a sales employee who received a threatening message from a purported client demanding immediate payment of a supposed debt, leading them to pay the fraudulent claim via the financial department.
We are not alone in stereotyping phishing victims this way. Business owners, CEOs, and top-level managers themselves tend to think they are immune to phishing attacks, based solely on their high status. Unfortunately, this assumption is misplaced. Cybercriminals are becoming more sophisticated in their tactics, particularly when it comes to "whaling," the targeting of high-value individuals. These scammers are cunning, resourceful, and have an uncanny ability to gain trust. The consequences of a successful attack can be devastating, resulting in significant financial and reputational harm that can be difficult for an organization to overcome.
Spies and actors
Targeted attacks on high-level executives or business owners are not commonplace, and thus, cybercriminals who specialize in whaling are considered the elite of their field. To excel in this craft, hackers must be meticulous and detail-oriented, leaving no stone unturned. Each attack is preceded by months of careful planning and research, with the hacker gathering as much information as possible about the victim's personal and professional life. The tactics used in whaling attacks continue to leverage emotional responses from the victim, but are much more subtle and sophisticated than those seen in mass phishing attempts. By playing on the victim's emotions in a more nuanced way, attackers can achieve the desired result with greater success.
For example, during the height of the global financial crisis in 2008, several high-level executives at major financial institutions in the western United States received an email containing a link to what appeared to be a scanned subpoena from the San Diego District Court, along with instructions for preparing for a jury trial. The timing and content of the email were carefully crafted by the hackers, who capitalized on the turbulent climate of bank failures, disgruntled investors, and lawsuits. Fast forward to 2023, and a similar scenario could easily occur again, leaving businesses vulnerable to whaling attacks that take advantage of current events and public sentiment.
During the financial crisis, the American justice system was working overtime to protect citizens, which may have contributed to the success of the phishing attack. In a more peaceful period, the electronic form of a subpoena may have raised suspicion, but in the chaos of the time, the victims were more likely to download the fake scan without question. Unfortunately, by doing so, they unwittingly installed a keylogger and backdoor Trojan on their computers, giving the hackers complete control. The extent of the data obtained by the attackers and whether it was successfully used in subsequent attacks remains a mystery.
Another strategy employed by whaling hackers involves completely impersonating the victim and stealing money from their company account. This approach requires a high degree of empathy, as the hacker must convincingly play the role of another person without arousing suspicion. To achieve this, the hacker conducts extensive research on the victim's personal and professional contacts, sometimes even recruiting an insider to assist in the attack. For example, the hacker may target the personal assistant of the target, who has the authority to send emails on behalf of the boss, and install software on their computer or smartphone to facilitate the attack.
Indeed, the attackers' ultimate goal is to obtain access to the company's financial resources, and they use various techniques to achieve this, including mimicking the top-level executives to trick the financial department into transferring money to the attackers' accounts. To succeed in this type of attack, the hackers must have excellent communication skills, knowledge of the company's internal structure and procedures, and the ability to manipulate the victim's emotions and behavior. Once the attackers gain access to the company's financial resources, the damage can be severe, and the recovery can be very difficult or even impossible. Therefore, it is essential for companies to raise awareness about these types of attacks and implement robust security measures to prevent them.
Countering the «whalers»
Realistically, spear phishing cannot be eliminated entirely, but it can be defended against. Below are some measures that reduce, to some extent, the likelihood of becoming a target of spear-phishing attacks.
Refrain from clicking links or downloading attachments
It's important to remember that the majority of phishing attacks involve a call to action, typically accompanied by an emotionally charged message that urges an immediate response. Any links provided in the message should be approached with caution, and their legitimacy double-checked. This can be done by copying the link and pasting it into the browser's address bar (without loading it) to examine the URL carefully. Is it really the correct website address, or does it merely resemble it?
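The check described above, written out as an added example (not code from the original post): it classifies a pasted URL against a constructed allowlist of sites the reader actually expects, and flags the common ways a link merely resembles the right address. The trusted domains, the confusable-character table and the similarity threshold are assumptions chosen for illustration.

```python
"""Lookalike-URL check: does a pasted link really point at the expected site?"""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample allowlist: the sites the reader legitimately expects to visit.
TRUSTED_DOMAINS = {"example-bank.com", "example-court.gov"}

# Characters commonly swapped for look-alikes in registered names; hyphens are
# dropped so "examplebank.com" and "example-bank.com" compare equal.
CONFUSABLES = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "-": ""}
)


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so this is
    right for .com/.gov but not for multi-part suffixes such as .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str) -> tuple[str, str]:
    """Classify a URL as 'trusted', 'lookalike' or 'unknown', with a short reason.
    Bare text without a scheme (e.g. 'bank.com/login') has no host and is 'unknown'."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if not host:
        return "unknown", "no host in the URL"
    # user@host trick: the text before '@' looks like a domain but is ignored
    if parts.username is not None:
        return "lookalike", f"text before '@' disguises the real host {host}"
    if not host.isascii():
        return "lookalike", "non-ASCII (possibly homoglyph) characters in host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", "punycode label differs from the displayed name"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    for trusted in TRUSTED_DOMAINS:
        # Trusted name appears only as a subdomain of someone else's domain.
        if trusted in host:
            return "lookalike", f"{trusted} is only a subdomain of {reg}"
        # Digit-for-letter swaps and hyphen games against the trusted name.
        if reg.translate(CONFUSABLES) == trusted.translate(CONFUSABLES):
            return "lookalike", f"{reg} is a confusable spelling of {trusted}"
        # Near-miss spellings (one or two characters off).
        if SequenceMatcher(None, reg, trusted).ratio() >= 0.9:
            return "lookalike", f"{reg} differs only slightly from {trusted}"
    return "unknown", f"{reg} is not on the trusted list"


if __name__ == "__main__":
    for link in ("https://login.example-bank.com/verify",
                 "https://example-bank.com.login-portal.example/verify",
                 "https://examp1e-bank.com/", "https://unrelated.example/"):
        print(link, "->", check_url(link))
```

A result of "unknown" is not a pass: it only means the domain is neither expected nor an obvious imitation, so it still deserves the scrutiny the paragraph above describes.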
Remain calm
Phishing attackers often utilize emotional triggers in their messages, such as urgent, dangerous or super important requests, to create a sense of impending doom if immediate action is not taken. However, it's important to resist such emotional appeals and remain level-headed, especially if you hold a high-level position in your organization. As the CEO or someone in a leadership role, you have the authority to make important decisions, and any decisions made based on emotional impulses could have serious consequences. Instead, take a moment to gather your thoughts, activate your critical thinking skills, and approach any urgent-sounding emails with a calm and composed mindset.
Verify every request
If you receive a request from your CFO to transfer a significant amount of money to an offshore account, or a sudden request from a department head to move customer data to a public cloud, it's essential to proceed with caution. If the request appears suspicious, reach out to the manager who supposedly made it and verify its legitimacy, using a contact channel you already know rather than replying to the message itself. While your colleagues may view your actions as paranoid, it's always better to prioritize the safety of your company's data and finances. Your diligence could prevent a serious breach or financial loss.
Reduce the quantity of personal information shared online
Cultivating public "openness" is a popular trend among top executives who seek to build and promote their personal brand. However, phishers often exploit personal information that is readily available on social media platforms like Facebook, Twitter, and LinkedIn. It's therefore crucial to strike a balance between maintaining a degree of publicity and ensuring reasonable privacy. Seeking advice from experts can help in understanding what information should be made public and what should be kept private, even from close friends on social media platforms. By being cautious and selective about the information shared online, executives can safeguard their personal brand and protect themselves from phishing attacks.
Engage in cybersecurity training on an equal basis with employees
Investing in a comprehensive anti-phishing training course is an excellent step towards enhancing your organization's cybersecurity. Your employees will undoubtedly appreciate the opportunity to learn, as this knowledge will not only benefit them in the office but also in their personal lives. It's important not to overlook these training courses yourself as well. Research indicates that such training can reduce the risk of falling prey to phishing attacks by up to 60%. Therefore, it's a wise investment that can pay dividends in terms of safeguarding your company's data and finances.
At BGT, we believe that having the right mindset is the key to effective cybersecurity. While having advanced tools and a competent information security director is important, they are not enough to fully protect your organization from attacks. Therefore, we place great emphasis on the importance of attentiveness, caution, and critical thinking. In addition to utilizing advanced information security solutions, we recommend adopting these practices to safeguard against phishing attacks. By being mindful and employing a critical eye when handling potentially suspicious emails, you can effectively protect yourself and your organization from falling victim to phishing scams.