Executive Phishing is a scam in which cybercriminals spoof company email accounts and impersonate executives to fool employees into executing unauthorized wire transfers or sending confidential tax information. It takes aim at personally identifiable information as well as money: the same impersonated executive may ask HR for employee tax records rather than ask accounting staff to schedule a fraudulent wire transfer.
Executive Phishing is a form of Business Email Compromise (BEC) in which a cybercriminal impersonates a high-level executive (often the CEO). Once they convince the recipient of the email (an employee, customer or vendor) that the request is legitimate, they attempt to get that person to transfer funds or confidential information. BEC attacks are also called whaling (when the executive is the target) or man-in-the-email fraud. They are a way of tricking employees into turning large amounts of money over to cyber attackers.
There Are 4 Executive Phishing Attack Methods
1. Phishing. Phishing emails are sent to large numbers of users at once, posing as a reputable source (often with legitimate-looking logos attached) in an attempt to “fish” for sensitive information.
2. Spear Phishing. This is a much more focused form of phishing. The cybercriminal has researched the target group, or has gleaned data from social media sites, to make the con convincing.
3. Executive Whaling. The bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data.
4. Social Engineering. LinkedIn, Facebook and other venues provide a wealth of information about organisational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Who Is At Risk Of Executive Phishing?
The CEO isn’t always the one in a criminal’s crosshairs. Four groups of employees are considered valuable targets given their roles and their access to funds and confidential information.
- Finance. The finance department is especially vulnerable in companies that regularly engage in large wire transfers.
- Human Resources. HR represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organisation, manages the employee database and is in charge of recruitment.
- The Executive Team. Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority.
- IT Management. The IT manager and IT personnel with authority over access controls, password management and email accounts are also high-value targets.
How Can You Prevent Executive Phishing? Follow These 8 Prevention Steps
(Many of these steps must dovetail closely together as part of an effective prevention program.)
1. Identify Your High-Risk Users
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas.
- Review social/public profiles for job duties/descriptions, hierarchical information, out-of-office details, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
2. Institute Technical Controls
- Email filtering
- Two-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Allow-list or block-list external traffic (for example, which external domains may deliver mail and attachments to your users).
- Patch/update all IT and security systems.
- Manage access and permission levels for all employees.
- Review existing technical controls and take action to plug any gaps.
3. Set A Security Policy
Every organisation should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
- Not opening attachments or clicking on links from an unknown source.
- Not using USB drives on office computers.
- Password management policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.)
- Required security training for all employees
- Review policies on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when onsite.
4. Develop Standard Procedures
IT should have measures in place to:
- Block sites that are known to spread ransomware.
- Keep software patches and virus signature files up-to-date.
- Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines.
- Conduct regular penetration tests on Wi-Fi and other networks to see just how easy it is to gain entry.
- Domain spoof protection: publish SPF and DKIM records for your domain and a DMARC policy, so that receiving mail servers reject mail that claims to come from your domain but was not sent by you, and enforce the same checks (SPF, DKIM, DMARC) on inbound mail.
- Create mail-filter or intrusion detection rules that flag inbound emails from domains that look similar to the company’s own domain (lookalike or typosquatted domains), and emails whose display name matches an executive but whose address is external.
5. Cyber-Risk Planning
- Develop a comprehensive cyber-incident response plan and test it regularly. Augment the plan based on results.
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- Understand what information you need to protect. Identify the corporate “crown jewels,” how to protect them and who has access.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Cyber-risk MUST be added to existing risk management and governance processes.
- Best practices and industry standards should be gathered up and used to review the existing cybersecurity program.
- Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.
6. Training For All Users
No matter how good your prevention steps are, some attacks will get through. User education plays a big part in minimising the danger, so start here:
- Train users on the basics of cyber and email security.
- Train users on how to identify and deal with phishing attacks with new-school security awareness training.
- Implement a reporting system for suspected phishing emails.
- Continue security training regularly to keep it top of mind.
- Frequently phish your users with simulated campaigns to keep awareness top of mind.
7. Continuous Simulated Phishing
- Run an initial phishing simulation campaign to establish a baseline Phish-prone percentage: the share of users who click the link or enter credentials.
- Continue simulated phishing attacks at least once a month (twice is better).
- Once users understand that they will be tested on a regular basis and that there are repercussions for repeated failures, behaviour changes. They develop a less trusting attitude and get much better at spotting a scam email.
- Randomise email content and times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
8. Stay Aware of Red Flags
Security Awareness Training should include teaching people to look for red flags. Here are the most common things to watch out for:
- Awkward wording and misspellings
- Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
- Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
- Sudden urgency or time-sensitive issues
- Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” which are often used according to the FBI.
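As an added example (not code from the original article, and not CTECH’s own tooling), the following Python script turns the lookalike-domain rule from step 4, the DMARC check behind domain spoof protection, and the red flags from step 8 into checks that run over a raw email message. The corporate domain example.com, the executive roster, the FBI-style phrase list and the three sample messages are assumptions constructed for illustration; a real deployment would read them from the mail gateway’s configuration.

```python
"""Flag executive-impersonation (BEC) indicators in an inbound email.

Added example, not code from the original article. The company domain,
executive roster and sample messages are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed executive roster
# Phrasing the article's red-flag list attributes to the FBI
URGENCY_PHRASES = ("urgent wire transfer", "urgent invoice payment",
                   "new account information", "code to admin expenses")


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True for near misses (centriffy vs centrify, examp1e vs example), not for
    the real domain or its own subdomains."""
    if not domain or domain == legit or domain.endswith("." + legit):
        return False
    base, legit_base = domain.rsplit(".", 1)[0], legit.rsplit(".", 1)[0]
    # within two edits of the real name, or the real name embedded (example-payments.com)
    return edit_distance(base, legit_base) <= 2 or legit_base in base


def dmarc_result(msg):
    """Return the dmarc= verdict the receiving MTA recorded, or None if absent."""
    m = re.search(r"dmarc=(\w+)", str(msg.get("Authentication-Results", "")))
    return m.group(1).lower() if m else None


def bec_indicators(raw):
    """Return the red flags found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Exact corporate domain in From: but the receiving MTA's DMARC check failed
    if from_domain == COMPANY_DOMAIN and dmarc_result(msg) not in (None, "pass"):
        flags.append("spoofed corporate domain (DMARC fail)")
    # 2. Lookalike / typosquatted domain
    if is_lookalike(from_domain):
        flags.append("lookalike domain: " + from_domain)
    # 3. An executive's display name on mail from outside the company
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name from external address: %s <%s>" % (name, addr))
    # 4. Reply-To steering replies to a different mailbox than From
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr:
        flags.append("reply-to mismatch: " + reply)
    # 5. Urgency / payment phrasing in subject or body
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append("urgency phrase: " + phrase)
    return flags


# Constructed samples (not real mail). Lookalike domain, exec display name, urgency phrasing:
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Subject: urgent wire transfer
Content-Type: text/plain

Please process the urgent wire transfer to the new account information below today.
"""
# Exact corporate domain that failed DMARC, with replies steered to a webmail account:
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; dmarc=fail header.from=example.com
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: Quick favour
Content-Type: text/plain

Are you at your desk? I need something handled quietly today.
"""
# Ordinary internal mail that passed DMARC:
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
From: Bob Smith <bob.smith@example.com>
Subject: Lunch on Friday?
Content-Type: text/plain

Thai place at noon?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, "->", bec_indicators(sample) or "no indicators")
```

Two caveats when adapting this: the DMARC check only works if your own mail gateway writes an Authentication-Results header before the message reaches this filter (otherwise an exact-domain spoof passes check 1 and you are relying on the gateway’s DMARC enforcement instead), and an edit-distance threshold of two will produce false positives for very short corporate domain names, so tune it per domain and review the flagged mail before blocking outright.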
Find out what percentage of your employees are Phish-prone with a free phishing security test from CTECH. If you don’t do it yourself, the bad guys will. Take the first step now to significantly improve your organisation’s defences against CEO Fraud and cybercrime.
CTECH Consulting Group is focused on providing reliable and secure IT solutions with the best value for our clients in Calgary. For more information contact us at (403) 457-1478.
If you found this article helpful, we have many more in Our Blog.