The C-suite and board of directors are composed of an organization’s most senior-level executives. These officers are responsible for crafting, spearheading, and overseeing the organization’s business strategy. In so doing, they have deep access and wield great power and authority, which is why digital attackers target them so frequently.
One of the most common attack methods that malefactors employ against executives is the “whaling email.”
As defined by SearchSecurity, whaling is a type of spear-phishing attack in which bad actors seek to benefit financially and/or steal sensitive company information. Nefarious individuals zero in on a high-ranking individual at a company and gather information about them. They then use this info to send out personalized emails that appear to come from a trusted source, such as another executive or someone the target knows personally. The email most often contains a malicious attachment or link that installs malware on the target’s device or directs the recipient to a website designed to trick them into surrendering passwords, credit-card details, and/or sensitive personal information.
Such a whaling attack is a significant digital threat by itself, but criminals rarely stop once they’ve achieved a successful phish against an executive.
Business email compromise
If they are able to acquire access to the officer’s work email, they often search through the compromised email account for “invoice,” “deposit,” and other keywords associated with wire transfers. They then initiate a “business email compromise” (BEC) scam if they find a promising piece of correspondence. At that point, they contact someone in the financial department posing as the executive whose account they’ve compromised and authorize a fraudulent wire transfer to a bank account under their control.
According to the FBI, BEC scams cost more than 40,000 organizations worldwide a combined total of $5.3 billion in losses between October 2013 and December 2016. That’s why the Bureau isn’t taking these types of attacks lightly. Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office, explained in an article on the FBI site: “BEC is a serious threat on a global scale. And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims. The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering. They are experts at deception.”
It’s important that executives take BEC scams seriously by implementing measures that help their organization defend against attacks such as spear-phishing emails. Investing in helpful technology, such as email security solutions, is a good place to start. However, they shouldn’t stop there. Christopher Budd, senior threat communications manager at Palo Alto Networks, explained that executives need to do more, because the underlying threat of a BEC scam is social in nature.
Who’s who, what’s what
“One of the most notable things about BEC scams is that they rely so heavily on human and organizational factors to succeed,” said Budd. The most effective BEC scams, he noted, are backed by a knowledge of how the target organization operates, and it is that knowledge that makes them so effective. “In some ways,” he said, “the technology angle is almost secondary: these are scams that are rooted in understanding who’s who and what’s what in the target organization.”
With that in mind, executives should focus on developing companywide digital security policies that make BEC scams difficult to pull off. For instance, they should consider requiring the financial department to receive verbal authorization from a C-level executive before they process a wire transfer. Concurrently, officers should institute ongoing security awareness training for employees as a means of preventing successful spear-phishing attacks and BEC scams.
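The two scenarios the article describes (a message that merely appears to come from an executive, and a payment request sent from a genuinely compromised executive mailbox) and the verbal-authorization policy above can be turned into a mail-triage rule for the finance department's inbox. The following Python is an added example, not code from the article or from any vendor it quotes; the executive directory, finance mailboxes and sample message are constructed values.

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed executive directory and finance mailboxes (assumed values).
EXECUTIVES = {"ceo@example.com": "alex chen", "cfo@example.com": "dana ruiz"}
FINANCE_MAILBOXES = {"ap@example.com", "treasury@example.com"}
# Keywords the article says attackers search for, plus common payment-request phrasing.
PAYMENT_TERMS = ("wire", "invoice", "deposit", "bank account", "payment")


def triage(raw: str) -> dict:
    """Classify one RFC 822 message addressed to finance as deliver / hold / reject."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_name, from_addr = from_name.strip().lower(), from_addr.lower()
    reply_addr = parseaddr(msg.get("Reply-To", msg.get("From", "")))[1].lower()
    rcpts = {a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    reasons = []
    to_finance = bool(rcpts & FINANCE_MAILBOXES)
    asks_payment = any(term in text for term in PAYMENT_TERMS)
    real_exec = from_addr in EXECUTIVES
    # Display name of an officer on an address that is not that officer's: impersonation.
    if from_name in EXECUTIVES.values() and EXECUTIVES.get(from_addr) != from_name:
        reasons.append("executive display name on non-executive address")
    # Replies would leave the executive's real mailbox: a redirect, not a normal request.
    if real_exec and reply_addr != from_addr:
        reasons.append("reply-to diverts from executive address")
    if reasons:
        return {"action": "reject", "reasons": reasons}
    # Genuine executive account asking finance to move money (the compromised-mailbox
    # case): hold it until the verbal authorization the policy requires is recorded.
    if real_exec and to_finance and asks_payment:
        return {"action": "hold", "reasons": ["executive payment request needs verbal authorization"]}
    return {"action": "deliver", "reasons": []}


# Constructed sample: a request sent from the CFO's own (possibly compromised) account.
SAMPLE = (
    'From: "Dana Ruiz" <cfo@example.com>\nTo: ap@example.com\n'
    "Subject: Urgent wire transfer\n\nPlease process the attached invoice today.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```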
Wesley Simpson, COO of (ISC)2, is an advocate of employee security awareness training. As he told TechRepublic: “Using internal phishing exercises is a very inexpensive tool that helps fight the risk and is an investment in staff’s knowledge and education. It’s not something that should happen once a year—it should be continuous.”
To make anti-phishing training truly successful, though, executives need to do more than just show employees their performance on related exercises. They also need to show the entire workforce that no one is above a phish and that everyone is susceptible by participating in the training sessions themselves.
Kimberly Verska, partner and CIO at Culhane, revealed to SC Magazine that this process starts when executives decide to be frank about their own digital-security shortcomings: “The executives who joke that they ‘are helpless with all this new technology stuff,’ may end up being the weak link that creates a major hole in a company’s security systems.” It’s a responsibility, she noted, that board members increasingly know they must consider and to which they are beginning to respond.
Executives can serve as examples to the staff by confessing their own weaknesses when it comes to abiding by the organization’s digital security policies and by approaching security officers, managers, and staff in conversation about what is expected of everyone under those procedures. By discussing phishing, BEC scams, and other digital threats, executives don’t just lead the workforce in engaging with the organization’s security policies; they lay the foundation for additional digital-security strategizing. They can use those conversations, for instance, to identify who’s responsible for maintaining the company’s approach to digital security, create new security assessments for potential vendors and partners, and identify opportunities to leverage government entities and threat-intelligence networks for support.
Spear-phishing attacks and BEC scams ultimately single out executives because they are the most important cogs in the corporate wheel. Clearly, executives aren’t powerless against those digital threats. They can leverage their position to unite the organization’s workforce around digital security and, in turn, cultivate a more robust and comprehensive digital security strategy.