According to Verizon's 2019 Data Breach Investigations Report (DBIR), C-suite executives were 12 times more likely to be the target of social incidents and 9 times more likely to be the target of social breaches than in years past.
Why are business leaders such prominent targets of social engineering scams? And how can companies keep them from falling into cybersecurity traps? Read on to find out.
Bullseye on Business Leaders
While responsibilities vary across titles and business structures, there is a common thread among C-suite roles: access and information.
Executives are the gatekeepers of the most sensitive business information and hold access to critical systems, which makes them attractive targets for cybercriminals looking to steal data and infiltrate networks. In addition, executives with the highest level of approval authority can override corporate policies and sign off on significant requests, contracts and payments. These are just some of the qualities that make the C-suite an ideal target for social engineering scams.
Let's examine a couple of scenarios where cybercriminals target business leaders and explore what went wrong:
The Time-Starved Business Leader
Faced with back-to-back meetings and tight deadlines, an executive may set aside only a small window to skim email. The less time that leader has, the more likely they are to open a malicious message and click through it without scrutiny.
In a spear phishing attack, a targeted form of phishing, threat actors spend considerable time researching their targets and tailoring the message to the recipient's interests or career. Some of these attacks deliver a malicious file with an enticing title so that the recipient is motivated to open it. Another example is an email that refers to an event the recipient recently attended and includes a link to view the conference photos; in reality, the link leads to a credential-stealing website.
A spear phishing attack targeting an executive who’s pressed for time is a recipe for disaster, especially if the company hasn’t implemented a formal cybersecurity program and administered company-wide security training.
Negligent Executives and CEO Fraud: A $12 Billion Scam
Cybercriminals are honing their impersonation skills, researching their targets thoroughly and exploiting human weaknesses to obtain sensitive business data and take over accounts. Using the information they have collected, criminals impersonate the CEO of a company, borrowing the CEO's name and sending from a look-alike or spoofed email address to contact employees.
The message typically conveys urgency: the "CEO" is tied up in another project or sitting in a meeting and needs the employee's help with a priority item. The employee is then asked to act immediately, for example by emailing sensitive documents, transferring money or changing the payee on a payment. If the attacker succeeds, the victim has unwittingly wired cash to a cybercriminal or handed them access to the organization.
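As an added example (not code from the original article), the following Python script shows how the two patterns described above, the spear phishing link whose visible text names one site while its real destination is another, and the CEO-fraud message sent under an executive's name from an outside address with an urgent payment request, look when turned into triage checks over raw email. The executive roster, domain names, keyword lists and the three sample messages are all constructed for this example, and the domain comparison uses a deliberately naive last-two-labels rule rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: executive roster (display name -> real corporate
# address) and the phrases that characterise CEO-fraud requests.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = ("urgent", "immediately", "right away", "in a meeting", "asap")
REQUESTS = ("wire transfer", "gift card", "change the bank",
            "update the payment", "send the w-2", "send the documents")


class _LinkCollector(HTMLParser):
    # Collect (visible text, href) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _registered_domain(host):
    # Last two labels only; a production check would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def triage(raw):
    """Inspect one RFC 5322 message and return impersonation/phishing findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Display-name impersonation: an executive's name on a non-corporate address.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{name}' used with address {addr}")

    # 2. Reply-To that silently diverts replies away from the From address.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # Gather the text of every text/* part; keep HTML parts for the link check.
    text, html_parts = [], []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if part.get_content_subtype() == "html":
            html_parts.append(body)
            body = re.sub(r"<[^>]+>", " ", body)
        text.append(body.lower())
    lowered = " ".join(text)

    # 3. Urgency combined with a payment or data request: the CEO-fraud pattern.
    if any(u in lowered for u in URGENCY) and any(r in lowered for r in REQUESTS):
        findings.append("urgent payment/data request in body")

    # 4. A link whose visible text names one domain while its href goes elsewhere.
    for html in html_parts:
        collector = _LinkCollector()
        collector.feed(html)
        for shown_text, href in collector.links:
            shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", shown_text.lower())
            target = urlparse(href).hostname or ""
            if shown and target and _registered_domain(shown.group(0)) != _registered_domain(target):
                findings.append(f"link text shows {shown.group(0)} but points to {target}")

    return {"from": addr, "findings": findings, "flag": bool(findings)}


# Constructed sample messages, not real mail.
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe.ceo@webmail.example.net>
Reply-To: jd.office@mailbox.example.net
Content-Type: text/plain; charset=utf-8

I'm in a meeting all day and need your help right away. Please process a wire transfer of $48,000 to the vendor below and send me the confirmation.
"""
SAMPLE_SPEAR_PHISH = """From: Summit Team <team@photos.example.net>
Content-Type: text/html; charset=utf-8

<p>Great to see you at the summit last week. Your photos are up:</p>
<a href="http://securitysummit2019.org.gallery-login.example.net/p">https://securitysummit2019.org/photos</a>
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
Content-Type: text/plain; charset=utf-8

Attached is the draft deck for Thursday. Comments by Wednesday noon, please.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_SPEAR_PHISH, SAMPLE_LEGIT):
        print(triage(sample))
```

Run stand-alone, the script flags the first two samples and passes the third. The checks are deliberately heuristic: in a real gateway they would feed a score alongside SPF/DKIM/DMARC results rather than block on their own, and the executive roster would come from the directory, not a hard-coded dictionary.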
CEO fraud, a form of business email compromise (BEC), is becoming a popular and lucrative business because employees are far more likely to trust email from a known source and to treat a request from their CEO as a priority. A recent FBI report put the losses from this scam at $12 billion, with incidents confirmed in all 50 states and in 150 countries.
Now imagine a CEO fraud scam aimed at a manager at a business that rewards volume of output. The likelihood that this manager carries out the request immediately and without question is high, particularly when a contractual reward is at stake and the manager has never been taught cybersecurity best practices.
How to Identify and Avoid Phishing Attacks
With a wealth of sensitive data and access to critical systems, C-level executives are prime targets for breaches and social engineering attacks. That does not mean lower-level management is immune to cyber-attacks, however. Protecting your organization's intellectual property (IP) and personally identifiable information (PII) is everyone's responsibility.
To keep people from clicking on phishing links, we recommend that organizations combine technical safeguards (email authentication such as SPF, DKIM and DMARC, multi-factor authentication, and an out-of-band verification step for any payment or banking change) with company-wide security awareness training. Equipping your team with threat intelligence and making cybersecurity a top-line priority will help eliminate negligence and poor security practices.
How can your business make cybersecurity a top-line priority?
Contact one of our cybersecurity experts for business solutions and best practices.