When it comes to phishing attacks, senior executives are attractive targets. Their risk of falling victim to one of these invasion attempts is at least double that of other employees. First, like anyone else, they are targeted with run-of-the-mill phishing emails. The mass-produced, impersonal kind that still regularly persuades users to click on a link or attachment, which then downloads malware on to their system. This is one of the most common ways attackers sneak inside corporate networks.
But these executives are also targets of much more sophisticated attacks in terms of motive and approach. Emails meticulously crafted to appear legitimate and personalized, from one member of the leadership team to another, with objectives as general as planting malicious backdoor malware or as specific as convincing the recipient to wire money into their illegitimate accounts.
For National Cyber Security Awareness Month 2016, Stroz Friedberg is producing educational materials to remind readers about the best practices of cybersecurity. In this post, we provide guidance senior executives can use to ensure they’re not duped by an email into compromising the security of their firm.
Here’s how phishing tends to work: An employee receives an email purportedly from a trusted source. The email says something like, “Here’s the document you asked for.” The employee clicks on the attachment or link and inadvertently downloads malware that can lead to the exfiltration of any of the company’s data.
Often times, these phishing emails can be identified by a sense of urgency in the message, and telltale signs like typos, awkwardly worded sentences, emails written to one recipient but sent to multiple people, and requests out of context for the sender.
The attacks targeting executives, however, may not have any of these tells. The criminals conduct online reconnaissance using information from sources such as Google or LinkedIn to find information about the company’s senior executives and their relationships. This information is then used to carefully craft very compelling phishing emails. For example, recently I worked on a matter with a company involved in M&A activity where the attackers targeted the CEO directly, because they wanted to spy on the conversations between himself, the CFO, the general counsel, and other higher-ups involved. To do so, the attacker crafted an email from the CFO to the CEO with an attachment purported to be a financial analysis report. In reality, though, the file was actually malware giving the attackers the ability to monitor the CEO’s email.
A simple method to thwart these types of attacks is by tagging every leader-to-leader email that contains a link or attachment with a code known only among the group. The code can be a list of numbers, letters, characters, or a passphrase, similar to a password. If the recipient doesn’t see the code, they know not to click. This practice can be applied to all emails among the group or just those that include links or attachments. Executive assistants should also be made aware of this practice; they must be as vigilant as the executives themselves.
Another best practice is to be aware of common attack methods. For example, one particularly popular tactic involves professional conferences. Speaker lists and sometimes even attendee lists are often posted online. Attackers are known to mine these sources to identity targets for trade secret theft. The emails they send seem like thank you emails and include an attached set of slides, supposedly from a relevant presentation. This can be a very believable email for someone to receive, and being aware of this M.O. is the principal way to avoid it.
Executives should also watch for even the slightest evidence of aberrant behavior. For example, if someone generally sends you minutes for a weekly meeting in a doc file but sends it as a zip file, that’s a reason not to click on the attachment. Or, if someone directly sends you a file that is usually sent to a group, again, don’t click. Another subtle sign that should raise suspicion is if an email is sent from a personal email domain, such as Yahoo, Hotmail or Gmail, when normally it would come from the domain of the company. When it comes to the C-suite, it’s not as easy as spotting strange typos. Little details can signal a major attempt at a cyber attack.
When in doubt of the veracity of a message, contact the sender to confirm its legitimacy by phone or by starting a new email thread. You can also hover over any included links to see if the URL is the expected site. If you think you’ve been the target of a phishing attempt or you’ve clicked on a suspect link or attachment, contact your security department immediately.
Paul Jackson, Managing Director, Stroz Friedberg