As a CEO, it’s important for you to understand a harsh and terrifying reality: Your company is under constant attack from hackers, thieves, and other cybercriminals. They are looking for a way into your network so they can steal information or money, spy on you, and possibly cause havoc up and down the line. And they are using you and other high-level executives as bait.

First Phishing…

The most common form of cybercrime involves tricking the recipient of a message into clicking on a link – once it is clicked, the bad guys are past the front gates and able to burrow into the computer and spread through a network. This has been traditionally called “phishing,” a play on the word “fishing.”

The term is primarily associated with spam emails that are sent en masse to millions of inboxes – an estimated 156 million per day. According to a report by Verizon, some 30 percent of phishing emails are opened and 12 percent of recipients click the links.

Then Spear Phishing…

While this threat still exists and continues to increase, phishers have also sharpened their weapons and tactics. A subset of phishing, called spear phishing, has been targeting individuals and large companies specifically, using more sophisticated methods of deception. These criminals will study their targets carefully, including scouring social media accounts and other data to make their requests to the target seem as real or logical as possible.

A recent example is the now notorious hack(s) of the DNC emails before the 2016 election. There were actually two separate events, the first in 2015, when 1,000 DNC staffers were sent emails with malicious attachments; one or more of these attachments was opened, which allowed the theft of thousands of internal communications. The second hack involved sending a phony Google password reset notice to Clinton campaign chairman John Podesta; Podesta followed the link and reset his password on a phony site, and the captured credentials were then used to compromise his account.

And Now… Whaling!

In yet another iteration of phishing, thieves have set their harpoons higher up the chain of command. Keeping with the nautical theme, this is often referred to as “whaling” – spear phishing aimed at C-level executives (the FBI calls it business email compromise, or BEC).

These attacks can be cleverly implemented and devastating to all. Whaling attacks usually involve what appears to be a legitimate communication from the CEO to other high-level execs, sometimes asking to wire money. The message may have a sense of urgency and may express familiarity, using information gleaned from social media websites.
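The CEO-impersonation pattern just described can be screened for before a message reaches an executive's inbox. The following is an added example, not code from the original article or from InfoSec Institute: a Python triage check over a single message that flags the classic BEC indicators (executive display name on an outside address, lookalike sender domain, mismatched Reply-To, urgent payment wording), assuming a constructed company domain, executive list and sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the organisation's real mail domain and the
# executives an impersonator would most likely borrow a display name from.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|bank|payment|invoice|w-?2|payroll)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of BEC indicators, reasons) for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:        # display-name spoofing
        reasons.append(f"executive name '{name}' but sender is {addr}")
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"lookalike sender domain {domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():       # replies go elsewhere
        reasons.append(f"Reply-To {reply} differs from From address")
    body = msg.get_payload() if not msg.is_multipart() else ""  # text/plain only
    text = msg.get("Subject", "") + " " + body
    if URGENCY.search(text) and PAYMENT.search(text):  # urgent money request
        reasons.append("urgent payment request in subject or body")
    return len(reasons), reasons

# Constructed sample resembling the CEO-to-CFO wire request described above.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.jane@webmail.invalid
Subject: Urgent wire needed today

I'm travelling; wire $3 million to the bank below immediately and keep it quiet.
"""
```

A score of two or more is a reasonable threshold for quarantining the message and requiring out-of-band confirmation of any payment it requests.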

In 2016, the newly hired CFO of Mattel received a message from what she thought was her new boss requesting a $3 million transfer to a bank in China; not wanting to ruffle feathers, she complied. Due to a stroke of luck – the attack occurred over a Chinese bank holiday – the money was held up and returned.

Attacks like these are increasing at an alarming rate – the FBI reports that there has been a 270 percent increase in BEC scams since 2015, usually involving millions of dollars, and the fallout is just as tremendous. In 2016, Austrian airplane part manufacturer FACC fired its CEO of 17 years after the company lost $54 million in a scam; although he had not been responsible for the actual breach, the board felt he must take the blame and relinquish his post. Hard drive maker Seagate was sued by its employees after someone in HR fell for a fake message from the CEO and emailed the detailed personal information of thousands of workers.

These whaling/BEC scams are getting increasingly sophisticated. Texas-based AFG Corp’s CFO fell prey to scammers who knew how familiar he was with his CEO; this scam also involved a phone call with a pseudo-attorney who gave instructions to wire $480,000 to China.

The FBI estimates that, from October 2013 to February 2016, more than $2.3 billion was stolen.

Security Awareness

Awareness Begins at the Top

For all these reasons, it is essential that security awareness and training involve the entire organization, beginning (and ending) with you. Many C-level executives think they are too busy for training or immune from attack; as we have tried to show, this is clearly not the case.

True diligence and vigilance can be achieved only if a company hires a security training firm that can help educate and test en masse across all departments and levels. The smart thing to do is to lead by example.

That’s where InfoSec Institute comes into the picture. We are one of the most respected information security companies in the industry. To help companies train employees and reduce the threat of phishing, spear phishing, whaling, or any future scheme, we’ve created SecurityIQ.

The SecurityIQ platform consists of PhishSIM, a phishing simulator, and AwareED, a series of learning modules that explain how to avoid becoming the victim of a scam, including several awareness modules created specifically for C-level managers. Both PhishSIM and AwareED can be automated. For example, a series of phony phishing emails can be sent out to the entire company over a period of time specified by you. Those who click on the link can be asked to enroll in AwareED. All results are viewable in the main dashboard.

We encourage you to take this crucial step towards your company’s health and security – as well as your own – and enroll for a free trial account right now.

Sources:

http://gizmodo.com/the-number-of-people-who-fall-for-phishing-emails-is-st-1697725476

https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109

http://abcnews.go.com/Technology/PCWorld/story?id=4652965

http://www.securityweek.com/phishing-attacks-hit-c-suite-high-value-scams

http://www.zdnet.com/article/seagate-sued-by-angry-staff-following-phishing-data-breach/

http://www.securityweek.com/austrian-firm-fires-ceo-after-56-million-cyber-scam

https://www.fbi.gov/contact-us/field-offices/phoenix/news/press-releases/fbi-warns-of-dramatic-increase-in-business-e-mail-scams

https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2017_insurance_coverage/written_materials/3_fake_president_fraud_what_is_it_thomson.authcheckdam.pdf

https://blog.watchpointdata.com/spear-phishing-examples

http://thehill.com/policy/cybersecurity/310234-typo-may-have-caused-podesta-email-hack

https://en.wikipedia.org/wiki/2016_Democratic_National_Committee_email_leak

Be Safe

Stephen Moramarco


SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
