Cyber defence is often focused on protecting the digital assets of an organisation, such as its networks, endpoints and databases, as well as assets exposed on the internet, such as company websites. However, what many fail to realise is that there is yet another class of assets that need to be considered – company executives. In fact, some hackers find that targeting the chief executive officer (CEO), chief operating officer (COO), or chief financial officer (CFO) directly through a sophisticated social engineering attack is their easiest and most successful way to gain access to the valuable corporate network.
Shifting the focus
According to Verizon*, social engineering attacks represent 33 percent of all attacks and therefore dominate the threat landscape. While many organisations spend time focusing on protecting their customers from social engineering attacks, they often forget that their own executives fall victim to phishing. Indeed, sensitive information relating to company executives is hot property for cybercriminals, who are always on the hunt for material they can use in their efforts. Once aware of someone’s name, likeness and online habits, criminals can either sell that information to other bad actors or find ways they can use it themselves in impersonation efforts. The two most common methods used to leverage personal information are spearphishing and whaling.
Spearphishing vs whaling attacks
Spearphishing attacks involve targeting individuals or groups of employees with emails that seem to come from an executive and that ask for some sort of action to be taken, while whaling attacks target executives directly. With spearphishing, if the attacker is lucky, employees will fall for the scam and follow the instructions they are given, which often entails giving away access to valuable company data. Attacks like this are often successful, as talented hackers will make sure to have more information on the executive they are impersonating than anyone outside the organisation should, which means they come across as incredibly convincing.
With whaling attacks, hackers construct emails using information – such as addresses, titles, family names, and colleagues’ names and titles – to fool executives into giving up personal information and company secrets. In some cases, the information provided to the criminal can be used to target executives and their family members for extortion or abduction and real-world ransom.
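The impersonation pattern described in the two paragraphs above (a message whose display name is an executive's, but whose address or reply path is not) is the kind of thing a mail gateway or SIEM rule can flag. The following is an added example, not code from the original article: it assumes a hypothetical corporate domain (example.com), a hand-written executive directory and a few constructed message headers, and reports any message whose From display name matches an executive but whose address differs from the one on record, or whose Reply-To steers replies to another domain.

```python
"""Flag inbound mail that impersonates a named executive.

Added illustration, not code from the original article. Assumptions:
a hypothetical corporate domain (example.com), a constructed executive
directory and constructed sample messages. A real deployment would take
the directory from HR or identity data and run at the mail gateway.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain

# Constructed executive directory: the display names attackers copy.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "John Roe": "john.roe@example.com",
}


def _normalise(name: str) -> str:
    """Lower-case, drop punctuation and sort tokens so that
    'Doe, Jane' and 'jane doe' compare equal."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


_EXEC_INDEX = {_normalise(n): a for n, a in EXECUTIVES.items()}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: str) -> list:
    """Return a list of findings (strings) for one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Display-name impersonation: exec's name, but not the exec's mailbox.
    expected = _EXEC_INDEX.get(_normalise(from_name))
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display-name impersonation: '{from_name}' sent from "
            f"{from_addr}, directory lists {expected}")

    # Reply-To pointing at a different domain than From redirects the
    # victim's answer away from the apparent sender.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(
            f"reply-to mismatch: From {from_addr} but Reply-To {reply_addr}")
    return findings


# Constructed sample messages: one clean, two suspicious.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: finance@example.com\nSubject: Q3 figures\n\n"
    "Please send the Q3 summary.\n",
    "From: Jane Doe <jane.doe.ceo@webmail.example.net>\n"
    "To: finance@example.com\nSubject: Urgent wire\n\n"
    "I need a transfer approved today.\n",
    "From: John Roe <john.roe@example.com>\n"
    "Reply-To: John Roe <j.roe@mail-relay.example.org>\n"
    "To: payroll@example.com\nSubject: Bank details\n\n"
    "Update my bank details.\n",
]


def scan(messages=SAMPLE_MESSAGES) -> dict:
    """Map message index -> findings, omitting messages with none."""
    results = {}
    for i, raw in enumerate(messages):
        findings = analyse_message(raw)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, found in scan().items():
        print(f"message {idx}:")
        for line in found:
            print("  -", line)
```

This check is deliberately narrow: it catches the look-alike display name and the redirected reply path, which are the two cheapest tricks in the attacks the article describes. It complements, rather than replaces, SPF, DKIM and DMARC enforcement on the corporate domain, which handle the case where the attacker forges the executive's real address outright.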
Countering the threat
Whaling and spearphishing attacks represent a challenge for security professionals, as they are a menace with one foot in the cybersphere and one foot in the physical world. Though these attacks are initiated online through the targeted campaigns described above, security teams must also consider the physical vulnerabilities of their executives. With that in mind, companies must be able to defend their executive team both online and physically; however, this requires a completely new approach – a collaborative and comprehensive security stance that spans both the digital and physical worlds.
An effective security approach starts with internet-scale visibility to counter internet-scale threats. It is crucial that organisations are cognisant of, and have a real-time picture of, how their executives appear across the internet. To guarantee safety, all information must be strictly controlled without allowing any identifying pieces of information to slip out onto the net, as cybercriminals can – and will – find them. For example, a regional branch of a company may, through a marketing campaign, detail where an executive went to school. While seemingly innocuous, such information can snowball into attackers knowing an executive’s details well enough to fool company employees in an email scam.
Collaboration is key
The next stage of combating social engineering campaigns is ostensibly simple – introducing the physical and digital security teams to each other. Large organisations will tend to have both; however, each of these vital assets will often be only dimly aware of the other’s activity.
Spearphishing and whaling attacks represent a threat that spans both of their worlds, and it is crucial they act in collaboration. A digital security team can maintain awareness of what information is where and how it might be used. Using this information, the physical security team can then address whatever vulnerability has been exposed. As in all things, close collaboration between teams creates the best, most holistic results.
The phrase ‘email scam’ can belie the severity of the danger social engineering campaigns may represent to an organisation and to the personal safety of its senior executives. A portion of the battle is recognising the sophisticated and sweeping nature of the threat. Once these threats are taken seriously, an organisation must look to better control the distribution of information online and ensure the collaboration of its digital and physical security teams to guarantee continuing protection.
* https://enterprise.verizon.com/resources/reports/dbir/2019/introduction/