When it comes to fraud and ongoing cyber threats against executives, “It’s not a matter of if the criminals will target the C-Suite, but when.” As we highlight National Fraud Awareness Week this week, it’s time to talk about the rise in executive targeting as part of a cybercriminal’s overall plan.
To do this, we called on the expertise of ZAG’s Manager of IT Security & Compliance Eric Regnier, who said that cybercriminals are smart, often doing a lot of research into an organization’s hierarchy and strategically targeting high-level execs to gain more access to sensitive data.
Targeted whaling attacks
“Whaling is a real thing,” Regnier said as we discussed the rise in focus on senior-level leaders. The term whaling refers to a highly targeted phishing attack aimed at senior executives within a company. According to the National Cyber Security Centre, “whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds.”
Spear phishing and social engineering
Additionally, these criminals are aimed at impersonating these executives using information they’ve gathered to make the ask more authentic in something that’s referred to as CEO fraud or business email compromise (BEC).
This can be costly. According to the FBI’s 2021 Internet Crime Report, BEC scams caused a $2.4 billion loss for organizations.
For example, criminals will send an email that appears to come from a high-ranking executive – they do this by changing the display name (when the email clearly does match), adding a fake signature, or using domain name deception to create a similar email address. Then, they use this to ask a mid-level finance person to send a wire transfer immediately using a false sense of urgency or asking for sensitive information related to payroll.
Since the request is coming from someone high up in the company, oftentimes employees will comply, leaving the company open to more risk. The criminals may seek to gain additional access to personal data, create fake invoices for clients, or install ransomware on a network system for the company or vendor partners.
Personal risks
While business risk certainly exists, there are also criminals who aim to gain access to personal accounts to access business data, which is why individuals need to protect all aspects of the data they share. Protecting personal accounts with the same rigor and best practices that a business account is protected with becomes a key component for executives aiming to protect their organizations from risk.
How to recognize fraud attempts
So what can you do to help identify these attempts?
- Look for demanding language. Anything that creates a false sense of urgency should be considered a red flag.
- Requests that are out of the ordinary. If your CEO or any of the company’s C-suite don’t tend to ask you to purchase gift cards on their behalf or wire money quickly, then proceed with an extra dose of caution.
- If you’re still not sure, double-check that the email matches the company’s domain name. There are some good fakes out there that can be created to look like a company’s brand, but being detail-oriented might mean the difference between becoming a victim or being the hero.
What businesses can do to protect themselves
While it’s important to understand the risks, all hope is not lost. There are things that companies can do to better protect themselves from the fraud risks mentioned above. Things like:
- Using a password manager to protect login credentials
- Enabling multi-factor authentication (MFA) across personal and business accounts to add an additional layer of security for important accounts
- Engaging in employee cybersecurity awareness training that includes C-suite executives, as well
- Implementing advanced email security software that can better identify phishing attempts and scams
- Ensuring finance and HR departments have best practices in place to call and verify with known contact information before engaging in any ACH or wire transfers
- Leading from the top and demonstrating to team members that the security of the organization is paramount
As we highlight the importance of National Fraud Awareness Week, ZAG provides full-scale security reviews that aim to better highlight where risk exists in an organization, along with a plan on how to address this risk. Click here to learn more about where to start.