Phishing Attacks on Executives are Rising
According to the FBI’s Internet Crime Complaint Center, phishing attacks and business email compromise crimes resulted in almost 50,000 victims in 2018 with combined losses of over $1.3 billion.* Clearly, attackers are going where the money is.
There are several types of phishing attacks targeting executives:
Spear Phishing targets high-value victims and organizations. These attackers spend time learning about their victims’ organizations and craft a message that resonates with the victim. They may reference an event the organization recently held or include an attachment with the organization’s name in the title.
Whale Phishing is even more targeted as attackers go after an organization’s top executives. Top executives have more authority and access to confidential information and funds. Attackers conduct more research to determine the types of discussions these executives have. Mergers and acquisitions involving funding are favorite phishing topics.
A Business Email Compromise (BEC) occurs when attackers take over or impersonate the email account of an organization’s CEO or CFO to target individuals in the finance, accounting, or human resources departments. The email looks like it comes from the executive, appears important and urgent, and requests that funds be wired to cover an acquisition or an important vendor contract.
In all of these cases, the executives are targeted for their specific knowledge, approval authority, or role in the organization.
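The BEC impersonation described above usually leaves traces in the message headers: an executive’s display name on an address that is not the executive’s, a sender domain one character off from the company’s, or a Reply-To that routes answers somewhere else. The following check is an added example, not code from the original post; the organization domain, the executive directory and the sample headers are constructed for illustration.

```python
"""Flag inbound mail whose sender appears to impersonate a known executive.

Added example (not from the original post). The organization domain,
the executive directory and the sample headers below are constructed.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                           # assumed organization domain
EXECUTIVES = {"pat jones": "pat.jones@example.com"}  # constructed executive directory


def lookalike(domain: str, reference: str) -> bool:
    """True when `domain` differs from `reference` by exactly one character
    (substituted, inserted or deleted), the classic typosquat pattern."""
    if domain == reference or abs(len(domain) - len(reference)) > 1:
        return False
    if len(domain) == len(reference):
        return sum(a != b for a, b in zip(domain, reference)) == 1
    longer, shorter = sorted((domain, reference), key=len, reverse=True)
    # Deleting one character from the longer string must yield the shorter one.
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def bec_indicators(headers: dict) -> list:
    """Return a list of human-readable reasons the message looks like BEC."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display name matches an executive, but the address is not theirs.
    if name.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.strip().lower()]:
        reasons.append("display name matches an executive but the address does not")

    # Sender domain is a near-miss of the organization's own domain.
    if domain and domain != ORG_DOMAIN and lookalike(domain, ORG_DOMAIN):
        reasons.append(f"sender domain {domain} looks like {ORG_DOMAIN}")

    # Replies are silently redirected to a different domain.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if "@" in reply and reply.rsplit("@", 1)[-1].lower() != domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample headers: one impersonation attempt, one legitimate message.
SAMPLE_BEC = {
    "From": "Pat Jones <pat.jones@examp1e.com>",
    "Reply-To": "Pat Jones <ceo.office@freemail.example>",
    "Subject": "Urgent wire for acquisition",
}
SAMPLE_OK = {"From": "Pat Jones <pat.jones@example.com>", "Subject": "Board agenda"}

if __name__ == "__main__":
    for label, hdrs in (("suspect", SAMPLE_BEC), ("legitimate", SAMPLE_OK)):
        print(label, bec_indicators(hdrs))
```

A hit on any of these indicators is a reason to route the message for review rather than to act on it; none of them proves fraud, and a legitimate executive mailing from a personal account will trip the first one, which is exactly the case the separation-of-duties controls below are meant to catch.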
Attackers research their victims through news articles, company announcements, and social media. Announcements about promotions, proposed acquisitions, partnerships, and attendance at conferences all provide information that can be used to gain the confidence of victims.
Two examples from our customers:
1. An accounts payable clerk received a request from the President asking for funds to be wired to a bank in preparation for an acquisition. Our customer lost over $250,000.
2. A human resources director received a request from the company president asking for a list of employees, social security numbers, and W-4 (tax withholding) status for a compliance audit. The data was subsequently used for identity theft from the company’s employees.
In both cases, the bad guys didn’t hack into the company’s network – they had the company’s own employees do the work for them. There was no “unauthorized access” to the company systems.
What can you do?
Employee awareness training – The most cost-effective defense is training your employees to be aware of and watch for phishing schemes. There are reasonably priced awareness programs available to teach employees about the scams, show them examples, and test them. Your employees are your first line of defense.
Separation of duties / Limits of Authority – Put policies in place that require two people to approve specific financial transactions. Teach employees to double check information requests.
Alerts on high value transactions – Configure your financial systems to alert several people when high value or high risk transactions occur. This provides a second check on the transaction in question and helps stop further fraudulent transfers.
Unusual Activity Monitoring – There are sophisticated monitoring systems available that use artificial intelligence (AI) to detect unusual trends and transactions and provide alerts. These are designed for large organizations with thousands or millions of transactions.
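The three system-side controls above (two approvers on large transfers, alerts on high-value transactions, and a check for unusual activity) can be expressed as a single screening step that a payment request passes through before release. The script below is an added example, not code from the original post or any particular financial system; the thresholds, alert recipients, and payment history are constructed values, and the unusual-activity rule is a simple statistical check standing in for the AI-based products the text mentions.

```python
"""Screen an outgoing wire request against dual-approval, high-value
and unusual-activity rules.

Added example (not from the original post). Thresholds, recipients and the
beneficiary payment history are constructed, not real policy values.
"""
from statistics import mean

DUAL_APPROVAL_OVER = 10_000.00  # assumed: two independent approvers above this
HIGH_VALUE = 50_000.00          # assumed: alert threshold
UNUSUAL_MULTIPLE = 3            # assumed: alert when > 3x beneficiary's average
ALERT_RECIPIENTS = ["controller@example.com", "cfo@example.com", "audit@example.com"]

# Constructed history of prior payments, keyed by beneficiary account.
HISTORY = {"ACME-001": [4200.0, 3900.0, 4500.0, 4100.0]}


def review_wire(req: dict, history: dict = HISTORY) -> dict:
    """Return blocking reasons (transfer must not be released), alert reasons
    (release may proceed but people are notified) and who gets the alert."""
    blocking, alerts = [], []
    amount = float(req["amount"])
    requester = req.get("requested_by")
    approvers = {a for a in req.get("approvers", []) if a}

    # Separation of duties: nobody approves their own request, and large
    # transfers need two approvers who are not the requester.
    if requester in approvers:
        blocking.append("requester cannot approve own transfer")
    if amount > DUAL_APPROVAL_OVER and len(approvers - {requester}) < 2:
        blocking.append("two independent approvals required")

    # High-value alert: several people see it regardless of approval status.
    if amount >= HIGH_VALUE:
        alerts.append(f"amount {amount:,.2f} meets high-value threshold")

    # Unusual activity: a brand-new beneficiary, or far above their norm.
    prior = history.get(req["beneficiary"], [])
    if not prior:
        alerts.append("first payment to this beneficiary")
    elif amount > UNUSUAL_MULTIPLE * mean(prior):
        alerts.append(f"amount exceeds {UNUSUAL_MULTIPLE}x this beneficiary's average")

    return {
        "hold": bool(blocking),
        "blocking": blocking,
        "alerts": alerts,
        "alert_to": ALERT_RECIPIENTS if alerts else [],
    }


# Constructed requests: one resembling the acquisition scam, one routine payment.
BEC_REQUEST = {
    "id": "W-1001", "amount": 250_000.00, "beneficiary": "NEWBANK-777",
    "requested_by": "president@example.com",
    "approvers": ["ap.clerk@example.com"], "memo": "Acquisition deposit, urgent",
}
ROUTINE_REQUEST = {
    "id": "W-1002", "amount": 4300.00, "beneficiary": "ACME-001",
    "requested_by": "ap.clerk@example.com",
    "approvers": ["controller@example.com"], "memo": "Monthly invoice",
}

if __name__ == "__main__":
    for req in (BEC_REQUEST, ROUTINE_REQUEST):
        print(req["id"], review_wire(req))
```

The point of keeping blocking and alert reasons separate is that the alerts still fire when a fraudulent request has collected the required signatures; the recipients list is deliberately wider than the approvers so that an impersonated executive cannot be the only person who sees the notification.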
Blog written by: Rick Sutton, Managing Director of Consulting
* Source: 2018 Internet Crime Report (https://pdf.ic3.gov/2018_IC3Report.pdf)