While you may be more familiar with phishing attacks as mass dissemination of cookie-cutter messages encouraging recipients to open malicious URLs or attachments, that approach does not make up all phishing campaigns. Broader awareness of those common scams has seen many email users adopt an increasingly cautious approach. As a result, some hackers have adapted their methods to focus their campaigns on people in positions of wealth or power – a phenomenon known as ‘whaling’. Instead of generic requests, hackers compose highly tailored communications using information gathered about the individual from online background research.
Executives are vulnerable
As people well-paid for their work and with the ability to make decisions around high-value transactions, company executives are particularly vulnerable to phishing attacks. In 2018, Forbes estimated that companies across the US, the UK and Europe lost in excess of US$12 billion over a five-year period due to unsuspecting company leaders falling victim to these types of attack.[1]
Threat actors know that hacking the accounts of senior managers not only gives them access to personal information that could be leveraged for financial gain but also gives them the opportunity to make money from the individual’s employer – for example, by gaining control of a business account and making requests for transfers of large sums to a third party account under the guise of a legitimate business payment. Similarly, high-level executives are usually high-privilege users or have access to confidential and sensitive corporate materials which, once compromised, could lead to financial, reputational or regulatory issues.
Gone phishing
Let’s consider the hypothetical case of Mr McBride, the CEO of an asset management firm based in London, who receives the following message from a hacker:
Mr McBride undergoes quarterly cyber security training and considers himself to have a good understanding of the risks posed to his business. He is not suspicious in this case, however, because the email is personalized and shows familiarity with his family members and their backgrounds. Mr McBride’s daughter has spoken fondly of her art teacher and he is keen to help, so he opens the link to what he believes is a fundraising page. In doing so, he has inadvertently visited a malicious website that downloads and executes malware, and has just granted a hacker access to his work email account. From there, the hacker seeks out emails in his sent items to the company’s accounts department and uses these as a template to request the “urgent” transfer of GB£225,000 to a Hong Kong-based vendor. The finance clerk sees the request from ‘Mr McBride’, notes the urgency, and transfers the funds immediately.
Easy online pickings
Traditional phishing and network attacks normally involve footprinting, such as collecting information about an organisation’s IP addresses and domains, scanning its systems to attribute these IPs, and enumerating the services and ports on the company’s systems. However, the threat actor behind the attack on Mr McBride adopted a much simpler approach: exploiting information available from online sources and social media. The hacker was able to collect all the relevant information for his phishing email by conducting relatively straightforward background research:
- The identities of Mr McBride’s daughter, her school and her art teacher were found in a recent post about a student art exhibition on his wife’s Facebook profile.
- The identity of Mr McBride’s wife was determined through media reports covering the couple’s attendance at a charity event.
- The identity of the headteacher was found on the school’s website.
These are not the only tools at the threat actor’s disposal; more sophisticated approaches may involve sourcing personal information from land registry filings, electoral roll records, marriage registries, repositories of leaked credentials or similar online resources.
Limit the information spread
Proactively detecting and mitigating these vulnerabilities is crucial to limiting the possibility of targeted attacks. To do this, executives need to review their online security position and take steps to limit the amount of publicly available personal information. This might involve adjusting privacy and security settings on online accounts or requesting that third parties remove personal information from their websites. Where information will stay public, it is important that executives are aware that information they consider personal is in fact public record, so as not to fall victim to the type of attack set out above.
A priority on the board’s agenda
Targeted hacks enabled by information available in the public domain are only likely to increase in number, as their effectiveness attracts more sophisticated and dangerous adversaries. Proactive detection of these vulnerabilities is key and should be a priority for senior executives and board members at every company, in every industry, at any time.
Aon’s 2020 Cyber Security Risk Report identified executives as a key cyber risk area facing organizations. Download the full report for information on actions organizations can take to secure their executive team outside of physical and digital walls.
Authors: Tom Roch and Ana Pereu
[1] https://www.forbes.com/sites/dantedisparte/2018/12/06/whaling-wars-a-12-billion-financial-dragnet-targeting-cfos/#c626d3d7e52e; https://www.ft.com/content/25bbd39c-f4ed-11e8-ae55-df4bf40f9d0d
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.