We know that phishing attacks are on the rise, but did you know that more and more executives are falling for these phishing emails every day? New phishing campaigns targeting executives are intelligently crafted and difficult to spot. Traditional hardware/software protection cannot keep up with rapidly evolving phishing methods. They easily bypass spam filters and Business Email Compromise protection solutions, and successfully get executives to reply, click on links and open documents.
One blatant example, according to the Agari Cyber Intelligence Division's London Blue Report, describes how a criminal organization, structured just like any modern organization, created “a list of more than 50,000 finance executives that was generated over a five-month period in early 2018. This list was likely used by London Blue as a massive targeting repository for their BEC attacks. Among them, 71 percent held a CFO title, 12 percent were finance directors or managers, nine percent were controllers, six percent held accounting roles, and two percent had executive assistant titles.”
According to Intermedia, 34 percent of executives/owners and 25 percent of IT workers themselves report being victims of a phishing email, more often than any other group of office workers.
From my latest research speaking to customers whose executives were targeted successfully, the first emails that came in had NO links or files contained in them. The hackers are doing their research on these executives and their contact circles, so they can send simple emails from organizations and people that the targeted executive has done business with or interacted with before. These first few emails are used to build trust, so that at some point in the future the target will click on a link, open a document or, even worse, tell an assistant to respond on his or her behalf.
By August 2018, at least 400 industrial companies were targeted by spear-phishing attacks disguised as legitimate procurement and accounting letters, according to Kaspersky Lab.
These folks are smart – very smart. They know that for lower amounts, fewer approvals are required, so they will typically seek approvals for the release of funds under US $50,000 per transaction. Now, add to this the fact that some organizations may not realize they have been phished until five months later, and that makes for a scary proposition.
Evolving phishing attacks mean that criminals are continually looking for new ways to completely mask their malicious URLs, especially on mobile devices. They either hide them behind a page like Google Translate that users are already familiar with or completely trick users with custom web fonts and altered characters. One of the latest approaches is to create an Office 365 meeting invite that contains quiz buttons or a poll asking recipients to pick the topic or date for the next meeting; employees that end up clicking are presented with a fake Office 365 login page where they enter their O365 credentials and then lose control over their email account. Another approach is an email that comes from someone you know with a request to take a look at something for them. When you click on the link or attachment, malware installs on your system, takes over your email client, and then emails the same message from you to all your contacts.
All is not lost, however. There is a way to help prevent and thwart these attacks. You need a security awareness program that instils a culture of security throughout your organization starting in the boardroom and leading by example.
According to Cybersecurity Ventures 2019 Cybercrime Report, “Training employees how to recognize and defend against cyberattacks is the most underspent sector of the cybersecurity industry.”
If more than 92 percent of all breaches and hacks are due to phishing, then employees with an email address, social media account, phone or tablet are your organization’s largest attack surface. Millions of dollars are spent on hardware and software security measures, yet still today, a single click from a single user can circumvent all the expensive protections in place. It may be time to rethink your approach to cybersecurity and start applying the Human Fix to Human Risk.
To effectively change phishing behaviors and build a security culture among executives and all employees, you need a comprehensive awareness program that is carefully planned, and which is based on your organization’s specific needs and objectives. This is difficult to achieve unless you apply a proven security awareness framework—an ongoing methodical approach – which should include these five steps:
Step 1 – Analyze your organization’s needs and objectives and develop a cybersecurity awareness program that generates results.
Step 2 – Plan your campaigns to stay on track and engage your workforce as well as your stakeholders.
Step 3 – Deploy an effective training initiative and witness behavior change as it happens.
Step 4 – Measure the performance of your campaigns against your objectives and demonstrate progress to stakeholders.
Step 5 - Optimize campaigns accordingly and update your program to incorporate new insights.
Without a framework, it’s just hit and miss, and you will never get your users, whether they are executives or not, to change their risky behaviors with an unorganized approach. A framework is designed to take everything into consideration – especially how people learn, adopt and maintain new habits. Taking such a methodical approach ultimately leads to a culture of security awareness … with dramatically fewer human-related security breaches.
Malicious and fraudulent emails will continue to bypass filters and malware detection solutions for the foreseeable future, allowing cybercriminals to make more money. But, there is hope if you leverage a tried and proven combination of phishing simulations targeting the C-Suite that include executive awareness training based on a pedagogical approach, continually reinforced with communication to change current behavior and help reduce your largest attack surface.
Editor’s note: For more insights on this topic, download the Phishing Defense and Governance white paper, released by ISACA in partnership with Terranova Security.