We know that phishing attacks are on the rise, but did you know that more and more executives are falling for these phishing emails every day? New phishing campaigns targeting executives are intelligently crafted and difficult to spot. Traditional hardware/software protection cannot keep up with rapidly evolving phishing methods. They easily bypass spam filters and Business Email Compromise protection solutions and successfully get executives to reply, click on links and open documents.
One blatant example, from Agari’s Cyber Intelligence Research London Blue report, describes how a criminal organization, structured just like any modern business, created…
“a list of more than 50,000 finance executives that was generated over a five-month period in early 2018. This list was likely used by London Blue as a massive targeting repository for their BEC attacks. Among them, 71 percent held a CFO title, 12 percent were finance directors or managers, nine percent were controllers, six percent held accounting roles, and two percent had executive assistant titles”
According to Intermedia, 34% of executives/owners and 25% of IT workers themselves report being victims of a phishing email, more often than any other group of office workers (Intermedia, 2017).
From my latest research speaking to customers whose executives were targeted successfully, the first emails that came in had NO links or files contained in them. The hackers are doing their research on these executives and their contact circles, so they can send simple emails from organizations and people that the targeted Executive has done business with or interacted with before. These first few emails are used to build trust, so that at some point in the future the target will click on a link, open a document or even worse, tell their assistant to respond on their behalf.
“By August 2018, at least 400 industrial companies were targeted by spear-phishing attacks disguised as legitimate procurement and accounting letters.” (Kaspersky Lab, 2018)
These folks are smart, very smart. They know that for lower amounts, fewer approvals are required, so they will typically seek approvals for the release of funds under USD 50,000 per transaction. Add to this the fact that some organisations may not realise they have been phished until five months later, and that makes for a scary proposition.
Evolving phishing attacks mean that criminals are continually looking for new ways to completely mask their malicious URLs, especially on mobile devices. They either hide them behind a page like Google Translate that users are already familiar with or completely trick users with custom web fonts and altered characters. One of the latest approaches is to create an Office 365 meeting invite that contains quiz buttons or a poll asking recipients to pick the topic or date for the next meeting; employees that end up clicking are presented with a fake Office 365 login page where they enter their O365 credentials and then lose control over their email account. Another approach is an email that comes from someone you know with a request to take a look at something for them. When you click on the link or attachment, malware installs on your system, takes over your email client and then emails the same message from you to all your contacts.
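Two of the masking tricks described above, lookalike characters in a hostname and a page hidden behind the Google Translate proxy, can be surfaced by a simple URL triage check. The following is an added illustration written for this article, not code from any vendor or from the reports cited; the sample URLs in it are constructed, and the helper names are assumptions.

```python
import unicodedata
from urllib.parse import urlparse, parse_qs


def script_of(ch):
    """Coarse script label (LATIN, CYRILLIC, GREEK, ...) taken from the Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "UNKNOWN"


def analyze_url(url):
    """Return a list of warnings for one URL; an empty list means nothing suspicious."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""

    # 1. A punycode (xn--) label means the hostname as displayed contains non-ASCII
    #    characters, which is how a lookalike domain reaches the wire.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label in hostname")

    # 2. Letters from more than one script in one hostname (a Cyrillic 'a' inside an
    #    otherwise Latin name) is the classic homograph trick.
    scripts = {script_of(c) for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in hostname: " + ", ".join(sorted(scripts)))

    # 3. A page served through the Google Translate proxy hides the real destination
    #    in the u= query parameter or behind a *.translate.goog subdomain.
    if host == "translate.google.com":
        dest = parse_qs(parsed.query).get("u", [""])[0]
        findings.append("Google Translate proxy wraps: " + (dest or "<unknown>"))
    elif host.endswith(".translate.goog"):
        findings.append("Google Translate proxy host: " + host)

    return findings


if __name__ == "__main__":
    # Constructed sample URLs for the demonstration; none are real indicators.
    samples = (
        "https://example.com/",
        "https://www.xn--pypal-4ve.com/",
        "https://p\u0430ypal.com/login",  # second letter is Cyrillic 'а'
        "https://translate.google.com/translate?sl=auto&tl=en&u=https://login-example.test/",
    )
    for sample in samples:
        print(sample, "->", analyze_url(sample) or ["no findings"])
```

The check is a triage aid for a mail gateway or a help-desk script, not a replacement for URL reputation: a clean result only means none of these three tricks were used.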
All is not lost however. There is a way to help prevent and thwart these attacks. You need a security awareness training program that instills a culture of security throughout your organisation starting in the boardroom and leading by example.
According to Cybersecurity Ventures 2019 Cybercrime Report: “Training employees how to recognize and defend against cyberattacks is the most under spent sector of the cybersecurity industry.”
If more than 92% of all breaches and hacks are due to phishing, then employees with an email address, social media account, phone or tablet are your organization’s largest attack surface. Millions of dollars are spent on hardware and software security measures yet still today, a single click from a single user can circumvent all the expensive protections in place. It may be time to rethink your approach to cybersecurity and start applying the Human Fix to Human Risk.
To effectively change phishing behaviors and build a security culture amongst executives and all employees, you need a comprehensive awareness program that is carefully planned and based on your organization’s specific needs and objectives. This is difficult to achieve unless you apply a proven security awareness framework, an ongoing, methodical approach that should include these five steps:
Step 1 | Analyze
Analyze your organization’s needs and objectives and develop a cyber security awareness program that generates results.
Step 2 | Plan
Plan your campaigns to stay on track and engage your workforce as well as your stakeholders.
Step 3 | Deploy
Deploy an effective training initiative and witness behavior change as it happens.
Step 4 | Measure
Measure the performance of your campaigns against your objectives and demonstrate progress to stakeholders.
Step 5 | Optimize
Optimize campaigns accordingly and update your program to incorporate new insights.
Without a framework it’s just hit and miss, and you will never get your users, whether they are executives or not, to change their risky behaviors with an unorganized approach. A framework is designed to take everything into consideration – especially how people learn, adopt and maintain new habits. Taking such a methodical approach ultimately leads to a culture of security awareness… with dramatically fewer human-related security breaches.
Malicious and fraudulent emails will continue to bypass filters and malware detection solutions for the foreseeable future, allowing cybercriminals to make more money. But there is hope if you leverage a tried and proven combination of phishing simulations targeting the C-Suite that include executive awareness training based on a pedagogical approach, continually reinforced with communication to change current behavior and help reduce your largest attack surface.
While human error continues to prevail as the leading cause of all breaches and security incidents, security professionals agree the most effective way to reduce human risk is with security awareness and phishing simulation training.
Read white paper PHISHING DEFENSE AND GOVERNANCE – How to Improve User Awareness, Enhance Controls and Build Process Maturity, for additional insight.