Danger at the top: cyber threats aimed at C-levels
When discussing social engineering fraud and scams aimed at a specific company, most people imagine that the biggest dangers are always directed at lower-level employees. What few people realize is that a company's upper management faces these threats too.
Several kinds of threats target C-levels specifically, that is, members of upper management or those who direct the company's affairs. They are an enticing target for cybercriminals because they have wider access and greater privileges within the company. And yet, believe it or not, C-levels may be just as unprotected as their subordinates.
Since they already deal with a hectic and stressful routine, they sometimes fail to follow some of the company's cybersecurity measures. A recent study by MobileIron interviewed several C-level executives and found that 58% felt "intimidated" by the complexity of cybersecurity demands and 62% said their devices become "less useful" when they comply with these rules. At the end of the day, C-levels may be more vulnerable to cyber threats than a company's operational staff.
Fishing for big fish
A category of attack usually aimed at a company's upper management is called 'whaling'. The term alludes to whale hunting, and whaling is essentially a more sophisticated and carefully targeted form of phishing.
The first step in a successful whaling attack is the reconnaissance phase. Cybercriminals study their targets: learning who's who inside the company, mapping their relationships (using photos and other personal details posted on social networks) and identifying a reliable channel for contacting them.
Once that analysis is done, the cybercriminal either breaks into a legitimate e-mail or messaging account or forges one. Then the attack is staged. Impersonating the company's CEO, a supplier, an attorney or even a customer, the fraudster approaches the victim, usually someone at the C-level, and requests the transfer of an exorbitant sum or a spreadsheet of sensitive data, always in an urgent tone. The victim, swayed by the urgency and by the apparent authority of the e-mail, rushes to do what they are told.
Criminals in suits and ties
While whaling is the name given to a scam aimed at upper management, the con known as BEC, short for Business E-mail Compromise, has a somewhat different objective.
In BEC, a scammer impersonates a C-level executive to trick staff at any other level of the company's hierarchy. Here it is the operational employees, who tend to trust executives, who make up the larger share of victims.
Scammers usually request a cash transfer, or sensitive files to be used in future fraud attempts. The point is that cybercriminals have several ways of tricking you.
High-level protection
These and other scams aimed at C-levels can be mitigated with an effective information security awareness program – and, of course, it should not be limited to full-time and junior staff, but must also cover senior and upper management positions. The entire company must be aware of the risks and of the best ways to identify them, which includes paying attention to a sender's e-mail address and confirming through another channel (a phone call, for example) before carrying out a high-risk transaction.
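One way to automate the sender checks recommended above, as an added example (this is not code from the original article or from Perallis Security): it parses a raw e-mail and reports the classic whaling/BEC indicators, such as an executive's display name on an outside mailbox, a lookalike domain, a diverted Reply-To and urgent transfer wording. The company domain, executive list and sample message are constructed placeholders.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed, hypothetical values: our real domain and the executives most likely
# to be impersonated in a whaling/BEC message (display name -> real mailbox).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"alice ceo": "alice@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "transfer", "confidential")

def is_lookalike_domain(domain: str) -> bool:
    """True for a domain that is not ours but whose first label imitates ours."""
    if not domain or domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    ours, label = COMPANY_DOMAIN.split(".")[0], domain.split(".")[0]
    return ours in label or SequenceMatcher(None, label, ours).ratio() >= 0.8

def bec_indicators(raw_message: str) -> list[str]:
    """Return the whaling/BEC indicators found in one raw e-mail (empty if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # 1. The display name is one of our executives, but the mailbox is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"executive name '{name}' used with foreign address {addr}")
    # 2. The sender domain imitates ours (e.g. a digit swapped for a letter).
    if is_lookalike_domain(addr.partition("@")[2]):
        findings.append(f"lookalike sender domain in {addr}")
    # 3. Replies are quietly redirected to a mailbox that is not the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Urgent tone combined with a money/data request, the hallmark of these scams.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)]
    if len(hits) >= 2:
        findings.append("urgency/transfer wording: " + ", ".join(hits))
    return findings

# Constructed sample: a whaling attempt impersonating the CEO towards the CFO.
SAMPLE = """From: Alice CEO <alice.ceo@examp1e.com>
Reply-To: alice.ceo@mail-example.net
To: cfo@example.com
Subject: Urgent wire transfer

I need you to transfer the funds immediately; keep this confidential.
"""
```

Calling `bec_indicators(SAMPLE)` returns all four indicators, while a genuine note from alice@example.com about a board meeting returns an empty list; in practice the findings would feed a mail-gateway rule or an alert prompting the out-of-band confirmation the article recommends.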
Article originally written in Portuguese by Perallis Security Content Team: Perigo no topo: as ameaças cibernéticas que visam os C-levels — Perallis Security