Just like businesses research their target demographics, cybercriminals scour the web to identify and learn the best ways to attack high-value targets, like C-suite executives.
These executives are already targets for thieves and scammers because of their access to valuable business intelligence and corporate networks. However, because criminals will naturally choose the easiest marks, executives who have readily accessible personal data online are at even greater risk.
They are especially vulnerable to these three types of crimes.
1. Social engineering
Over 90% of cyberattacks begin with a phishing email that leverages the information criminals can find online about a person to trick him or her into doing something risky, like clicking on a link or downloading a file. The goal of these attacks is often to steal the individual’s credentials or to get him or her to download malware.
Phishing attacks targeting high-level executives are called whaling attacks. In these scenarios, hackers try to get individuals to reveal valuable business information like bank account data, credit card numbers, employee records, or customer lists. They also try to convince executives to make wire transfers.
According to research by MobileIron, 78% of IT managers believe C-suite employees are the ones most likely to be targeted for this kind of attack.
“These attacks historically have a high success rate … There are many campfire stories of the executive who fell for the travel rewards phishing attack, the one that asked for special privileges on their computer. Each one of these stories usually ends up with the executive becoming the victim of some type of cyber attack, and in some instances results in a data compromise at the company level.”—Wayne Lee, chief cybersecurity architect at West Monroe Partners
Some examples of social engineering attacks against executives include:
- Jeff Bezos—In 2018, someone knew enough about Jeff Bezos to get him to open a WhatsApp group message. Unfortunately, that message contained a video file infected with malware that stole large amounts of data, including his photos and private communications, from his iPhone. According to investigators, the person behind the attack was likely the crown prince of Saudi Arabia, Mohammed bin Salman.
- CISO—A security company stress-testing the defenses of a client business found tweets by that company’s CISO describing his experience speaking at a conference. The security firm used this information to tailor a scam to steal the executive’s credentials. First, they created a phony LinkedIn profile for a cybersecurity conference. Then, they messaged the CISO through this fake profile, asking if he wanted to be a keynote speaker. He quickly agreed and exchanged several emails with the fake conference organizer. One of the messages included a link to a page designed to capture the executive’s email credentials and other personal information. It only took 12 minutes to compromise his email.
2. Impersonation
Having unsecured personal data online makes your executives vulnerable to hackers looking to impersonate them for financial gain. This is sometimes called CEO fraud.
One popular impersonation tactic is a business email compromise (BEC) attack, a type of phishing attack in which criminals take over a C-level executive’s email account. This isn’t hard to do if the executive’s credentials are for sale on the dark web, or if he or she posts enough personal details on social media for hackers to guess his or her passwords.
“With access to an executive’s email, there is no limit to what a criminal can do. Not only can they send out phishing emails on behalf of the exec to defraud the company or its customers, but they can set up email rules which automatically forward emails to an external email address. These rules will remain functioning even if the account password is changed.”—Javvad Malik, security awareness advocate at KnowBe4
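The forwarding rules described above are one of the few BEC artefacts a mailbox audit can catch. The following is an added example, not code from the original article or from KnowBe4: it scans constructed inbox-rule records (loosely shaped like Exchange rules; the domain list and finance keywords are assumptions) and flags rules that forward mail outside the organisation or quietly delete finance-related messages.

```python
from dataclasses import dataclass, field

# Assumption: the organisation's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
# Assumption: subject keywords finance staff would expect in payment-related mail.
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank")

@dataclass
class InboxRule:
    """Constructed model of an inbox rule (loosely shaped like an Exchange rule)."""
    name: str
    enabled: bool
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False
    subject_contains: list = field(default_factory=list)

def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rules(rules):
    """Return (rule name, reasons) for every enabled rule that matches the
    BEC persistence pattern: mail leaving the organisation automatically,
    or finance-related mail being hidden from the mailbox owner."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        reasons = []
        targets = r.forward_to + r.redirect_to
        external = [a for a in targets if is_external(a)]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if r.delete_message and targets:
            reasons.append("forwards and then deletes the original, hiding the trail")
        if r.delete_message and any(k.lower() in FINANCE_KEYWORDS for k in r.subject_contains):
            reasons.append("silently deletes finance-related mail")
        if reasons:
            findings.append((r.name, reasons))
    return findings

# Constructed sample rules; a one-character name like "." is easy to overlook
# when someone skims the mailbox settings, so reviewers should not rely on names.
SAMPLE_RULES = [
    InboxRule("Newsletters", True, subject_contains=["newsletter"]),
    InboxRule("To assistant", True, forward_to=["assistant@example.com"]),
    InboxRule(".", True, forward_to=["archive@mail-example.net"], delete_message=True),
    InboxRule("Invoices", True, delete_message=True, subject_contains=["Invoice"]),
    InboxRule("Old forward", False, forward_to=["me@mail-example.net"]),
]
```

Because such rules survive a password reset, the audit belongs in the post-incident checklist as well as in routine monitoring.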
Once a bad actor has access to the account, he or she can use it to ask lower-level employees to transfer funds into a certain bank account or send files containing employee W2 data. Because the email comes from the executive’s account and the hacker has researched the executive online, most people trust the authenticity of the message and promptly comply with these requests.
“The attackers patiently research companies to pinpoint the right executive. They analyze the company’s website and other publicly available information to identify senior personnel, determine the chain of command, track important customers, even study the email style of the executive they target, sometimes researching for as long as a month or more.”—Colin Bastable, CEO of Lucy Security
In 2020, BEC attacks cost businesses more than $1.8 billion, with the real estate and financial sectors being especially hard hit. In fact, 76% of financial companies experienced a BEC attack in 2020.
Here’s one example of a successful BEC scam:
- Sherry Williams—In late 2020, criminals hacked into the executive director’s email account and used it to steal $650,000 from her organization, the San Francisco-based nonprofit One Treasure Island. Posing as Ms. Williams, the scammers emailed an organization that was waiting for a loan from One Treasure Island, telling them to expect a delayed payment. The hackers then sent Ms. Williams several invoices purportedly from the organization, with instructions to wire the money to a new bank in Texas. Because of the first email telling the organization about a delay, Ms. Williams didn’t find out the money was missing until much later.
However, impersonation doesn’t always involve emails. Here is one instance in which scammers used a phone call:
- CEO of a British energy company—Criminals used AI to imitate, over the phone, the voice of the boss of a UK-based energy firm’s CEO. The fake voice on the call asked the CEO to transfer $243,000 within the hour to one of the company’s suppliers. Because the CEO recognized his superior’s slight German accent and manner of speaking, he sent the money as requested.
3. Extortion
As ransomware attacks have increased in recent years, so too has the number of extortion attempts aimed at senior executives. In some instances, ransomware gangs steal sensitive (or sensational) data from an executive’s computer and use it to pressure the individual into approving payment of the ransom they are demanding to decrypt the company’s files.
In other instances, cybercriminals threaten to reveal (or sell to a competitor) a business’s intellectual property, client lists, deals in progress, or key financial records—or an executive’s potentially embarrassing emails—unless the executive sends them a large amount of bitcoin.
Criminals can also extort executives using data garnered from search engines, social media, and even routine background checks.
Here’s one example of executive extortion:
- Trevor Milton—Jonathan Howard Robb threatened to publish unflattering content about Nikola’s then-chairman unless he paid Robb $500,000. When Mr. Milton threatened to contact the police, Robb posted insinuations of sexual misbehavior by Mr. Milton on Instagram. Robb was eventually arrested during a sting operation.
As you can see from the examples above, C-level executives face a host of cyberthreats, especially if bad actors can easily find information about them on social media, blogs, articles, people-search sites, or other online sources. This is why it’s so important for companies to ensure their top executives follow the strictest data-protection protocols, including removing their personal information from the internet.
If you need assistance in locking down your executives’ privacy, we offer an ExecutivePrivacy solution that automates the process for your team. Please give us a call. We are happy to provide complimentary consultations regarding your unique situation.
To learn more about keeping your leadership team safe, see the following articles: