Senior executives are the latest target for malicious hackers and cyber criminals looking to take advantage of businesses. This is in part because they are likely to be in control of valuable information and sensitive data that can be stolen. Executives are typically well-protected inside a corporate network, but when they step outside of that network, they become an easy target. It’s so important for executives, and their EAs and PAs, to be aware of the various ways they can be the target of a data breach so they can stay alert and better protected.
Dakota Murphey has taken a good look at the principal target routes taken and how best to combat these potential cyber threats.
What are the key areas of hackers targeting executives?
1. Whaling’ campaigns
The strategy that many criminals adopt when targeting executives is known as ‘whaling’ (a play on the term phishing, but going after the bigger fish). This has become a significant risk for organisations around the world. Studies suggest that between 2020 and 2021, there was a 131% increase in whaling campaigns. These tactics cost businesses billions. And the sophistication of the attacks has forced businesses to really take a look at their cybersecurity measures to protect themselves.
Whaling is different from phishing, where criminals use malicious attachments or links in emails to target a broad number of people. Whaling is a social engineering attack that targets the identity of key corporate figures, such as CEOs or executives. They may send out an email with an urgent-sounding subject to encourage the recipient to take action quickly, luring them into handing over data or login details. Or they may reference them with a focus on a sensitive company concern, unwittingly getting them to expose data, passwords or servers.
Social engineering relies on the human instinct to believe what appears on the surface to be true. Hackers will do their research into the individual they’re targeting to make their communications look as genuine as possible to give the illusion of legitimacy.
2. Targeting home devices
An executive’s home network is a popular target for cyber criminals because these are usually more vulnerable and less protected. A breach may even go unnoticed for some time, leaving hackers with more time to abuse the data they have access to.
Once a hacker knows the IP address of the target, they can scan the network for exposed devices and gain access. This can happen through Wi-Fi routers, out of date firewalls and any IoT devices like home automation systems or security alarms. High value devices, in particular, such as business laptops or modems pose a huge risk because they provide a hacker with direct access to data and corporate accounts.
3. Gaining access to personal accounts
From personal email accounts to social media and messaging accounts, hackers have their pick of various platforms to gain access to. They can then impersonate the executive in question to develop attacks on other executives or employees. A compromised LinkedIn account, for example, could quickly escalate to compromise several other accounts and lead to a corporate breach in next to no time.
Hackers may also seek out passwords that have been reused on other accounts. For example a retail account that may seem harmless and insignificant to a business but can quickly help a criminal gain access to corporate data if the same passwords have been used on Teams, Slack or other work accounts. Attackers may also use spear-phishing tactics to trick an executive into signing into an account using a fake login page to steal their information and harvest passwords.
4. Aggressive document extortion
Another technique that cyber criminals use when targeting executives is document extortion, which is something that comes along with personal account takeovers but needs to be recognised as its own threat because there has been a steady rise in these types of attacks in recent years. Hackers are becoming more aggressive when it comes to document extortion, so executives need to be on their guard when it comes to these types of attempts.
Document extortion is the process of having a hacker hunt down sensitive documents or files that would be embarrassing for an executive to have revealed or which would compromise the reputation of them or their business, from legal documents to tax records or medical files. They may also do the same with text messages and emails, or sensitive account subscriptions.
What can executives do to combat these targeted hacker attacks?
-
Be cautious of what you’re reading
The first step is to be very cautious of everything you read and don’t immediately trust that the content of an email or a message is what it says it is. If urgent action is necessary, make sure you take an extra couple of minutes to call the person you’ve received it from and confirm that they have sent the email themselves before actioning it. This not only validates the action but signals to your IT team that the company is potentially under a cyber attack so they can be prepared.
-
Carry out regular assessments
Some vulnerabilities can’t be detected by automated software tools. These give hackers a chance to exploit vulnerabilities that evade automated assessments. Regular assessments with ethical hacking and penetration testing will spot those potentially hidden vulnerabilities that could put executives under threat. Penetration testing is a form of ethical cyber security assessment. This identifies and safely exploits vulnerabilities affecting computer networks, systems, applications and websites. Testing also uncovers any weaknesses can be addressed before they’re targeted by a malicious attack.
-
Keep on top of your education
Threats are evolving at a quicker pace than many people realise. Stay on top of trends and concerns. This will keep executives protected and give them a chance to adapt their protective measures accordingly. Potential targets, whether that’s executives or the team around them, need to be trained to be able to spot a risk or threat, and know how to follow the right processes if a threat is observed.
-
Be mindful of ‘typosquatting’
This common tactic involves hackers sending the recipient a link where the URL looks official at first glance but won’t look quite right when you delve closer. For example, the domain of an official website may be .net rather than .com. Or there might be a slight spelling error in a brand name. These links will then link through to a malicious file or download malware. Executives, and every member of the team, would be wise to pay close attention to the links they click on, making sure they are genuine and not clever copies.
-
Check privacy settings
Social media profiles and similar accounts can be a popular target for hackers trying to gain access to an executive’s data. Make sure that your privacy settings are as strong as possible to prevent a breach. This can be done by limiting the number of people who can see the data you’ve published on social media platforms. This will reduce the risk of it falling in the wrong hands. Be careful who you accept connection requests from. Make sure that the people you have in your network are genuine contacts you can trust.
CEOs and executives send thousands of emails every year and manage multiple tasks as part of their senior position. It is therefore no wonder that they have become a popular target for cybercrime. Better understanding the tactics that criminals use to gain access to sensitive data and networks is key. Executives can then be better prepared and protected against this type of criminal behaviour.
Working From Home exposes higher risks for companies and most need to tighten their cyber security.
