Executives have always been targets. They are central to brand reputation, they possess access to sensitive data and internal systems, and they have control of the purse strings. In recent years, the old executive threats – physical assault, hacktivism, blackmail – have been joined by a very modern form of digital risk: executive phishing (also known as “whaling”). Acts of executive phishing are almost always examples of spear phishing, the most targeted version of this threat.
What form do modern executive phishing attacks take? And how can enterprises protect themselves? (Hint: it requires more than a complicated password.)
The Rise and Rise of Executive Phishing
In January of 2020, the richest man on earth was revealed to have been spear-phished via WhatsApp. Jeff Bezos downloaded and played a video shared in a WhatsApp group conversation. The video released malware that penetrated Bezos’s cellphone and exfiltrated a tranche of data. There were allegations that the video had been sent by Mohammed bin Salman, the crown prince of Saudi Arabia.
Bezos suffered a classic spear phishing attack. Executive spear phishing of this kind is getting worse every year. Forbes reports that, in 2019, 84% of C-level executives were the primary targets of at least one cyber attack. Over half of these attacks were executive phishing attacks.
Executive phishing attacks can be devastating. Just recently, Israel suffered a cyberattack by a North Korea-linked hacking group. The hackers posed as a Boeing headhunter, and initiated the attack by sending a LinkedIn message to senior officials. As the New York Times reports, “the North Korean hackers penetrated [Israel’s] computer systems and were likely to have stolen a large amount of classified data. Israeli officials fear the data could be shared with North Korea’s ally, Iran.”
Digital Transformation Expands the Phishing Attack Surface
Executive phishing used to be confined to email – which nowadays benefits from a $3bn security industry. However, phishing attacks that target particular individuals at the corporate level are now a major problem on third-party cloud channels – channels that don’t typically receive anywhere near as much protection as email. Platforms like LinkedIn and Twitter aren’t only used for victim profiling; they are the attack vector itself.
The 2020 Verizon cybersecurity report discovered that 50% of cyber attacks involve social phishing (not email phishing). Executives were “12 times more likely to be the target of social incidents, and nine times more likely to be the target of social breaches.”
A key problem is that, unlike email, people instinctively trust what they encounter in social channels. Culturally, we have learnt to be wary of emails, and are familiar with the dangers of spam. But a DM? People still instinctively tend to see these as less threatening. A study by BlackHat found that 66% of social spear-phishing messages were opened by their recipients.
As Akamai lay out in a recent whitepaper,
the phishing landscape has evolved… the use of social networks and other non-email distribution channels are the new normal. Further exacerbating this alarming trend, devices are roaming and users generally access social network and messaging apps through mobile devices, which are typically the weakest link in an enterprise’s security structure.
On our Zero Hour podcast, Brian Honan of BH Consulting described a frighteningly successful red teaming test. Honan’s team targeted the CISO of the company whose security they were stress-testing. They discovered that the CISO had been tweeting about a talk he gave at a conference some months prior. After going through the tweets, Brian’s team created a fake LinkedIn profile, posing as a large cybersecurity conference. They reached out to the CISO and asked if he would be available as a keynote speaker. The CISO was responsive, sharing his email address and other details to receive a keynote speaker package as a PDF. Within 12 minutes, he was compromised.
The problem is compounded because platforms like Slack, Microsoft Teams and even WhatsApp have been widely adopted as key enterprise channels, and now rival company email in the volume and density of communications. However, these cloud channels sit outside the traditional network perimeter. No firewall or email filter can protect your Facebook inbox. As a result, these channels offer a new way for employees to be phished, in communications invisible to most security teams. Worse still, each of these channels adds another set of accounts that can be compromised.
The susceptibility of cloud channels to executive phishing attacks has been exacerbated by the disruptions of 2020. Executives were already less office-bound than other employees. However, the COVID-19 pandemic drastically accelerated the rise of remote working. Many businesses are now talking about permanent WFH arrangements.
The problem with these out-of-office arrangements is that, as with other employees, executives’ home working environments are rarely optimized for cybersecurity. Even if their remote VPN transports are highly secure, home networks are often cursed with weaknesses such as legacy routers, PCs, and IoT devices.
How to Defend Against Executive Phishing
Company executives can hardly abandon the cloud channels that are now the epicenter of executive phishing attacks. They are public figures who need to cultivate their presence on LinkedIn, Twitter and elsewhere. The nature of their positions is such that the details required for victim profiling will always be easy to find.
On top of this, research shows that 74% of CEOs and other executive leadership figures routinely request more relaxed security protocols for their devices and apps. People hate any technology that gets in their way, and will intuitively trade safety for speed.
What enterprises need is technology that allows executives to feel unburdened by security protocols – so that they can build the brand, cultivate a network, and drive growth. However, they also need this technology to effectively protect executives from a potentially devastating form of digital risk.
Executive phishing attacks arrive via the cloud. Repelling them requires cloud-based defense that can halt attacks at the app level, and prevent these attacks from moving laterally into endpoints and enterprise networks. Effective technology must include:
- Maximum Visibility
  - Security teams need the power to onboard all executive accounts for protection.
  - They also need the power to inspect messages for malicious content, track new connection requests, and archive 100% of account activity.
- Real-Time Threat Detection
  - Executive channels need to be monitored around the clock for suspicious activity and messaging. All files, attachments and links should be automatically scanned for malware. “Soft” threats that live in the language of a message rather than in a file or link must also be picked up.
  - All new connections should be evaluated against known or suspected bad actors, so that a bad actor is detected the moment they follow or connect with an account.
- Incident Response
  - Any threat detected within the executive ecosystem must be quarantined immediately, in real time, at the app level.
  - IOC notification details must be sent to the SOC/SIEM for evaluation, and social attacks need to be correlated with EDR telemetry.
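As an added example (not part of the original article, and not the author's or any vendor's product code), the following Python sketch shows the detection-and-response loop the list above describes: each inbound cloud-channel message is scanned for links, attachment types worth sandboxing, lure language and known-bad senders; an app-level action (allow, review, quarantine) is decided; and an IOC record is emitted for the SOC/SIEM to correlate with EDR. The indicator sets, the sender blocklist, the sensor name and the sample messages are all constructed for illustration and are not real data.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed indicator sets for illustration only; a real deployment would
# pull these from threat-intelligence feeds rather than hard-code them.
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)
SANDBOX_EXTENSIONS = {".pdf", ".docm", ".xlsm", ".zip", ".exe", ".scr", ".lnk"}
LURE_PHRASES = (
    "speaker package", "share your email", "urgent", "verify your account",
    "wire transfer", "password",
)
KNOWN_BAD_SENDERS = {"conf-invites-2020"}  # hypothetical blocklist entry


@dataclass
class Message:
    """One inbound message from a cloud channel (LinkedIn DM, Slack, Twitter, ...)."""
    channel: str
    sender: str
    recipient: str
    text: str
    attachments: List[str] = field(default_factory=list)


def scan_message(msg: Message, known_bad=KNOWN_BAD_SENDERS) -> List[str]:
    """Return indicator tags for a message; an empty list means nothing was flagged."""
    tags: List[str] = []
    if msg.sender in known_bad:                      # connection-level check
        tags.append("sender:known_bad")
    if URL_RE.search(msg.text):                      # hard indicator: a link
        tags.append("content:link")
    for name in msg.attachments:                     # hard indicator: a file to sandbox
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in SANDBOX_EXTENSIONS:
            tags.append("attachment:" + ext)
    lowered = msg.text.lower()                       # "soft" indicator: lure language
    if any(phrase in lowered for phrase in LURE_PHRASES):
        tags.append("language:lure")
    return tags


def decide(tags: List[str]) -> str:
    """Map indicator tags to an app-level action: quarantine, review, or allow."""
    if "sender:known_bad" in tags:
        return "quarantine"
    has_payload = any(t.startswith(("content:", "attachment:")) for t in tags)
    if has_payload and "language:lure" in tags:
        return "quarantine"          # payload plus lure language: hold it at the app level
    return "review" if tags else "allow"


def to_siem_event(msg: Message, tags: List[str], action: str) -> Dict[str, object]:
    """Build the IOC notification handed to the SOC/SIEM for EDR correlation."""
    return {
        "source": "cloud-channel-monitor",           # hypothetical sensor name
        "channel": msg.channel,
        "sender": msg.sender,
        "recipient": msg.recipient,
        "indicators": tags,
        "urls": URL_RE.findall(msg.text),
        "attachments": msg.attachments,
        "action": action,
    }


def process_feed(messages: List[Message]) -> List[Dict[str, object]]:
    """Run detection over a batch of messages; return only events needing attention."""
    events = []
    for msg in messages:
        tags = scan_message(msg)
        action = decide(tags)
        if action != "allow":
            events.append(to_siem_event(msg, tags, action))
    return events


# Constructed sample traffic (not real messages).
SAMPLE_MESSAGES = [
    Message("linkedin", "conf-invites-2020", "ciso",
            "We would love you as a keynote. Share your email and we will send the "
            "speaker package: https://conference.example/package.pdf"),
    Message("twitter", "colleague", "ciso", "Great talk yesterday, see you at lunch."),
    Message("slack", "new-vendor", "cfo",
            "Urgent: please approve the attached invoice today.",
            attachments=["invoice.pdf"]),
]

if __name__ == "__main__":
    for event in process_feed(SAMPLE_MESSAGES):
        print(json.dumps(event))
```

The point of separating `scan_message` from `decide` is that hard indicators (a link, a PDF) and soft ones (lure language) are cheap to collect individually but only become a confident verdict in combination; a lone link goes to analyst review, a link or attachment paired with lure language, or anything from a known-bad sender, is quarantined before it reaches the executive's inbox.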
Protecting executives from spear phishers requires implementing software that is custom-built to deal with modern threats. Read about other leading digital risks, and how executives and organizations can best be protected against them.