The C-Suite. They’re educated and seasoned professionals. They sit in big offices and make decisions that affect the future of the company. Why are malicious actors phishing the C-Suite— why do the executives keep biting? Why are we seeing so many reports like these:
Snapchat– An attacker pretended to be Snapchat chief executive Evan Spiegel and tricked an employee into emailing over 700 current or former employees’ information including their names, social security numbers, and wage data.
Mattel – a finance executive wired more than $3 million to the Bank of Wenzhou after the ‘new CEO’ requested a vendor payment. According to reports, Mattel quickly realized that it had been a victim of a fraudulent request and worked with Chinese authorities to get the money back.
FACC – Austrian aircraft parts maker, whose customers include Airbus, Boeing, and Rolls-Royce, fired their chief executive after cybercriminals stole 50 million euros ($55.7 million) in a so-called “fake president” email scam.
One reason more are biting is that the number of C-Levels that are being targeted is rising. 2016 started out with a 270% increase in CEO scams according to the FBI. Another reason, as Agari reports, is that “more than 85% of spear-phishing attacks are enabled by legitimate cloud services, and the majority do not contain a malicious link or attachment, which make them a lot harder to detect.” Then comes the way companies view the danger posed by human weakness, with only 30% rating it as a serious concern, according to the 2015 CompTIA report. Then couple that with “only 54% of companies offering some form of cybersecurity training, with the format most often being new-employee orientation or some kind of refresher course,” according to the same CompTIA report.
So, what’s the solution? Testing and training. Real-world testing and training. It shouldn’t be just for employee orientation or to check a box for the annual audit. It needs to be as close to what is seen in the wild as possible. It also needs to be regular and consistent. Use a managed service provider or have an in-house team run campaigns to the general population and send spear phish to the executives. Provide education on not only how to identify a phish but how to properly report the phish and make reporting mandatory. Get the executives to care about security and the rest of the employees will follow. Then you’ll start seeing the number of reports start dropping.