C-Level Spear Phishing – Don’t Take the Bait!

Aug 5, 2020 | Uncategorized

Top-level executives have become top targets for cybercriminals, but not in the way you might think. Instead of trying to compromise the accounts of CEOs, CFOs, COOs and other C-level personnel, attackers impersonate them to trick subordinates and vendors into handing over funds and sensitive information. This is called spear-phishing. It is a highly successful tactic that takes advantage of traditional hierarchical structures, preying upon those who respond unquestioningly to what they believe is a direct order from a superior. As a CEO (or any other C-level executive) it’s time to take responsibility and prevent this advanced form of phishing from wiping funds from your ledger and compromising data security. Here’s what you need to do.

5 Tips to Keeping Cybercriminals from Impersonating C-Level Executives to Steal Funds and Data from Your Company

1. Institute a Confirmation Policy for All Fund and Data Transfer Requests

The easiest and most effective way to keep staff and vendors from being tricked into giving up the goods is to institute a policy of “ask first”. If an email, SMS, or any other form of digital communication requests a fund or data transfer, have the recipient follow up directly with the purported sender via an alternative form of communication. This must not be a direct reply to the original message. It must be completely separate and initiated through a secure, company-sanctioned communications channel, or a simple knock on the door. This redundancy is the best line of defense against C-level spear phishing.

2. Have Recipients Double-Check Sender Emails

Staff and vendors must become accustomed to vetting supposed C-level emails that request data and fund transfers. They need to look for near-match sender email names and/or domains.

For example, let’s say your email address is worldsgreatestboss@example.com. A spear-phisher will buy a near-match domain, such as examples.com (note the “s”) and register worldsgreatestboss@examples.com to use when sending their malicious email campaigns. Alternatively, they may have already hacked your company’s email hosting service and will create near-match sender email names, such as worldgreatestboss@example.com (note the removed “s” from the email sender name) and do their dirty work from there.

While your “ask first” policy will prevent C-level impersonation, having staff vet email sender addresses will allow them to report the phishing campaign to IT security who can block emails coming from the source.
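To make the near-match check in this tip concrete, here is an added example (not code from the original post) that flags inbound sender addresses differing by only a character or two from a list of known executive addresses, catching both the look-alike domain (examples.com) and the look-alike name (worldgreatestboss) cases above. The executive list, the sample messages and the edit-distance threshold are assumptions.

```python
# Constructed example: classify a sender address against known executive
# addresses. Addresses and messages below are hypothetical.
KNOWN_EXECUTIVES = {"worldsgreatestboss@example.com", "cfo@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known=KNOWN_EXECUTIVES, max_dist: int = 2) -> str:
    """Return 'exact', 'lookalike' or 'unrelated' for one sender address."""
    sender = sender.strip().lower()
    if sender in known:
        return "exact"
    local, _, domain = sender.rpartition("@")
    for addr in known:
        k_local, _, k_domain = addr.rpartition("@")
        # Real domain, name off by a character or two (worldgreatestboss@example.com)
        if domain == k_domain and 0 < edit_distance(local, k_local) <= max_dist:
            return "lookalike"
        # Real name, domain off by a character or two (worldsgreatestboss@examples.com)
        if local == k_local and 0 < edit_distance(domain, k_domain) <= max_dist:
            return "lookalike"
    return "unrelated"


def flag_messages(messages):
    """Return (sender, subject) pairs that should be reported to IT security."""
    return [(s, subj) for s, subj in messages if classify_sender(s) == "lookalike"]


# Constructed inbound messages as (sender, subject) pairs.
SAMPLE_MESSAGES = [
    ("worldsgreatestboss@example.com", "Q3 numbers"),
    ("worldsgreatestboss@examples.com", "URGENT: wire transfer today"),
    ("worldgreatestboss@example.com", "Need the vendor list now"),
    ("newsletter@supplier.example", "Monthly update"),
]

if __name__ == "__main__":
    for sender, subject in flag_messages(SAMPLE_MESSAGES):
        print(f"REPORT: {sender} ({subject})")
```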

3. Create a More Open Corporate Culture

As alluded to in the introduction, spear-phishing is largely successful because the emails are often marked as urgent. To satisfy a potentially demanding C-level executive, staff or suppliers may comply immediately because it has become ingrained in them not to question anything. Creating this sort of corporate environment has never been a good idea. But in the digital age, with the proliferation of online communications and the corresponding rise in cybercrime, it is downright dangerous. Institute an open-door policy so that staff feel comfortable questioning anything that seems out of sorts. Not only will this help protect your company, it will contribute to improved employee well-being and promote collaboration and innovation.

4. Get an Audit from an Outside IT Security Expert

Have an outside (and therefore unbiased) IT support services company come in and audit your IT infrastructure, particularly your digital communications systems, so that they can check for the vulnerabilities that allow phishing emails to get through in the first place. Managed Service Providers (MSPs) are armed with IT security tools that leverage artificial intelligence (AI) and machine learning, along with enterprise-level productivity suites (e.g. Microsoft 365), that can identify inauthentic digital communications.

5. Get More Comprehensive Cyber Insurance Coverage

In the same manner that you should have an IT firm audit your IT infrastructure, you should receive a comprehensive assessment of your cyber insurance to look for vulnerabilities of a different kind: those that factor in liabilities and all of the damages that may follow from a cyber intrusion. Read more on why you need cyber insurance, and please do contact Park Insurance today to schedule a consultation.
