Top level executives have become top targets for cybercriminals, but it’s not what you think. Instead of hackers trying to compromise the accounts of CEOs, CFOs, COOs and other C-level personnel, they are impersonating them to trick subordinates and vendors in order to gain access to funds and sensitive information. This is called spear-phishing. It’s a highly successful tactic that takes advantage of traditional hierarchal systems, preying upon those who unquestionably respond to what they think is a direct order from superiors. As a CEO (etc) it’s time to take responsibility and prevent this advanced form of phishing from wiping funds from your ledger and compromising data security. Here’s what you need to do.
5 Tips to Keeping Cybercriminals from Impersonating C-Level Executives to Steal Funds and Data from Your Company
1. Institute a Confirmation Policy for All Fund and Data Transfer Requests
The easiest and most effective way to keep staff and vendors from being tricked into giving up the goods is to institute a policy of “ask first”. If an email, SMS, or any form of digital communication requests a fund or data transfer, have them follow up directly with the purported sender via an alternative form of communication. This must not be via a direct reply to the original message. It must be completely separate and initiated through a secure and company sanctioned communications channel, or a simple knock on the door. This redundancy is the best line of defense against C-level spear phishing.
2. Have Recipients Double-Check Sender Emails
Staff and vendors must become accustomed to vetting supposed C-level emails that request data and fund transfers. They need to look for near-match sender email names and/or domains.
For example, let’s say your email address is email@example.com. A spear-phisher will buy a near-match domain, such as examples.com (note the “s”) and register firstname.lastname@example.org to use when sending their malicious email campaigns. Alternatively, they may have already hacked your company’s email hosting service and will create near-match sender email names, such as email@example.com (note the removed “s” from the email sender name) and do their dirty work from there.
While your “ask first” policy will prevent C-level impersonation, having staff vet email sender addresses will allow them to report the phishing campaign to IT security who can block emails coming from the source.
3. Create a More Open Corporate Culture
As alluded to in the introduction, spear-phishing is largely successful because the emails are often marked as urgent. To satisfy a potentially demanding C-level executive, staff or suppliers may respond accordingly because it has become ingrained in them to not question a thing. Creating this sort of corporate environment has never been a good idea. But, in the digital age, with the proliferation of online communications and corresponding cybercrime, it is downright dangerous. Institute an open door policy, so that staff feels comfortable questioning anything that seems out of sorts. Not only will this help protect your company, it will contribute to improved employee well-being and promote collaboration and innovation.
4. Get an Audit from an Outside IT Security Expert
Have an outside (and therefore unbiased) IT support company come in and audit your IT infrastructure, namely your digital communications systems so that they can check for vulnerabilities that allow phishing emails to penetrate in the first place. Managed Service Providers (MSPs) are armed with IT security tools that leverage artificial intelligence (AI) and machine learning along with enterprise-level productivity solutions (i.e. MS 365) that can identify inauthentic digital communications.
5. Get More Comprehensive Cyber Insurance Coverage
In the same manner that you should have an IT firm audit your IT infrastructure, you should receive a comprehensive assessment of your cyber insurance to look for vulnerabilities of a different kind – those that factor in liabilities and all of the damages that may come from cyber intrusion. View more on why you need cyber insurance. and please do contact Park Insurance today to schedule a consultation.