This post has been modified to reflect new information since its original publication.
Executives make tempting targets: a successful takeover of their accounts can pay off financially, in the information it exposes, or both.
Executives often have access to many data systems, and many demand exceptions to company security policies from their IT departments when they perceive those policies as too burdensome. It is easy to see, therefore, why attackers increasingly favor social engineering techniques that trick a company executive into granting money or system access.
Below, we’ll take a look at some of the most common social engineering ploys used to compromise executives, as well as what you can do to prevent them.
Impersonating a travelling executive
Since executives often travel for work, knowledge of their travel plans makes it easy to impersonate them. No one, after all, would be suspicious of an email request from the CEO when everyone in the office knows that he or she is presenting at a conference. This is the pattern behind most business email compromise (BEC) fraud.
Often, attackers use impersonation to request money or access to IT systems, claiming that they can't use the company's normal channels for whatever reason: a flaky VPN connection, a lost phone that prevents two-factor authentication, and so on. The excuse is the tell: the pretext exists precisely to route around the verification step that would expose the request.
These ploys often work because the personal details in the email make sense. The attackers have detailed knowledge of the executive and of his or her relationships with other people in the company, obtained through research on people-search sites and social media. Combined with the executive's business and travel information, these details make the requests look natural and legitimate.
Phone phishing (vishing)
Phone phishing, or vishing, usually takes one of two forms. The first is a sophisticated version of wire fraud or another money-transfer scam. To lend the transaction legitimacy, the attackers staff a phone line with an operator who appears to work for a trusted third party, such as the company's bank or accounting firm, and supply that number in their message. When the executive calls it to verify, the scammer confirms the details of the transaction as expected and the executive's trust is won. The call only verifies anything if the number comes from a known directory or a previous, trusted invoice, never from the message being verified.
The second form is an unsolicited call that attempts to extract key information from the target. A scammer might call an executive claiming that a corporate account has been compromised and ask the executive to confirm account details and answers to security questions. The attacker then uses this information to defeat security challenges and access the desired systems.
Compromised social media accounts
People tend to trust what their friends do on social media, which is why savvy social engineers will attempt to take over a social media account owned by a friend of the executive. Once the social media account has been compromised, the attacker can impersonate the friend and ask the executive questions. In this way, the executive can be tricked into disclosing sensitive information or downloading malware.
Hobbies and interests scams
Savvy social engineers research their executive targets to find out what their interests are and how to exploit them. For example, a survey of people-search sites can uncover philanthropic and political donations made by the executive, which are then cross-referenced with information found on social media or on the websites of various professional organizations.
Using this verified interests profile, the attacker can contact the executive with a request tailored to his or her interests. For example, the attacker might ask for donations to a charity that the executive supports, and in the process request personal information that can be used to compromise the company's IT systems. Alternatively, once trust has been built, the attacker might send a confirmation email that includes a malicious attachment. In both cases, the attacker wins over the executive through personal affinity and then encourages him or her to do something risky.
Malicious insiders
According to a global survey by PwC, slightly more than 20% of social engineering attacks against companies stem from malicious insiders, whether people who currently work at the company or past employees who still have access to IT systems. Insiders use their personal connections and knowledge of the company's workings to trick executives into sharing information or access. Usually, these scams are conducted to gain leverage in job negotiations or for the purposes of corporate espionage.
Posing as a contractor
Most companies interact with a large number of outside contractors, so it is not uncommon for hackers to pose as contractors when mounting an attack on an executive. After uncovering which contractors the company has recently used, the hacker sends the executive an email with a subject along the lines of "outstanding balance, payment not received." The email purportedly includes a copy of the contractor's invoice, but the document carries malicious code, typically a macro or other active content that runs when the file is opened.
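A concrete check for the two email lures described above (the travelling-executive pretext and the contractor invoice), as an added example that is not code from the original post or from ReputationDefender: a small mail-triage routine that flags display-name impersonation of a known executive, look-alike sender domains, Reply-To mismatches, "can't use the normal channel" language, and active-content attachments from outside the company. The company domain, the executive roster, the phrase list and the sample messages are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed example data. The company domain and the executive roster are
# assumptions for this demonstration, not values from the original post.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases typical of "I can't use the normal channel" pretexts (assumed list).
OUT_OF_BAND_PHRASES = (
    "can't use the vpn", "cannot use the vpn", "lost my phone",
    "two-factor", "2fa", "don't call", "wire", "urgent",
)
# Attachment types that run code when opened: macro-enabled Office files,
# scripts, and container formats that sidestep mark-of-the-web.
RISKY_ATTACHMENT_RE = re.compile(r"\.(docm|xlsm|pptm|js|vbs|hta|iso|lnk|scr|exe)$", re.I)


@dataclass
class Message:
    from_header: str
    reply_to: str = ""
    subject: str = ""
    body: str = ""
    attachments: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _fold(domain: str) -> str:
    """Collapse common look-alike substitutions so exarnple.com folds to example.com."""
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("-", "")):
        domain = domain.replace(lookalike, real)
    return domain


def triage(msg: Message) -> list:
    """Return human-readable findings for one message; an empty list means no flag."""
    findings = []
    name, addr = parseaddr(msg.from_header)
    addr = addr.lower()
    sender_domain = _domain(addr)

    # 1. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")

    # 2. Sender domain is a look-alike of the company domain.
    if sender_domain != COMPANY_DOMAIN and _fold(sender_domain) == _fold(COMPANY_DOMAIN):
        findings.append(f"look-alike domain {sender_domain}")

    # 3. Replies would go somewhere other than the apparent sender.
    if msg.reply_to:
        _, reply_addr = parseaddr(msg.reply_to)
        if _domain(reply_addr) != sender_domain:
            findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {sender_domain}")

    # 4. The pretext asks to bypass normal channels or pushes urgency.
    text = f"{msg.subject} {msg.body}".lower()
    hits = [p for p in OUT_OF_BAND_PHRASES if p in text]
    if hits:
        findings.append("out-of-band or urgency language: " + ", ".join(hits))

    # 5. External sender with an attachment that runs code when opened.
    if sender_domain != COMPANY_DOMAIN:
        for fname in msg.attachments:
            if RISKY_ATTACHMENT_RE.search(fname):
                findings.append(f"external sender with active-content attachment {fname}")
    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_travel_pretext": Message(
        from_header='"Jane Doe" <jane.doe@exarnple.com>',
        reply_to="jane.doe.ceo@gmail.com",
        subject="Urgent: wire before my panel",
        body="Can't use the VPN from the conference hotel and I lost my phone, so 2FA is out. Please handle quietly.",
    ),
    "contractor_invoice_lure": Message(
        from_header="Acme Contracting <billing@acme-contracting-invoices.net>",
        subject="Outstanding balance, payment not received",
        body="Please see the attached invoice and remit at your earliest convenience.",
        attachments=["Invoice_4471.docm"],
    ),
    "legitimate_internal": Message(
        from_header='"Jane Doe" <jane.doe@example.com>',
        subject="Board deck",
        body="Attached is the deck for Thursday.",
        attachments=["deck.pptx"],
    ),
}


def triage_samples() -> dict:
    return {label: triage(msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in triage_samples().items():
        print(label, "->", findings or ["no findings"])
```

The findings are meant to route a message to out-of-band verification (a call to the executive or contractor on a number from the directory), not to block it outright: an executive who really is emailing from a personal account while travelling trips the same checks, and that is exactly the case that deserves a phone call rather than a silent wire transfer.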
Combating executive social engineering
Executives move fast, have access to a lot of systems, touch many aspects of a company's activities, and can resist security protocols that they perceive as slowing them down. That's why the most effective defense against executive social engineering is scrubbing the online personal data that hackers use to personalize their attacks.
After all, if hackers can't find the validating details they need to make their attacks look innocuous, they generally won't spend the time to mount an attack. Executive social engineering is a laborious, time-consuming process, so before choosing a target, hackers want to be reasonably sure they have a strong chance of success.
The two main ways to scrub this personal data are to remove the executive's information from people-search sites and to lock down social media accounts. Scrubbing lowers the quality of the pretext; it does not replace the controls that catch the request itself, so pair it with out-of-band verification of any payment or access request that arrives with a reason for skipping normal channels, and do not exempt executives from two-factor authentication. Combined with general awareness of the common approaches used by social engineers, this goes a long way toward protecting your executives and the integrity of your IT systems.
For more information on how ReputationDefender can help protect your executives’ online privacy and thwart social engineering attacks, check out our ExecutivePrivacy product page or schedule a consultation with one of our privacy experts.