You might think that your existing security measures are enough to keep your C-suite executives (and your business) safe from social engineering attacks. However, your efforts won’t fully protect your leadership team if you fail to eliminate this additional threat: the personal information available online about your executives.
Personal information makes it easier for cybercriminals to convince your executives to trust them enough to hand over valuable business information or their account credentials, or even worse, wire money to a fraudster’s bank account.
Here are some security best practices businesses follow to protect their executives from social engineering, and how each one falls short if the business does not also secure its executives' online privacy.
Password vaults
One of the best things you can do for corporate security is to put your executives' credentials in a password manager (often called a password vault). A password manager keeps unique, randomly generated passwords in an encrypted vault that opens with a single master secret, which makes good password hygiene practical rather than a chore.
However, these tools aren't invulnerable. Executives who post personal information online give social engineers the ammunition they need to get into an executive's vault.
Armed with enough knowledge about your leadership team (their hobbies, the organizations they belong to, the people they engage with), cybercriminals can craft convincing emails that manipulate your C-suite into installing a malicious app. On a phone, such an app can impersonate a legitimate one (for example by claiming its package name) so that the password manager's autofill offers the real credentials to the impostor. A 2020 University of York study that tested five commercial password managers found two of them (40%) vulnerable to exactly this attack.
“Our study shows that a phishing attack from a malicious app is highly feasible – if a victim is tricked into installing a malicious app it will be able to present itself as a legitimate option on the autofill prompt and have a high chance of success.”—Siamak Shahandashti, of the University of York’s Department of Computer Science
The same study found that the four-digit PINs some managers accept for unlocking the vault could be brute-forced in a few hours: there are only 10,000 possible PINs, so the only real protection is a lockout after a handful of failed attempts, and where that lockout could be circumvented the PIN fell quickly.
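To make the lockout point concrete, here is an added simulation (not code from the York study or from any real password manager). It models two toy vaults: one whose failed-attempt counter lives only in memory, so an attacker who can restart the app clears it, and one that persists the counter and locks for good after a small number of failures. The PIN, the threshold and the hashing parameters are constructed for the illustration.

```python
"""Brute-forcing a four-digit vault PIN with and without a lockout that sticks.

Added illustration. Not the York study's code and not any vendor's
implementation; the vault, PIN and lockout threshold are constructed.
"""
import hashlib
import hmac
import os

PIN_SPACE = 10_000      # four decimal digits: 0000 .. 9999
MAX_FAILURES = 10       # constructed lockout threshold


class Vault:
    """Toy vault unlocked by a PIN. `persistent_lockout` decides whether the
    failed-attempt counter survives an app restart."""

    def __init__(self, pin: str, persistent_lockout: bool):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.persistent_lockout = persistent_lockout
        self.failures = 0
        self.locked = False

    def _hash(self, pin: str) -> bytes:
        # Slow hash so a single guess costs something; iteration count is
        # deliberately low to keep the demo quick.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 1000)

    def restart(self) -> None:
        # Simulates killing and relaunching the app. A vault that keeps its
        # counter only in RAM forgets the failures; a persistent one does not.
        if not self.persistent_lockout:
            self.failures = 0
            self.locked = False

    def unlock(self, pin: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(self._hash(pin), self.pin_hash):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def brute_force(vault: Vault):
    """Try every PIN in order, restarting the app whenever it locks.
    Returns (recovered_pin_or_None, attempts_actually_made)."""
    attempts = 0
    for n in range(PIN_SPACE):
        guess = f"{n:04d}"
        if vault.locked:
            vault.restart()
            if vault.locked:            # lockout survived the restart: give up
                return None, attempts
        attempts += 1
        if vault.unlock(guess):
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    weak = Vault("2468", persistent_lockout=False)
    print("in-memory lockout:", brute_force(weak))      # PIN recovered
    strong = Vault("2468", persistent_lockout=True)
    print("persistent lockout:", brute_force(strong))   # stops after 10 tries
```

The attacker never needs more than 10,000 guesses in either case; what decides the outcome is whether the tenth failure is remembered. Real managers go further than this toy (wiping local data or demanding the master password after repeated failures), but the same principle applies: a short PIN is only as strong as the counter behind it.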
Multi-factor authentication (MFA)
Multi-factor authentication requires an extra proof of identity at login beyond the password. It is effective enough at stopping credential-based attacks that the National Cyber Security Alliance included it in its safety education and awareness campaign. However, if bad actors can easily find your executives' personal information (phone numbers, birthdates, home addresses) on the internet, they can use social engineering to get around the MFA step rather than defeat it.
“One issue with multifactor authentication is that many users share personal data across social media platforms, giving cybercriminals an opening to figure out how to break knowledge-based authentication.”—Shahrokh Shahidzadeh, CEO of security vendor Acceptto.
For example, a cybercriminal can spoof an executive's phone number, call the company's tech support line, and ask for help logging into the executive's account. The caller then offers the target's home address or date of birth as proof of identity.
That "proof," combined with a story of urgency (a deal closing today, a lost MFA token, a forgotten password), can persuade support staff to reset the credentials or enroll a new MFA device, handing the attacker the executive's account without ever touching the MFA mechanism itself.
“Thinking that MFA magically makes you unhackable is even more dangerous than not using MFA. Unfortunately, most MFA implementers and certainly most users don’t understand this.”—Roger Grimes, defense evangelist at KnowBe4.
Social engineering awareness training
You already know that providing social engineering awareness training to C-suite executives doesn’t make them immune to these kinds of scams. But, you might assume that it provides more protection than it actually does.
The reality is that social engineers are experts in psychological manipulation. They are so good at what they do that they were able to carry out successful attacks on 74% of American businesses in 2020.
Moreover, social engineers are launching increasingly sophisticated attacks that leverage the vast troves of personal and professional data available online about your executives to gain their trust.
“Combining the data gained from an organization’s team page, a LinkedIn profile, a Twitter profile, and a Facebook profile, a criminal can usually capture quite a detailed picture of their victim. They might use your name, information about where you work, who you bank with, a recent payment you’ve made, information about your family and friends, and any other private information they can find.”—Oz Alashe, CEO of CybSafe
Further, because executives are often pressed for time and tend to skim email, they are more likely than lower-level employees to fall for phishing.
In one example from February 2020, the office of Barbara Corcoran, founder of the Corcoran Group and a host of ABC's "Shark Tank," was targeted with a phishing email that appeared to come from her assistant and carried a fake invoice for a real estate renovation. Because the scammers knew she often invests in real estate, the invoice raised no suspicion and her bookkeeper paid the fraudsters nearly $400,000. The scam came to light only when a reply in the email chain exposed the sender's address, which differed from the assistant's real address by a single letter.
Social media posting policy
Having a corporate social media posting policy that specifies what employees can and can’t share is a good first step in preventing your C-suite from posting sensitive information that social engineers can use to harm them and your business.
However, your leadership team’s private, personal information can come from a variety of outside sources not under your control, including their friends’ and family members’ social media accounts.
Other people’s social media accounts can reveal a lot about your executives, including:
- Their full name
- Their birth date
- The names of people in their family
- Their hobbies and interests
- Information about their job
- Where they live
- Where their kids go to school
This information undermines the goal of your social media posting policy by letting scammers convincingly pose as someone your executive knows or an organization they trust.
“If you’ve got millions of dollars at stake, and you are doing corporate espionage and want to steal secrets or money, you don’t go after your target only, you go after everyone in your target’s network, too.”—Jayson Street, security consultant and CIO at Stratagem 1 Solutions
To reduce the risk of social media-enabled social engineering attacks, you need to go beyond simply setting a use policy. Instead, you need to actively monitor the publicly accessible portions of the profiles of each executive’s close connections. That way you can provide your executives with individualized reports that detail likely threat vectors caused by information that their friends and family have shared.
Anti-phishing software
Anti-phishing software screens incoming mail against allowlists and blocklists of senders and domains, and checks whether a message really came from the domain it claims (SPF, DKIM and DMARC), so that employees never see most social engineering attempts.
However, the most effective attacks combine phishing and malware to compromise a real email account. Criminals then send from a genuine address, backed by convincing personal detail, to fool their marks.
If an attacker can find enough personal details online to guess an executive's password, or to answer the recovery questions that reset it, they can take over that mailbox. Mail sent from it comes from an allowlisted domain and passes every authentication check, so it sails through your anti-phishing filters.
The attacker can then use this trusted account to social-engineer other members of your leadership team or the finance staff who act on their instructions. When the impersonated account belongs to the CEO, the scheme is known as CEO fraud; the broader category is business email compromise (BEC).
According to the FBI's Internet Crime Complaint Center, BEC cost American businesses more than $1.8 billion in 2020.
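The following added example (not code from the page or from any mail-security product) runs four constructed messages through the sender-based checks a gateway applies: blocklist, allowlist, and the DMARC result the gateway recorded in an Authentication-Results header. A spoofed message and a known lookalike domain are caught, but a wire request from a genuinely compromised executive mailbox is indistinguishable at this layer; only a content rule that routes payment instructions to out-of-band verification flags it. All domains, names and messages are made up.

```python
"""Why sender filtering alone does not catch business email compromise.

Added example; the gateway logic, domains, people and messages are all
constructed for illustration.
"""
import email
import email.utils
import re
from email import policy

ALLOWLIST = {"example-corp.com"}      # constructed: the company's own domain
BLOCKLIST = {"examp1e-corp.com"}      # constructed: a lookalike already reported

# Content rule: any payment instruction must be confirmed over a second channel.
PAYMENT_WORDS = re.compile(r"\b(wire|invoice|bank details|account number)\b", re.I)

# Constructed messages, as they would arrive after the gateway had stamped
# its Authentication-Results header.
LOOKALIKE = """\
From: "Pat Chen, CEO" <pat.chen@examp1e-corp.com>
To: cfo@example-corp.com
Subject: urgent
Authentication-Results: mx.example-corp.com; dmarc=pass header.from=examp1e-corp.com
Content-Type: text/plain

Please wire $48,000 to the account below today.
"""

SPOOFED = """\
From: "Pat Chen, CEO" <pat.chen@example-corp.com>
To: cfo@example-corp.com
Subject: urgent
Authentication-Results: mx.example-corp.com; spf=fail dkim=none dmarc=fail header.from=example-corp.com
Content-Type: text/plain

Please wire $48,000 to the account below today.
"""

COMPROMISED = """\
From: "Pat Chen, CEO" <pat.chen@example-corp.com>
To: cfo@example-corp.com
Subject: re: Q3 vendor
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass header.from=example-corp.com
Content-Type: text/plain

Following up on our call: please wire the deposit today, bank details attached.
"""

BENIGN = """\
From: "Pat Chen, CEO" <pat.chen@example-corp.com>
To: cfo@example-corp.com
Subject: lunch
Authentication-Results: mx.example-corp.com; spf=pass dkim=pass dmarc=pass header.from=example-corp.com
Content-Type: text/plain

Lunch on Thursday?
"""


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg) -> str:
    addr = email.utils.parseaddr(msg["From"])[1]
    return addr.rsplit("@", 1)[-1].lower()


def dmarc_passed(msg) -> bool:
    """True only if the gateway recorded dmarc=pass for this message."""
    return re.search(r"\bdmarc=pass\b", msg.get("Authentication-Results", "")) is not None


def sender_filter(raw: str) -> str:
    """Verdict of the sender-based layers: 'accepted' or 'blocked: <reason>'."""
    msg = parse(raw)
    domain = sender_domain(msg)
    if domain in BLOCKLIST:
        return "blocked: sender domain on blocklist"
    if domain in ALLOWLIST and not dmarc_passed(msg):
        return "blocked: claims our domain but fails DMARC (spoofed)"
    # Note what is NOT checked here: a lookalike domain that nobody has
    # reported yet, or a real mailbox in our own domain that has been taken
    # over, both reach this point as 'accepted'.
    return "accepted"


def classify(raw: str) -> str:
    """Full pipeline: sender filters, then the payment-instruction rule."""
    verdict = sender_filter(raw)
    if verdict != "accepted":
        return verdict
    body = parse(raw).get_body(preferencelist=("plain",)).get_content()
    if PAYMENT_WORDS.search(body):
        return "flagged: payment instructions require out-of-band verification"
    return "delivered"


if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED),
                      ("compromised", COMPROMISED), ("benign", BENIGN)]:
        print(f"{name:12} {sender_filter(raw):55} -> {classify(raw)}")
```

The compromised message passes SPF, DKIM and DMARC because it really was sent from the executive's mailbox; authentication proves which domain sent the mail, not who was at the keyboard. That is why payment changes and wire requests need a control that does not depend on the sender at all, such as a phone call to a number already on file.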
One victim of a BEC attack is the Toyota Boshoku Corporation, a Japanese auto parts supplier. In 2019, its European subsidiary lost about $37 million when attackers, writing from what appeared to be the legitimate email of a finance executive, persuaded an employee to send a transfer to a fraudster's account.
As you can see, there are no silver bullets that will completely protect your executives from social engineering attacks. However, you can reduce the odds of your executives (and your company) becoming victims by removing as much of your C-suite’s personal information as you can from the internet.
To learn more about protecting your executives, please give us a call. We are happy to offer free advice customized to your particular situation.
If you’re looking for ways to automate the process, we offer an ExecutivePrivacy service that finds, removes, and monitors your leadership team’s online information for you.