The top 3 cyberthreats for executives all involve personal information
- 1. Social engineering
- 2. Impersonation
- 3. Extortion
This post has been modified to reflect new information since its original publication.
Just like businesses research their target demographics, cybercriminals scour the web to identify and learn the best ways to attack high-value targets, like C-suite executives.
These executives are already targets for thieves and scammers because of their access to valuable business intelligence and corporate networks. However, because criminals will naturally choose the easiest marks, executives who have readily accessible personal data online are at even greater risk.
They are especially vulnerable to these three types of crimes.
1. Social engineering
Over 90% of cyberattacks begin with a phishing email that leverages the information criminals can find online about a person to trick him or her into doing something risky, like clicking on a link or downloading a file. The goal of these attacks is often to steal the individual’s credentials or to get him or her to download malware.
Phishing attacks targeting high-level executives are called whaling attacks. In these scenarios, hackers try to get individuals to reveal valuable business information like bank account data, credit card numbers, employee records, or customer lists. They also try to convince executives to make wire transfers.
According to research by MobileIron, 78% of IT managers believe C-suite employees are the ones most likely to be targeted for this kind of attack.
Some examples of social engineering attacks against executives include:
- Online retailer CEO—In 2018, someone knew enough about this individual to get him to open a WhatsApp group message. Unfortunately, that message contained a video file infected with malware that stole large amounts of data, including his photos and private communications, from his iPhone.
- CISO—A security company stress-testing the defenses of a client business found tweets by that company’s CISO describing his experience speaking at a conference. The security firm used this information to tailor a scam to steal the executive’s credentials. First, they created a phony LinkedIn profile for a cybersecurity conference. Then, they messaged the CISO through this fake profile, asking if he wanted to be a keynote speaker. He quickly agreed and exchanged several emails with the fake conference organizer. One of the messages included a link to a page designed to capture the executive’s email credentials and other personal information. It only took 12 minutes to compromise his email.
2. Impersonation
Having unsecured personal data online makes your executives vulnerable to hackers looking to impersonate them for financial gain. This is sometimes called CEO fraud.
One popular impersonation tactic is a business email compromise (BEC) attack. A type of phishing, BEC involves taking over a C-level executive’s email account. This isn’t hard to do if the executive’s credentials are for sale on the dark web or if he or she posts enough personal details on social media for hackers to guess his or her passwords.
Once a bad actor has access to the account, he or she can use it to ask lower-level employees to transfer funds into a certain bank account or send files containing employee W2 data. Because the email comes from the executive’s account and the hacker has researched the executive online, most people trust the authenticity of the message and promptly comply with these requests.
In 2020, business email compromise (BEC) attacks cost businesses more than $1.8 billion, with the real estate and financial sectors being especially hard hit. In fact, 76% of financial companies experienced a BEC attack in 2020.
Here’s one example of a successful BEC scam:
- Nonprofit executive—In late 2020, criminals hacked into this woman’s email account and used it to steal $650,000 from her organization. Posing as the executive, the scammers emailed an organization that was waiting for a loan, telling them to expect a delayed payment. The hackers then sent the woman several invoices purportedly from the organization, with instructions to wire the money to a new bank in another state. Because of the first email telling the organization about a delay, the executive didn’t find out the money was missing until much later.
However, impersonation doesn’t always involve emails. Here is one instance in which scammers used a phone call:
- CEO of a British energy company—Criminals used AI to impersonate, over the phone, the boss of a UK-based energy firm’s CEO. The fake voice on the call asked the CEO to transfer $243,000 within the hour to one of the company’s suppliers. Because the CEO recognized his superior’s slight German accent and manner of speaking, he sent the money as requested.
3. Extortion
As ransomware attacks have increased in recent years, so too has the number of extortion attempts aimed at senior executives. In some instances, ransomware gangs steal data from an executive’s computer to obtain sensitive (or sensational) data they can leverage to pressure the individual into approving payment of the ransom they are demanding to decrypt the company’s files.
In other instances, cybercriminals threaten to reveal (or sell to a competitor) a business’s intellectual property, client lists, deals in progress, or key financial records—or an executive’s potentially embarrassing emails—unless the executive sends them a large amount of bitcoin.
Criminals can also extort executives using data garnered from search engines, social media, and even routine background checks.
Here’s one example of executive extortion:
- Businessman—A man threatened to publish unflattering content about a Utah businessman unless he paid him $500,000. When the victim threatened to contact the police, the extortionist posted insinuations of sexual misbehavior by the executive on Instagram. The extortionist was eventually arrested during a sting operation.
As you can see from the examples above, C-level executives face a host of cyberthreats, especially if bad actors can easily find information about them on social media, blogs, articles, people-search sites, or other online sources. This is why it’s so important for companies to ensure their top executives follow the strictest data-protection protocols, including removing their personal information from the internet.
If you need assistance in locking down your executives’ privacy, we offer an ExecutivePrivacy solution that automates the process for your team. Please give us a call. We are happy to provide complimentary consultations regarding your unique situation.
To learn more about keeping your leadership team safe, see the following articles:
- 6 best practices for digital executive protection
- The unique executive threats from each of the top social media sites
- Real-world examples of executives being targeted due to online personal information
- Why online privacy is vital to executive protection