This post has been modified to reflect new information since its original publication.
Cybercriminals can easily find your executives’ personal information online, and they use it both to physically threaten executives and their families and to break into corporate IT systems. As such, you should make safeguarding your leadership team’s digital privacy an integral part of your executive protection plan.
Keep reading to learn how data gets exposed online, what threats exist, and what you can do to protect your team.
How data gets exposed online
The details of people’s lives are worth a lot of money. In fact, gathering and selling this data is now a 200-billion-dollar industry, and unfortunately, this data can be misused in ways that threaten your executives.
Some of this information comes from people’s social media activity. Other items come from government or corporate records, news stories, personal devices, marketing databases, or charities or other organizations an individual works with.
On their own, each of these pieces of data is relatively worthless. However, when compiled by a data broker (also known as a “people-search company”) into a complete personal profile, they provide insights useful for attackers.
Some of the most common pieces of information that hackers can find about your executives include:
- Full name and those of family members
- Home address and previous addresses
- Phone numbers
- Financial information and work history
- Date of birth
These are just a few of the types of personal data that exist online. For a more comprehensive list, see our article “How to remove yourself from the top people-search sites.”
Physical security threats
Physical threats stemming from personal information have been an issue for years, but Coronavirus lockdown measures have exacerbated the situation, shifting many employees away from corporate offices and into their homes. Consequently, executives (and their families) are more vulnerable to physical attacks. After all, most home-based workers can’t rely on a badge system or a security guard like they could in an office setting.
“The private sector has pushed the threat into the home workplace … Most homeowners have very basic security in place. You’re lucky if you have staff that has an alarm system.”—Fred Burton, former counterterrorism agent with the US State Department.
This means that bad actors who want to assault, kidnap, or otherwise terrorize an executive (or a member of his or her family) only need to find the person’s address and the right opportunity to successfully carry out their plans.
To find someone’s address, all you have to do is enter the person’s name or other identifying information into the search field of a people-search site like Spokeo, Intelius, MyLife, or PeopleSmart. If you want to learn about the best time or place to ambush that person, all you need to do is monitor that person’s social media accounts to discover daily routines. Lots of people post about their favorite places—where they stop for coffee on the way to work, where they work out, their kids’ extracurricular activities, and so on. From their pictures and check-ins, it’s not hard to figure out when someone will be most vulnerable.
In 2019, for example, a man was able to identify which train station a Japanese pop star frequented by seeing the station reflected in her eyes in a selfie she posted to Instagram. All he had to do was zoom in on her eyes and use Google Street View to find out where she was when she took the picture. From there, he simply waited at the station until she showed up and then followed her home, where he assaulted her.
Another frightening example is that of a Stage 4 cancer patient who planned to kill three doctors he thought had treated him badly. After tracking down their home addresses, the man drove toward their homes with loaded guns in the car, though thankfully he was apprehended by police before he did any harm. He was charged with attempted murder.
Adding to the danger, the COVID-19 pandemic has caused many businesses to reduce their staff, cut wages, or close altogether. This economic disaster has led to a rise in disgruntled ex-employees directing their anger at their former employers and coworkers. In fact, a recent survey showed 69% of security and compliance executives reporting a significant, year-over-year increase in physical threat activity against their companies.
When you combine the new physical vulnerability of executives with the rising number of people who might want to do them harm, you have a recipe for disaster—unless you are actively taking steps to shield your executives’ personal data from exposure.
Another related threat that stems from a lack of online privacy, often using the same sources of information, is cybercrime. Executives make especially good targets for cybercrime because of their access to sensitive information, including confidential emails, customer databases, pending deals, and other materials that hackers can use for financial gain. As a result, executives are now the linchpin in many cyberattacks, on top of facing the more traditional risks of assault or kidnapping.
- 88% of businesses had their executives targeted by cybercriminals in 2019.
- 65% of all cyberattack groups target specific email addresses as their main way of infiltrating companies.
The two main tactics cybercriminals use to target executives are spear phishing and impersonation.
In a spear-phishing scam, an attacker conducts online research about a powerful, highly placed individual and uses this data to craft a tailor-made email and/or telephone campaign designed to trick that person into revealing sensitive information. When successful, this type of phishing scam gives attackers access to a company’s computer system, allowing them to embezzle funds, steal information, or conduct blackmail.
Security consultant Chris Hadnagy describes just how easy it is to gain access in this way. In a proof-of-concept attack commissioned by one of his clients, he was able to quickly gain access to the client’s computer system using publicly available information online. He collected the following details about the CEO:
- His wife had survived cancer
- He was involved in cancer research fundraising
- His favorite sports team
- His favorite restaurant
Hadnagy then called the CEO, pretending to be a fundraiser and asking for support for a fake cancer drive, with prizes that included a free meal at his favorite restaurant and tickets to see his favorite sports team. The CEO was enthusiastic to get involved. Hadnagy asked him to look for an email with fundraising details in a PDF. Once the CEO opened the PDF, his computer was infected with malware that gave Hadnagy remote control.
The most pernicious aspect of a phishing attack is that it only takes one successful attempt. Hackers can try and try with as many approaches as they can think of until one of them works. And when it does work, the results can be catastrophic. Unfortunately, phishing attacks have increased by 350% since the start of COVID-19.
Another increasingly common executive targeting technique is impersonation, otherwise called a whaling attack. In this scenario, the attacker impersonates the CEO or other high-ranking executive (the whale) and then tricks another executive into wiring funds or disclosing information that he or she normally wouldn’t. The FBI estimates that these types of scams cost businesses in excess of $200 million annually.
In 2014, the commodities trading company Scoular Co. lost $17.2 million when its controller received fake emails from what appeared to be the company’s CEO, asking the executive to wire the funds to a Chinese bank. The attackers knew the company was considering a Chinese acquisition. They also knew that Scoular used the accounting firm KPMG.
In their email to the controller, they asked him to wire money for a Chinese acquisition via the accounting firm, and to refrain from discussing the transaction through other channels due to SEC regulations. The contact at KPMG was a real employee, but the email address and phone number were fake, set up by hackers with email addresses created in Germany, France, and Israel via Russian computer servers.
When the controller called the scam number, someone answered with the correct name and was familiar with the transaction. The controller wired the funds as instructed and only later discovered the fraud. The authorities never caught the attackers or recovered any of the funds.
According to FBI interviews with the Scoular Co. controller, he “was not suspicious of the three wire transfer requests” because there were elements of truth in every part of the scam.
Tips to safeguard your executives’ online privacy
As in any element of executive protection, thorough preparation is the most important activity in securing your team’s online privacy.
“Personal information is like money. Value it. Protect it.”—National Cyber Security Alliance (NCSA)
Yet digital privacy protection is not about the absolute obliteration of all data—a nigh-impossible task. Rather, it’s about making your executive an unappealing target by suppressing the vast majority of personally identifiable materials. Online scammers are constantly vetting large numbers of prospective marks. If the amount of content out there is too thin, then an attack on your executive will look like too much effort and they’ll aim for someone else.
To keep your executives’ private data safe, the first thing most people suggest is to lock down devices, and that’s certainly an important step, but it does nothing to protect against information that is accessible through third-party online sources. You’ll also need to incorporate the following additional steps into your executive protection routine.
Opt out of people-search sites
The vast majority of online people-search sites have an opt-out process that allows you to remove personal information from their databases. They often make the process complicated and opaque, but you should definitely conduct as many opt-outs as you can. See our article “How to remove yourself from the top people-search sites” for step-by-step instructions.
Here are some key tips to keep in mind as you remove your data:
- Search for name variations: These sites often create separate records for all variations on a name. For example, you would need to search for both “John Smith” and “J. Smith.”
- Monitor monthly: People-search sites will automatically create new records if they find any variations of your executives’ personal data. Therefore, you need to audit your removals monthly and resubmit removal requests as necessary.
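The two tips above can be tracked with a small audit script. This is an added example, not part of the original article or of any service it mentions; the function names, the 30-day reading of "monthly", and the sample audit log are assumptions constructed for illustration.

```python
from datetime import date, timedelta

AUDIT_INTERVAL = timedelta(days=30)  # assumption: "monthly" treated as 30 days


def name_variants(first, last, middle=None):
    """Spellings a people-search site may hold as separate records."""
    variants = [f"{first} {last}", f"{first[0]}. {last}"]
    if middle:
        variants += [f"{first} {middle} {last}", f"{first} {middle[0]}. {last}"]
    return variants


def audit_plan(first, last, sites, audits, today, middle=None):
    """Sort every (site, variant) pair into the action it needs.

    audits maps (site, variant) -> (date of last audit, listing found then?).
    """
    plan = {"never_searched": [], "resubmit": [], "overdue": [], "ok": []}
    for site in sites:
        for variant in name_variants(first, last, middle):
            record = audits.get((site, variant))
            if record is None:
                status = "never_searched"  # this variant was never opted out
            elif record[1]:
                status = "resubmit"        # the site recreated the record
            elif today - record[0] > AUDIT_INTERVAL:
                status = "overdue"         # clean last time, but check is stale
            else:
                status = "ok"
            plan[status].append((site, variant))
    return plan


# Constructed sample audit log for a fictional executive
SITES = ["Spokeo", "Intelius"]
AUDITS = {
    ("Spokeo", "John Smith"): (date(2024, 1, 5), False),
    ("Spokeo", "J. Smith"): (date(2024, 2, 20), True),
    ("Intelius", "John Smith"): (date(2024, 2, 25), False),
}

if __name__ == "__main__":
    plan = audit_plan("John", "Smith", SITES, AUDITS, today=date(2024, 3, 1))
    for status, pairs in plan.items():
        for site, variant in pairs:
            print(f"{status:15} {site:10} {variant}")
```
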
There’s no denying that opting out of these sites is a lot of work. If you are looking to outsource the effort, consider our ExecutivePrivacy service, which completes the entire process for you, including regular monitoring and repeating opt-outs when needed.
Research data sources
You should also conduct regular web searches for other sources of personally identifiable information (our ExecutivePrivacy reports will make this job easier), then take action according to the type of site:
- Sites you control: Make sure the company website, the executive’s personal site, and other company assets like a LinkedIn or Medium blog do not give away too much information about your executive. Things like his or her interests, future plans, or extracurricular ventures can all be used in an attack. Of course, you shouldn’t try to scrub everything—these items have value for marketing purposes and other company activities. However, you should work with other stakeholders to find a safe balance between disclosure and protection.
- Accessible third-party sites: If the executive is a member of any nonprofit organizations or industry groups, ask them to remove or minimize the presence of his or her personal information on their websites.
- Social media: Audit the social media presence of the executive and his/her family across all major networks (Twitter, Facebook, LinkedIn, Instagram, Pinterest, etc.). If you find any unsecured profiles, then you should lock them down so that personal information is not available to the public.
- Sites you can’t change: News media, government organizations, and other third parties may not be receptive to requests to have information about your executive removed from their sites. In these cases, your best bet is education. Compile a list of threats based on the information available on these sites and discuss it in your briefings with the executive and other security staff.
It’s shockingly easy for a malicious individual to leverage your executives’ personal data to harm them, their loved ones, and your company. And as we’ve seen with the examples above, from barely thwarted murders to successful and costly cyberattacks, online personal information is often the key that transforms a nefarious plan into reality.
The reasons why digital privacy is crucial to executive protection keep growing daily. Do you have a plan in place? If you need help getting started, give us a call. One of our privacy experts would be happy to talk through your digital privacy needs and guide you in the right direction.