By Miguel Angulo, Channel Engineer and Evangelist, Check Point Software.
The C-suite is the most important and influential group of individuals within a company. Executive positions come with a lot of power and authority, and executives often have access to sensitive information, and therefore, are a very attractive target for cyber criminals. In order to protect C-Suite executives from becoming victims of cyber crime, it is important they are aware of tactics and techniques that cyber criminals use in phishing campaigns.
To celebrate Cyber Security Awareness Month, I would like to provide as much insight as possible regarding what C-Suite leaders should know to recognize and report phishing.
What is phishing? Phishing is a type of attack where cyber criminals use fraudulent emails to trick victims into disclosing sensitive information, such as login credentials or financial information. Attackers will often pose as a legitimate company or individual in order to gain the trust of victims. The most common phishing types that C-Suite executives should be aware of are:
Spear Phishing: This is a fraudulent email targeted at a specific person or group of people, for example executives or members of the board of directors. The email comes from a source that appears to be legitimate and trustworthy, such as a well-known company or individual, and generally contains personal information about the recipient, which is used to gain their trust.
Whaling: This is another type of phishing attack targeting high-profile employees, such as CEOs, CFOs and other top executives. These types of attacks are usually more sophisticated than spear phishing, as they often contain fake website URLs or emails that appear to be from legitimate companies. Whaling can have a significant financial impact on the victim and their company.
CEO Fraud: Also known as Business Email Compromise (BEC), the attacker poses as the CEO of the company in order to trick employees into transferring money or sharing sensitive information. This type of scam is particularly dangerous as it can be difficult for victims to spot due to the high level of sophistication.
SMiShing: With this phishing technique, the cyber criminal sends an SMS message to the victim, impersonating a legitimate company or service. The message will generally contain a link to a fraudulent website or app. This type of phishing is often used to steal login credentials or financial information.
Vishing: This is similar to SMiShing, but instead of sending a fraudulent SMS message to the victim, the attacker uses voice calls. The caller will generally spoof the caller ID to make it appear as though they are calling from a legitimate company. They will then attempt to trick the victim into disclosing sensitive information, such as login credentials or financial details.
Just as it is important to be aware of the types of phishing schemes that cyber criminals use against people, it is also very important to understand why people fall for them. Cyber criminals are masters of persuasion. Through social engineering tactics (that is, lies and deception), they tap into people’s subconscious biases to manipulate their emotions. By doing this, they gain the victim’s trust and get them to take an action, such as clicking on a malicious link or downloading a malicious file.
The most common unconscious biases cyber criminals exploit are:
Halo Effect: A positive overall impression of a person, brand, or product that colors judgment of everything associated with it. The cyber criminal sends a phishing email to the C-Suite executive, pretending to be from a trusted conference group, with an invitation to speak at an upcoming event.
Hyperbolic Discounting: The inclination to choose a reward that gives immediate results rather than a long-term equivalent. The cyber criminals exploit people’s desire for immediate reward and personal gratification.
Curiosity Effect: The desire to resolve uncertainty. The C-Suite executive receives an email about exclusive access to an event, with a link provided for more information. The link may lead to a bogus website belonging to the hacker, or it may point directly to a malicious document that the executive is told to download.
Recency Effect: The tendency to remember recent events and let them influence behavior. Phishing attacks increased 220% during the COVID-19 pandemic, when people had a hard time discerning legitimate COVID-19 communications from fraudulent ones.
Authority Bias: This refers to people’s willingness to defer to the opinions of an authority figure. The cyber criminal sends a phishing email impersonating a senior manager or C-Suite executive, asking the recipient to open a malicious document or to follow a URL link to initiate transfer of funds to the hacker’s bank account.
To recognize phishing emails, pay attention to the following signs:
Urgency: Cyber criminals send phishing emails with a high level of urgency in order to get victims to take action without thinking. For example, the subject line of the email may read “Change of Password Required Immediately” or “All Employees: Update your Healthcare Info.”
FOMO: Using the Fear Of Missing Out to get victims to take action, cyber criminals send phishing emails with promotions that are “too good to be true.”
Authority: Exploiting the victim’s trust in authority figures, the cyber criminal sends a phishing email posing as the CFO of the company, authorizing the payment of a fake invoice.
Language & Grammar: Cyber criminals can come from anywhere. When they are not native English speakers, the greetings are often very generic or ambiguous, and the body of the email may be poorly written and contain grammatical errors.
URL links & Downloads: Cyber criminals will always provide malicious URL links and attachments that they want you to open.
Sender’s Email: The sender’s email does not match the company that they claim to represent.
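The signs above can also be turned into a simple automated triage check that a security team runs over reported messages before a human looks at them. The following is an added example written for this page, not code from the article or from Check Point: it parses a raw email and reports which of the listed red flags it trips (urgency and authority wording, a generic greeting, a display name or Reply-To that does not match the real sender domain, link text that points somewhere other than its href, and attachments). Both sample messages and every domain in them are constructed for illustration, and the keyword tuples are illustrative assumptions rather than a tested phishing vocabulary.

```python
"""Heuristic phishing red-flag scorer (added example, not from the article).
Sample messages and domains below are constructed; keyword lists are assumptions."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "urgent", "action required", "within 24 hours", "will be suspended")
FOMO = ("exclusive", "limited time", "you have been selected", "claim your")
AUTHORITY = ("wire transfer", "approve this payment", "invoice", "from the cfo", "the ceo has")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear sir", "dear madam")
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")


def _domain(addr):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def red_flags(raw):
    """Return the sorted list of red-flag names triggered by a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)

    # Sender's Email: the display name shows one address or domain while the real
    # address uses another, e.g. "Jane <cfo@acme.example>" <jane@mail-acme.example>.
    claimed = re.findall(r"[\w.-]+@([\w.-]+)|\b([\w-]+\.(?:com|net|org|example))\b", name.lower())
    claimed_doms = {a or b for a, b in claimed}
    if claimed_doms and from_dom not in claimed_doms:
        flags.append("display-name-domain-mismatch")
    # A Reply-To on a different domain steers replies away from the apparent sender.
    _, reply = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        flags.append("reply-to-mismatch")

    # Urgency, FOMO, Authority and generic greetings: keyword matching on subject + body.
    subject = str(msg.get("Subject", "")).lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = subject + " " + re.sub(r"<[^>]+>", " ", body).lower()
    for label, words in (("urgency", URGENCY), ("fomo", FOMO), ("authority", AUTHORITY)):
        if any(w in text for w in words):
            flags.append(label)
    if any(g in text for g in GENERIC_GREETINGS):
        flags.append("generic-greeting")

    # URL links: the visible text names one host while the href goes to another,
    # or the link leaves the sender's domain altogether.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            href_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if href_host and DOMAIN_RE.fullmatch(shown_host) and shown_host != href_host:
                flags.append("link-text-mismatch")
            if href_host and from_dom and not href_host.endswith(from_dom):
                flags.append("external-link")
    # Downloads: any attachment deserves a second look before it is opened.
    if any(part.is_attachment() for part in msg.walk()):
        flags.append("attachment")
    return sorted(set(flags))


# Constructed sample: a BEC-style message dressed up as coming from the CFO.
PHISH = """\
From: "Jane Doe <cfo@acme.example>" <jane.doe@mail-acme.example>
Reply-To: payments@acme-finance.example
Subject: Action required: approve this payment immediately
Content-Type: text/html

<p>Dear valued colleague,</p>
<p>Please <a href="http://login.acme-secure.example/x">https://acme.example/portal</a>
and approve this payment immediately.</p>
"""

# Constructed sample: an ordinary internal note with none of the signs.
LEGIT = """\
From: Bob Smith <bob.smith@acme.example>
Subject: Slides from Tuesday
Content-Type: text/plain

Hi Jane, here are the notes we discussed. See you Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, red_flags(raw))
```

Running the script prints the flag list for each constructed message; the BEC sample trips the sender, Reply-To, link, urgency, authority and greeting checks, while the internal note trips none. Keyword matching of this kind is only a first filter: it is meant to prioritise what a human verifies with the IT or security team, not to replace that verification, and the display-name check in particular needs tuning for real mail streams.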
It is important to be aware of these social engineering tactics. If you receive an email that contains any of the red flags mentioned above, do not hesitate to contact your IT department or security team to verify its legitimacy. You can also report phishing directly from your email client, such as Outlook, Gmail, Yahoo Mail or Mac Mail, and to CISA.
In order to avoid cyber attacks, proceed with the following:
- Participate in security awareness programs regularly.
- Use a strong password on all of your corporate applications, social media, email, and internet accounts.
- Use unique passwords on all corporate applications, social media, email, and internet accounts.
- Enable multi-factor authentication (MFA) on all of your corporate applications, social media, email, and internet accounts.
- Avoid public WiFi.
- Keep the anti-virus software and operating system updated on all of your devices.
Finally, Think Before You Click! Building a culture of cyber security will help your business be more competitive. Customers and clients expect your organization to safely handle and store the information that you collect from them. By following guidelines and best practices, and using Gen V security controls, you can prevent and contain zero-day and unknown attacks. If your business has a strong cyber security culture with a solid cyber security framework, your brand will grow in value and enhance its reputation.
For more premium CyberTalk.org phishing insights, please see this recent article. Lastly, to receive cutting-edge cyber security news, reports, best practices and analyses in your inbox each week, please sign up for the CyberTalk.org newsletter.