Executive phishing — the newest security threat sweeping the nation

In any enterprise, keeping your team abreast of the newest and most nefarious security threats is paramount to both operations and your bottom line. According to IBM's "Cost of a Data Breach Study", "the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148." To most businesses, that is a lot of money, money those businesses would most likely prefer to invest in new products, people, perks, etc. To that end, we wanted to let our clients (and prospective clients) know about one of the biggest and most insidious threats we are seeing today: executive phishing.

What is executive phishing?

Just as a quick refresher, phishing is "the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication." It is one of the more common types of cyberattack and has been the entry point for some of the largest data breaches in history, usually by giving an attacker or attacker group a foothold in a larger system that they then ransack.

Executive phishing is a particularly devious version of a phishing attack in which the attacker researches you or your organization, finds out who one of your managers or executives is, poses as that person in an email to you, and then makes the request they are after. The impersonation usually rests on the display name: the 'from' line shows the boss's name, while the underlying address is a free webmail account or a lookalike domain that differs from yours by a character or two.

If you are anything like most employees, when you see your boss's name in the 'from' line of an email, your immediate reaction is to try to satisfy the request, not to inspect the email address to ensure it matches their actual work email address.

This is exactly the reaction this type of attack counts on.

Our experience with executive phishing

As a managed IT services provider, we routinely perform tests on our clients' behalf, both to test them for vulnerabilities and to arm them against future attacks from real threat actors. Knowing that executive phishing represented such a novel (and dangerous) mode of attack, we ran simulations on our own client base to see how prepared they were for the attacks.

We tested over 1,000 users in our client base, and more than 90% of them (over 900 users) fell for the phishing scam.

What's more, executives were more likely to fall for it than managers or team members (we sent emails from lateral positions to executives, and posed as executives when sending emails to their direct or indirect reports).

That is a staggeringly high success rate for the attacker, and a staggeringly bad result for cybersecurity. But we can only get better and arm the front line of cyber defence (people) through knowledge and training.

So, be on the lookout for executive phishing scams coming your way. Take a breath before you respond or act on an email from your boss or a colleague, and make sure the 'from' email address is the actual address associated with that name, not just a familiar display name. Be especially wary when the message is urgent, asks for gift cards, a wire transfer or a change of payroll or bank details, or asks you to keep the matter quiet; in those cases, confirm the request with the person by phone or in person, using a number you already have rather than one given in the email.
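The display-name trick described above, and the 'from' address check this article recommends, can be automated on the mail server or in a mail filter. The following is an added example written for this article, not the provider's own tooling. It assumes a corporate domain of example.com and a small executive directory (both constructed), parses a few constructed messages with Python's standard `email` library, and flags the common indicators: an executive's display name on a non-corporate address, a sender domain that is a lookalike of the corporate domain, a Reply-To that redirects replies elsewhere, and a message that claims the corporate domain but failed SPF/DMARC checks.

```python
"""Flag likely executive-impersonation emails.

Example code added to this article (not the provider's tooling).
Assumptions: CORP_DOMAIN, EXECUTIVES and every message in SAMPLES are
constructed for illustration; in production the directory would come from
AD/Google Workspace and messages from the mail flow.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumption: the organisation's real domain

# Assumption: people attackers are likely to impersonate, with their real
# addresses. Keys are normalised (lower case, single spaces).
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}


def _domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain):
    """True for domains that closely resemble CORP_DOMAIN but are not it
    (examp1e.com, exarnple.com, example.co); a common BEC trick."""
    if not domain or domain == CORP_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.8


def analyze(raw):
    """Return the list of indicators found in one raw RFC 5322 message.
    An empty list means nothing suspicious was detected."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name = " ".join(name.split()).lower()
    addr = addr.lower()
    reasons = []

    # 1. Display name is an executive's, but the address is not theirs.
    known = EXECUTIVES.get(name)
    if known and addr != known:
        reasons.append(f"display name '{name}' but sender address is {addr}")

    # 2. Sender domain imitates the corporate domain.
    if _lookalike(_domain(addr)):
        reasons.append(f"sender domain {_domain(addr)} looks like {CORP_DOMAIN}")

    # 3. Reply-To sends the conversation somewhere other than the From domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != _domain(addr):
        reasons.append(f"Reply-To {reply} is outside the From domain")

    # 4. From claims our own domain, yet the receiving MTA recorded an
    #    SPF or DMARC failure (header value written by the MTA, not the sender).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if _domain(addr) == CORP_DOMAIN and ("spf=fail" in auth or "dmarc=fail" in auth):
        reasons.append("From claims the corporate domain but SPF/DMARC failed")
    return reasons


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
        "Subject: Q3 numbers\n\nAttached as discussed.\n"
    ),
    "freemail_display_name": (
        "From: Jane Doe <jane.doe@freemail.example>\n"
        "Subject: Quick favour\n\nAre you at your desk? I need gift cards for a client today.\n"
    ),
    "lookalike_domain": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "Subject: Urgent wire\n\nPlease process the attached wire before 5pm.\n"
    ),
    "reply_to_and_spf": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Reply-To: jane.doe@freemail.example\n"
        "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
        "Subject: Confidential\n\nReply here only, do not call me.\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", analyze(raw) or "clean")
```

Indicators 1 to 3 rely only on headers the sender controls, so they catch the careless impersonator; indicator 4 depends on the receiving MTA having SPF/DKIM/DMARC checking switched on and recording the result, which is what makes spoofing your own domain outright much harder than registering a lookalike.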