If Captain Ahab were a modern cybercriminal, his Moby Dick might well be an enterprise CEO. In a type of focused phishing attack called whaling, hackers target high-level end users through individually tailored campaigns designed to trick their marks into surrendering access, information or both.
“People who are at high levels in an organization are also those who, by the nature of their roles, are very publicly visible,” said Nicholas Davis, CISO for the University of Wisconsin System. That visibility, he added, makes them more vulnerable to personalized attacks, known as spear phishing.
Editor’s note: This is the second part of a two-part series exploring the importance of security awareness training. In part one, take a deep dive with phishing simulation tools, and learn how they can improve cybersecurity across the enterprise. Part one addressed the importance of security awareness training for employees.
High-value targets mean big bang for the buck
Linda McGlasson, information security awareness lead at e-discovery software company Relativity, added that executives’ broad and deep access to sensitive data and financial assets makes them high-value marks, a fact not lost on cybercriminals. According to Verizon’s 2019 Data Breach Investigations Report, whaling attacks are on the rise, with senior executives nine times more likely to be targets of social engineering attacks than they were in previous years. And, compared with other employees today, senior executives are 12 times more likely to be targets of cybercriminals.
“They do extensive background research on their targets through social media — LinkedIn, Facebook, Instagram, Twitter — anywhere they can get a foothold,” she said. “They want to learn people’s habits, what they like, what restaurants they eat at or even the wine they like to drink.”
A cybercriminal might then use this information to craft a convincing social engineering campaign — an enticing promotional email that appears to come from a CEO’s favorite steakhouse, for example. With just one quick click, an end user opens the door to a disastrous data breach.
“Cybercriminals use those hooks to build trust,” McGlasson said. “It’s happening because it works.”
She added, however, that targeted security awareness training for executives also works, by helping leaders recognize whaling attacks and react appropriately to potential threats.
Whaling attacks: Don’t take the bait
McGlasson recommended starting security awareness training for executives by communicating why they make attractive phishing targets, based on their visibility and the value of the data they can access.
“Some people think, ‘Why would they want my information?’” she said. “Well, your information is a lot more valuable than you think.”
Once senior end users understand the importance of their role in keeping company data secure, McGlasson said she works to instill in them a healthy sense of skepticism and doubt.
“We want them always questioning in the back of their minds, ‘Why did somebody send me this email? Is this somebody I know and have had personal, face-to-face interaction with?’” McGlasson said, adding that interactions over the phone should receive the same level of scrutiny as digital messages. The mere fact that a caller knows a senior end user’s extension does not mean they’re credible.
Finally, she suggested keeping security awareness training for executives as short and concise as possible.
“Their time is very limited, so it has to be a very focused, quick hit of information,” she said.
As part of its broader security awareness strategy, Relativity’s cybersecurity team uses a phishing simulation program that exposes all employees — from entry-level to C-level — to ongoing mock phishing campaigns. The team bases the simulation emails on recently intercepted, real-world examples, thus creating realistic training exercises that keep pace with the ever-evolving tactics of cybercriminals. The fail rate — the percentage of recipients who click on a suspicious email — also offers valuable insight into organizational risk levels and security training needs.
Each month, McGlasson’s team also runs more narrowly focused spear phishing or whaling campaigns that specifically target what she calls “high-value user groups” — executive leadership, as well as others with access to sensitive data, such as executive assistants and managers in finance and HR.
“We’re seeing good results,” she said.
Everyone is a target
Both McGlasson and Davis stressed, however, that everyone in an organization is at risk, from entry-level hires all the way up to the CEO.
“In some ways, executives might actually represent less of a threat than the average worker because they don’t have day-to-day operational access to the payroll systems that an accountant does or the travel reimbursement systems that a midlevel administrator might,” Davis said.
Ultimately, McGlasson said, everyone needs to learn to stay alert for messages that threaten or flatter or have a particular sense of urgency.
“You have to educate them in advance,” Davis agreed. “Everybody is vulnerable.”