March 11, 2022
Security
5 min read

Executive Phishing: Tips To Defend Your Company

Executive phishing, also known as whaling (or CEO fraud), is a targeted cyber attack on an enterprise's high-level executives, conducted to steal sensitive company information.

Povilas M.
Security Expert
We at Kraden believe that every executive must learn to recognize a potential phishing attack and how to defend against it. The numbers back that up: the FBI’s Internet Crime Report shows that cybercrime inflicts close to $3 billion in damages each year. And the stress caused? That’s immeasurable. Phishing is one of the most common types of cybercrime, and executives are the main target for spear-phishing. In this article, we want to address this issue and help businesses understand how they can better defend themselves and their execs!

What is executive phishing?

Executive phishing, also called whaling (and sometimes spear-phishing), is a targeted, personalized cyber attack that abuses the executive’s interactions with other members of the organization or with service providers. There are many ways to start and carry out such an attack, but usually the attackers are after sensitive company information (e.g. payroll data, bank account logins, upcoming deals) or money. They obtain the latter either by gaining access to bank accounts or financial holdings through the executive, or by ransom. Either way, criminals get it through deceit and social engineering, with a little malware knowledge as well.
Phishing attacks belong to the broader family of scams known as social engineering, mentioned above. It is one of the techniques cybercriminals use most because it is cheap, simple to set up, and very effective: it targets the weakest link in the security architecture, the user. To give you an idea of how executive phishing can be conducted, consider this example:
The executive receives an email, apparently from the finance department, about his latest paycheck or bonus. The email contains a link that directs him to enter his username and password on a fake website made to look like the official site of the bank or the company’s payroll provider. The executive thinks he is using the official website, but he is actually entering his login details into a fake one.
Boom, now the hacker has the high-ranking user’s credentials and can access data.

How to spot and prevent executive phishing?

Here is a list that sums up some effective tactics and decisions that can help avoid, stop and/or prevent an executive phishing attack.
  • Teach your executive employees about the risk of spear-phishing.
  • Implement strict and very clear policies and rules about data exchange and protection.
  • Where possible, implement MFA or 2FA protection on processes and access.
  • Issue a dedicated memo about how careless social media use can lead to phishing.
  • Deliberately add a visible flag to all emails coming from outside the company.
  • Run monthly security awareness sessions or use 3rd party software like KnowBe4.
So, executive phishing is a dangerous and common type of cybercrime, but if you arm yourself with knowledge and take the right precautions, your executive team can help prevent executive phishing or at least minimize the losses if attacks do occur.
Spotting phishing attacks is quite difficult, especially at the executive level. That’s largely because execs get a ton of emails and are very busy, making their attention easy to exploit. However, implementing policies and training can help reduce these risks. If you’d like to learn more about executive phishing or want to protect your executive employees from it, you can hire a consultant or a consulting firm to help you set this up.
Phishing emails usually come from outside the company, and companies should be aware of email spoofing. But executive phishing emails may come from inside or outside, which makes defending against this type of cybercrime very difficult. That’s why executive training is necessary to avoid executive phishing.
If one of your employees or execs finds out that they have been targeted by a phishing scam, they should always refer to the company’s IT staff for assistance. In addition, if an external party is being impersonated, you can reach out to that party (bank, service provider, etc.) to inform them and get their support. The cyber police departments are also worth informing if the attack is really threatening the security of your company and the integrity of your reputation.
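The payroll lure described earlier and two of the list items above (flagging external mail, and being aware of spoofing) can be put into working code. The following is an added example, not Kraden's code or any product's: a small Python filter, using only the standard library, that parses an incoming message, prepends an "[EXTERNAL]" tag to the subject when the visible From: domain is not the company's, reports an SPF or DKIM failure recorded by the receiving mail server, and lists links that point to hosts outside the company domain. The company domain example.com, the Authentication-Results header format and the three sample messages are all constructed assumptions for the example.

```python
"""Added example (not Kraden's code): tag external mail and flag suspicious
links before a message reaches an executive's inbox.

Assumptions (constructed for this example): the protected organisation is
example.com, and the receiving mail server writes an Authentication-Results
header carrying its SPF/DKIM verdicts.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"   # assumption: the protected organisation
EXTERNAL_TAG = "[EXTERNAL]"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def in_company(host: str, company_domain: str) -> bool:
    """True for the company domain itself or any subdomain of it."""
    host = host.lower()
    return host == company_domain or host.endswith("." + company_domain)


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the header From: address, i.e. what the reader sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_failed(msg: EmailMessage) -> bool:
    """True if the receiving server recorded an SPF or DKIM failure."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=fail" in results or "dkim=fail" in results


def suspicious_links(msg: EmailMessage, company_domain: str) -> list[str]:
    """URLs in the body whose host is outside the company domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    return [url for url in URL_RE.findall(text)
            if not in_company(urlparse(url).hostname or "", company_domain)]


def classify(raw: str, company_domain: str = COMPANY_DOMAIN) -> tuple[str, list[str]]:
    """Return (possibly re-tagged subject, list of findings) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    if not in_company(sender_domain(msg), company_domain):
        findings.append("external sender: " + sender_domain(msg))
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]                      # replace, do not duplicate
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}"
    if auth_failed(msg):
        findings.append("SPF/DKIM failure recorded by the mail server")
    for url in suspicious_links(msg, company_domain):
        findings.append("link to non-company host: " + url)
    return str(msg.get("Subject", "")), findings


# Constructed sample messages (not real mail).
LURE = """\
From: Payroll <payroll@example-payroll.net>
To: ceo@example.com
Subject: Your Q1 bonus statement
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-payroll.net; dkim=none
Content-Type: text/plain; charset=utf-8

Please review your bonus statement at https://portal.example-payroll.net/login
"""

SPOOF = """\
From: CFO <cfo@example.com>
To: ceo@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none
Content-Type: text/plain; charset=utf-8

Call me about the transfer before noon.
"""

LEGIT = """\
From: IT <it@example.com>
To: ceo@example.com
Subject: Maintenance window
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset=utf-8

Patch notes: https://intranet.example.com/notes
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("spoof", SPOOF), ("legit", LEGIT)):
        subject, findings = classify(raw)
        print(f"{name}: subject={subject!r} findings={findings}")
```

The external tag and the SPF/DKIM check are complementary: the lure is caught by its sender domain and its link, while the spoof keeps a company From: address and is only caught because the mail server recorded the SPF failure, which is why the text above stresses spoofing awareness alongside external-mail flagging.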

Can private end-to-end encrypted communication reduce the risk of spear-phishing?

End-to-end encrypted communication is a great way to boost intra-company data security.
Although it doesn’t make executive phishing impossible, it can reduce the risk of executive spear-phishing by making messages more resistant to man-in-the-middle (MITM) attacks and spoofing.
(Figure: A simple example of how MITM attacks work.)
Multimedia messaging (MMS) attachments are very popular with hackers because they can be used to carry malware that gives access to executive devices and data. Private end-to-end encrypted communication creates a secure environment, which makes it much harder for hackers to get at executive credentials and sensitive information.
Kraden is a cutting-edge solution for both private users and corporate representatives that provides a secure environment for communication: text, voice, image and video file exchange. Using Kraden should help create an environment that is much less prone to phishing in general.

Conclusion

Executive phishing is a very common type of cyberattack, but there are steps that can help organizations avoid it or minimize the damage it causes.
Companies should always have executive training to reduce executive phishing risk, because these attacks don’t exploit systems, they exploit people and their lack of awareness in these kinds of situations.
End-to-end encrypted communication, like what we do with Kraden, is a great way to boost the privacy of communications and to avoid external security threats such as executive phishing.
© 2022 Dragon Secure GmbH. Bahnhofstrasse 32, 6300, Zug, Switzerland
info@kraden.com