Often, the most vulnerable are the least likely to realize their vulnerability. And that puts them at even more risk.
In security, we often think of the weak link as the junior level employee who stupidly clicks on a booby-trapped link in an email or inserts a thumb drive found in the parking lot. Let’s call them the bottom 1%. Every organization has them. This group is incredibly hard to reach. They don’t learn from training. Many are repeat offenders. Phishing emails were designed to exploit them.
But what about the top 1%? I could say exactly the same thing about them. The executives. The “smart” ones. Phishing that targets the 1% now goes by the fashionable name, “whaling.” To criminals, catching a whale is a hell of lot more valuable than catching a guppy.
And let’s face it: sometimes, the stupidest employee in the company is an executive. This “top 1%” problem, the whaling problem, creates special challenges. This vulnerable group is often the last to know just how dangerous the open sea is.
I recently moderated a panel on security training; it was focused entirely on phishing, and why not? It’s a massive problem, getting worse. Attacks are becoming more refined all the time. So-called spear phishing is rampant. A study by Proofpoint found that social media-based phishing attacks jumped 500% at the end of 2016. GreatHorn’s 2017 Spear Phishing Report said that 91% of corporate phishing attacks display real names, and claimed cubicle workers are hit with “least one risky email per day.”
Phishing is so bad that a cottage industry has grown up around the concept of firms “phishing” their own employees via fire drill-like exercises, then using public (or HR) embarrassment to create a teachable moment for workers who click. These programs do work, if temporarily. But they don’t work if “special” people are exempt from the fire drills.
We all know that many CEOs won’t sit for their own “mandatory” training programs, and panelists said this was true for security training. I asked a question that was burning inside me.
“Would you phish the CEO?”
After some nervous laughter, the panelists said yes, but only if the firm had the right “culture,” and they’d never embarrass the executive in front of employees.
That’s too bad, because many of these executives – these top 1%rs – need the training the most. An executive who falls for phishing — rather, who falls for whaling — has the potential to create a whole world of pain.
The problem is real – so real the FBI actually issued a warning about it not long ago. The bureau said it had seen a 270 percent increase in one year from CEO scams. It said more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million—and “That doesn’t include victims outside the U.S. and unreported losses.”
“They know how to perpetuate the scam without raising suspicions,” FBI Special Agent Maxwell Marker, said back in 2015. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”
A whaled CEO account is powerful for a hacker because whatever the CEO can to, the hacker can do. Like ordering the assistant to wire money overseas for an emergency order. In an oft-cited example of what’s sometimes called business email compromise, The CEO of an Austrian aircraft parts manufacturer was fired after the company lost €40.9 million to a whaling attack.
Looking at his Pitchfork database of stolen cyber prints, Insedia’s Dan Clements sees examples of executives who’ve surrendered their credentials all the time. We’ve decided not to embarrass any of them here.
“We have seen some extremely high level people get phished. One was the head of a three letter intelligence agency,” he told me. “Another was a President of a major news organization and a third was a C-level executive at a major entertainment company. When we say ‘extremely’ high level, we aren’t kidding. Bagging the elephant does happen!”
But why? Few people get to the top of large organizations without understanding the value of privacy and security, let alone information advantage. But don’t forget: Human beings have moments of weakness all the time. Even security pros forget their paranoia once in a while. How else might someone explain Michael Flynn getting caught via a monitored phone calls to Russians? Or John Podesta coughing up passwords to a faux Google reset email?
You might find a more satisfying answer in a recent study published by H.R. Rao at the University of Texas at San Antonio. Along with all the other factors that make whaling work — look-alike emails, fake urgency, casual mention of the dog’s name — a phisher’s best tool is confidence. Over-confidence, actually.
“A big advantage for phishers is self efficacy,” Rao, a UTSA College of Business faculty member, said. “Many times, people think they know more than they actually do, and are smarter than someone trying to pull off a scam via an e-mail…In any of these situations, overconfidence is always a killer.”
Many people just don’t believe they could ever fall for a phish. And if the bottom 1% employee is over-confident, imagine how foolishly prideful executives can be. If you think you can’t fall for a phish, you are exactly the mark criminals hope to find. And if you are a person who can write big checks, that goes for you – perhaps 1 million times more.
Don’t think it can’t happen to you. That could be a whale of a mistake.
Follow this story: AlertMe
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Buy something from my NEW LIBRARY AND E-COMMERCE PAGE, click on an advertisement, or just share the story.