Hook, Line and Sinker: How Even the Big Boss Can Get Phished.


Email scammers are aiming for high returns and aren’t afraid to go for the big bucks or the big names. Even with advanced malware protection and security solutions, celebrities and C-level executives can get caught up in scams. Fortunately, there are several easy ways to guard against these attacks.

By Tim Pritchett

Barbara Corcoran, one of the celebrity judges on Shark Tank, almost fell for a spear phishing scam. Spear phishing is a targeted email scam directed at an individual based on their role and access to resources in an organization.

The scheme wasn’t that complex. Hackers in China created a fake email address that was so close to one in Corcoran’s company that no one noticed. Using that email, they requested a $400,000 transfer for a “construction project” and almost got it, until a few people realized there was something wrong with the email address.

Celebrities are one thing, but despite advanced security solutions this happens to C-level executives all the time, mainly because their names and profiles are public. I’ve seen bad actors try to scam school superintendents, CTOs, and even payroll processing employees. Many of these scams involve tricking the high-level employee into authorizing a monetary transaction or changing the direct deposit information on a bank account.

Better policies = better cybersecurity

While advanced malware protection, security software and other cybersecurity technology can help, consistent company security policies with executive buy-in are the most effective strategies.

For example, say the CFO of a company sets an automatic out-of-office (OOO) message to let clients and co-workers know they’re on vacation. The information revealed in these messages can raise your level of risk and even serve as an invitation for hackers to orchestrate an attack. If hackers learn the CFO is out of town, they could impersonate the CFO via email and ask company employees to change bank details or transfer funds, with a message like, “Since I’m out of town, do you think you could help me with this?”

A couple of security policies could help thwart this type of targeted phishing attack.

1. Consider different OOO messages for different audiences. Many email systems (Outlook and Gmail are examples) allow users to craft different messages for senders depending on whether the email is external or internal.
2. Designate someone in the company to handle the executive’s email account. A second pair of eyes should see what goes in and out, what requires action and what doesn’t.
3. Tighten policies around money. Those with access to payroll and other payment functions should know what to do when they are asked to make an atypical transaction, change passwords to bank accounts, or reveal direct deposit details. For example, a policy might specify that no one can change bank account information via an email message. That policy could easily thwart a spear phishing scheme.
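The Corcoran scam worked because the sender’s domain was almost, but not quite, the company’s own. A small check like the one below can give the “second pair of eyes” a head start by flagging near-miss sender domains before a human reads the request. This is an added example written for this post, not code from the author or from Matrix Integration; the trusted domain, the homoglyph table and the sample addresses are constructed placeholders.

```python
import re

# Constructed placeholder for the organization's real domain(s)
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps that look alike in many fonts; applied to both sides before comparing
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: address."""
    m = re.search(r"@([a-z0-9.-]+)", address.lower())
    if not m:
        return "invalid"
    domain = m.group(1).rstrip(".")
    if domain in trusted:
        return "internal"
    norm = normalize(domain)
    for t in trusted:
        tn = normalize(t)
        if t in domain or norm == tn:          # trusted name embedded, or homoglyph copy
            return "lookalike"
        if levenshtein(norm, tn) <= 1:         # one typo away (dropped or swapped letter)
            return "lookalike"
        if norm.rsplit(".", 1)[0] == tn.rsplit(".", 1)[0]:   # same name, different TLD
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for sample in ["cfo@example-corp.com", "CFO <cfo@exarnple-corp.com>",
                   "cfo@example-corp.co", "cfo@example-corp.com.evil.test"]:
        print(f"{sample:40} -> {classify_sender(sample)}")
```

A "lookalike" verdict is a prompt for a phone call to the supposed sender, not proof of fraud; legitimate subdomains such as mail.example-corp.com should be added to the trusted set before the check is put in front of real mail.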

Although we work as managed IT services providers, our job always brings us back to the human factor. Do companies understand the risk? Will they follow the policies put in place? We’ve found that when we work in a strategic partnership with a business, we can customize security checks and policies that keep people sane, that don’t slow down business practices, but that also allow them to be cautious in a world where cyberattacks are common.

If you’d like to see how your policies measure up, contact us for a free cybersecurity assessment. We’ll learn more about what you currently have in place and provide feedback based on our experience. We have security solutions for SMBs as well as for enterprise-level companies. Have your company executives been targeted by a phishing attack? What happened?


We are your technology partner.

Matrix Integration’s expertise and access to cutting-edge technology positions us to provide the right technology solutions for the critical challenges you face.