Spear Phishing at a Higher Level: How to Spot Dangerous Scams
It's easy to think that key managers are immune to phishing and social engineering attacks because they hold leadership positions in their companies. But cybercriminals understand that no matter the role, managers and other higher-ups are human—and can therefore be manipulated.
When they are, the consequences can be significant, and not in a good way. According to estimates, targeted email scams cost companies up to two billion dollars annually. In this blog post, we'll reveal three popular ways scammers target leaders in your company.
Scam One: Professional Profile
An appeal to one's ego
Did you ever notice how some managers and executives seem to be making news on the business pages more than others? Their achievements and accolades are well chronicled online and on professional networking sites, like LinkedIn and Twitter. Simply googling the name of one of these individuals can paint a clear picture of who they are and what they've accomplished.
In the professional profile scam, cybercriminals use this freely available information, also known as 'open source information,' to craft a fake but convincing email from a legitimate entity. It's always an appeal to ego and usually reads something like:
"We'd like to feature you on our business news segment to discuss your keys to success," or
"You've been nominated for a profile in our magazine as executive of the year candidate."
These emails contain specific details from the scammer's research and are typically customized to look like they came from local or national news entities. And they always include a link for more information that, when clicked, can spell disaster.
The executive profile scam works because it preoccupies the target with the heady idea of celebrity attention instead of the risks of clicking a link.
Scam Two: Remember We Met?
An appeal to make a connection
Some executives advance in their careers by networking often and meeting many people. The 'remember we met' scam seeks to exploit this, banking on the likely fact that the target can't recall every person they have met.
Using open-source information available online and on social and professional networking sites, scammers will research an event or conference the target recently attended.
They'll also look online for personal information about the target, including family details, that can help them in their scam. Then they'll craft an email that might read something like:
"It was nice meeting you at last week's mixer and learning your son plays golf. If he's looking for some help with his game, my golf pro friend runs a clinic you can check out here."
By including a personal detail, the scammer preoccupies the recipient so that cybersecurity is the last thing they are thinking about. Of course, any link in the email is a cyberattack waiting to happen.
Scam Three: From the Top
An appeal to authority
Sometimes scammers will use an executive's clout to leverage a cyberattack. In these cases, they create an email that looks like it came from someone high up in the organization. Then they'll email it to a staffer in the hope that they will respond.
The email may include a request to wire funds to an account immediately due to a mix-up or an urgent request to download something important.
In a different approach that adds authenticity, the email may request speedy payment to cover travel costs for a colleague who joined them on a business pitch. A picture of the executive and the colleague pulled from the internet may also be included for reference.
These scams almost always happen when the leader is out of town, a fact the criminals checked out beforehand. This makes the email request extremely difficult to verify.
Staffers who fall for the scam end up wiring money to the thief's account or downloading malware that allows them to spy on the company or hold it hostage with ransomware.
While there are variations on each scam, they all have one truth in common. They work because human nature allows them to. Knowing more about them, however, can prevent them from succeeding and keep your business from becoming a spear phishing statistic.