Cybercriminals Cast for the Big Phish: CEOs

Scammers target executives in hopes of a big payout

By Aliah D. Wright, September 6, 2016

Last year, San Jose, Calif.-based tech company Ubiquiti reportedly suffered a $46.7 million loss after its CEO was the victim of a phishing scam.

Soon after, Omaha, Neb.-based The Scoular Co., a 121-year-old employee-owned commodities trader, lost $17.2 million in an international e-mail scam.

In both cases, executives were tricked into sending the money to criminals.

It's not the first time this has happened, and it won't be the last, experts say, but there are steps HR can take to mitigate the risks of spear phishing, a type of social engineering scam that, when it is aimed specifically at executives, is also called whale phishing.

Both are also known as CEO fraud or business e-mail compromise. They target those in charge—the so-called "big fish." Cyber thieves hope to trick executives ("whales") who have access to sensitive information or large amounts of cash into giving that information or funds away by making it seem as if the requests for funds or information come from a legitimate source.

"As reported [in the Krebs on Security blog], for example, these types of scams are way up in the past year and are estimated to cost companies more than $2.3 billion over the past year with the average [being] $25,000 to $50,000," said Paul Everton, founder of the Chicago-based e-mail security company MailControl, in an interview with SHRM Online.

"One example is scams where they trick accounting or HR professionals into sending W2s and then [file] fraudulent tax returns on behalf of the company's employees," he said. "In fact, just a few months ago the IRS issued an alert about this to HR and payroll professionals after dozens of companies, including Snapchat and Seagate Technology, were victimized in February and March 2016."

In addition to tricking executives, cyber thieves will also pose as these executives to get money or information from unsuspecting employees.

Here's how it works:

Hackers often spy on executives, hack into their e-mail or use other methods of surveillance to gather data on victims before an attack. Then they use official company logos and "spoof" (that is, fake) e-mail signatures to avoid detection.

In a targeted attack, according to The Perils of Phishing: How Cybercriminals are Targeting Your Weakest Link, a white paper published by IBM last year, "most phishing methods use a form of technical deception in order to make a link in an e-mail and the spoofed website to which it actually points, appear to belong to a trusted organization."

If the user hovers his or her cursor over the visible link in an e-mail, most web browsers or e-mail providers will reveal the real destination. Often people click on links they believe are genuine but that are in fact malicious.

"Spear phishing has been associated with most of the largest cyberattacks in recent history including the widely publicized attacks on JPMorgan Chase & Co., eBay, Target, Anthem, Sony and various departments within the U.S. government," according to San Francisco-based cybersecurity company Cloudmark.

Respondents to Cloudmark's 2016 study: The Impact of Spear Phishing: Enterprise Survey Findings—which polled 300 IT decision makers in the U.S. and the U.K.—said these attacks were increasingly directed at C-suite executives.

Twenty-seven percent said CEOs were targeted, and 17 percent said chief financial officers were targeted. On average, the 300 respondents suffered 10 attacks involving the spoofing of a CEO for financial gain in the last 12 months.

Since 2015, cybercriminals have consistently targeted IT staff (43 percent), finance staff (43 percent) and other executives because "these two departments control access to data/infrastructure and money, both of which can be solid gold to the attackers," according to Cloudmark.

The FBI points out that businesses worldwide have lost $3.1 billion since 2015 in subversions that compromised e-mail accounts. And a recent Verizon study revealed that 30 percent of people opened malicious e-mails last year.

IBM offered these tips for educating employees:

  • Most companies, banks and agencies never request personal information via e-mail. Don't fall prey to this most common type of phishing.

  • If you suspect an e-mail might be a spear phishing campaign within your company, report it to your IT department.

  • Be suspicious of e-mails with generic greetings like "Dear Customer" or with spelling and grammatical errors.

  • Don't trust e-mail attachments, even if they come from a trusted source. Unless you're expecting an e-mail with a document attached, call the sender and confirm he or she sent it. The computer might have been compromised and could be sending e-mails without the person's knowledge, or the e-mail address could have been faked.

  • Never reveal personal or financial information in response to an e-mail request, no matter who appears to have sent it.
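The "hover to see the real destination" check described above, together with the generic-greeting warning sign in IBM's tips, can be applied mechanically to an incoming HTML message. The following is an added example, not code from the article, IBM or any vendor named in it: it pulls every link out of an HTML body, compares the domain shown in the link text with the domain the href actually points to, and flags a "Dear Customer" style greeting. The sample message, its domains and the greeting list are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): the visible link text names a
# trusted-looking bank host while the href points somewhere else, and the
# greeting is generic. Both are warning signs the article lists.
SAMPLE_HTML = """
<p>Dear Customer,</p>
<p>Please review the wire instructions at
<a href="http://secure-login.example-attacker.test/pay">https://www.examplebank.test/wire</a>
before 5pm today.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        # Only accumulate text while inside an anchor that has an href.
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name. Deliberately simple; a real filter
    would consult the public-suffix list so that co.uk-style domains work."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_domain(value):
    """Registered domain of a URL or bare host, or None if there is none."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return registered_domain(parsed.hostname) if parsed.hostname else None


def mismatched_links(html):
    """Links whose visible text looks like a URL/host but whose href resolves
    to a different registered domain, i.e. what hovering would reveal."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if not href:
            continue
        looks_like_host = re.search(r"[\w-]+\.[a-z]{2,}", text, re.I)
        shown = link_domain(text) if looks_like_host else None
        actual = link_domain(href)
        if shown and actual and shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


# Constructed list of impersonal salutations to match the article's examples.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")


def has_generic_greeting(html):
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    return any(g in plain for g in GENERIC_GREETINGS)


def score_message(html):
    """Human-readable list of warning signs found in the message body."""
    reasons = []
    for m in mismatched_links(html):
        reasons.append(f"link text shows {m['shown_domain']} but points to {m['actual_domain']}")
    if has_generic_greeting(html):
        reasons.append("generic greeting")
    return reasons


if __name__ == "__main__":
    for reason in score_message(SAMPLE_HTML):
        print("warning:", reason)
```

In a mail gateway this sort of check is a trigger for quarantine or a banner, not a verdict on its own: legitimate newsletters routinely use tracking redirectors whose href domain differs from the text, so the domain comparison should be tuned against the organization's own mail before it blocks anything.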

Everton added that HR professionals should also:

  • Enable two-factor authentication to reduce the ability to send these types of e-mails from accounts if an executive's login and password are compromised.

  • Make sure all cybersecurity products are up to date, and consider adding specialized anti-phishing and anti-spymail services to existing spam filtering and anti-virus services.

  • Grant access to sensitive information only on a need-to-know basis.
