Spear-Phishing: Even the Mightiest Can Get Crushed
In a cyber incident reported to us last week, a senior employee in the insured’s finance department discovered their email address had been compromised; when a phishing email was broadcast from their email address to their entire contact list. Luckily they were on the ball. They contacted their broker as soon as they discovered the incident and are currently working hard to contain the damage and the reputation hit.
This incident ,and the many thousand mirror copies that occur each day, highlight the role and responsibility all levels of the firm play in ensuring the security of their own company’s assets. C-Suite email credentials are for sale on the dark web from $250 per user. Phishing is becoming increasingly commoditized. As an example, cybercriminals have created a phishing kit featuring fake Microsoft Office 365 password alerts as a lure to target the credentials of chief executives, business owners and with ‘chief financial something’ in their title. Security specialist, Trend Micro, has identified several dark web forums selling compromised Office 365 credentials for executives at a cost of $250 to $500 per user. Leader Courage - "It won’t happen to me!" Unfortunately, this type of threat isn't always easy to get across to senior executives. You probably still come across top executives sometimes that view email security mechanisms or policies as “an inconvenience to them”. The attackers know this and target high profile employees who may not be as technically—or cybersecurity—savvy, and may be more likely to be deceived into clicking on malicious links. If an executive is tricked into giving away their credentials – the criminals can use those details to conduct additional attacks. In our incident last week, business email compromise (BEC) was the desired outcome; targeting other employees and third-party partners in the executive’s address book with a mission to phish them as well. What do you think is behind the gusto? We asked why some executives behave in this risky manner. We distilled it down to three points – I am sure you have others.
Some executives believe that they are immune to being duped, even though "they are well aware that phishing techniques have evolved,” said one.
For others, they may not have yet experienced a significant breach, meaning the perception of the risks are not as real as they should be.
Some executives also use a personal assistant to go through emails, which can impact the individual’s ability to spot suspicious messages
So, what to do? Here’s the choice for top operators at your clients’ firms:
Spend an extra minute or two each day to be a bit more vigilant with what they click on, and become a role model for others in the firm.
Continue being cavalier and risk being at the end of a spear-phishing attack; resulting in reputational damage and costs.
Hang on. Got to go. Just received an urgent email request to update my Office 365 password.
CEO & Co-Founder of BOXX Insurance Inc.
For more information, please feel free to contact the following members:
Vishal Kundi: Vishal.Kundi@boxxinsurance.com
Michelle Diniz: firstname.lastname@example.org
Chris Masaki: email@example.com
Mike Senechal: firstname.lastname@example.org