CEO Phishing: Hackers Target High-Value Data

Michael Buckbee
2 min read
Published April 15, 2016
Last updated October 14, 2022

Humans like to click on links. Some of us are better at resisting the urge, some worse. In any case, you’d also expect that people in the higher reaches of an organization — upper-level executives and the C-suite — would be very good at resisting phish bait.

Harpooning the whale

Alas, even the big phish like to chomp on the right links.

We now have even more evidence that cyber thieves are getting better at fine tuning their attacks against high-value targets — known as “whale phishing”.

The security firm Digitalis tells us that attackers are using social media to research an executive's habits (say, an interest in cricket), and then forging an email, embedded with a malware payload, from a business associate, also discovered through social media, that mentions the cricket match.

This is business-class phishing!

The attraction of the corporate whale is that they are likely to have incredibly valuable information on their laptops. Not the commodity PII that is involved in most data breaches, but intellectual property and other sensitive data: deals in progress, key customers, confidential financial data, or embarrassing emails.

It’s the kind of information that could be sold to competitors or, better yet, doxed unless a ransom is paid.

We’ve long known that phishing attacks that are based on better research are very effective. The more the attacker knows about you, the more likely you are to trust the sender.

Which would you click on: an email sent by a Nigerian finance minister regarding unclaimed funds, or an email from your bank — from your local branch — saying there’s been an adjustment to your balance, and you’ll need to look at the attached PDF? Enough said.

Executive privacy

Digitalis also found that executives, like the rest of us, are not very good about their privacy settings on Facebook and other social networking sites. They found that less than half of those surveyed restrict who can see their profile. And only 36% keep up with their social settings.

Should executives simply forgo social media?

I’ve heard experts say if C-levels and other execs don’t set up their own account, the hackers will do the work for them by establishing a forged identity and squatting on their property. This can then lead to very sophisticated phishing.

My advice: as an executive, you should take charge of your social persona. This leads to one of the points of the Digitalis research: executives (and the rest of us as well) should never reveal more than they have to on these social networks.

As in the file system world, always change from the default “everyone” setting, and restrict information to just friends.

And since social networking companies — well at least one — have had a bad habit of tweaking these settings, you should, as Digitalis suggests, periodically revisit your account.

Concierge security?

Security pros have pointed out that social networks, by design, will always share some information by default, and this typically includes who your friends are.

Even with very restrictive settings, a smart attacker can still use this friend information to make very good guesses about the habits, interests, and preferences of the target account—say, the CFO of the company.

Welcome to our world!

There are no easy answers here when it comes to protecting executives from attacks. It’s essentially the problem organizations face with hackers in general: they will get in!

The more important point is to monitor for and detect unusual system and file events in order to reduce the risks.

In a past blog post, I’ve said it’s worth devoting IT security resources to monitoring the computer activities of corporate VIPs. With this latest research, I’ll double down on that position.

And if the company is large enough, this could include dedicated staff — perhaps a security concierge service.

In any case, it does make sense to take any alarms and notifications involving the computer accounts of C-levels very seriously. Don’t view them as likely false positives.

It’s worth tracking them all down until they’re resolved.
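To make the point concrete, here is an added example (not from the original post or from Varonis) of how a simple file-event triage rule can treat alerts on executive accounts differently: off-hours reads and bursts of file reads are flagged for every user, but hits on a VIP watchlist are raised to high severity and routed to be investigated until resolved rather than queued as probable false positives. The account names, share paths, thresholds and business hours are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VIP_ACCOUNTS = {"cfo.jane", "ceo.tom"}   # constructed watchlist of C-level accounts
BUSINESS_HOURS = range(8, 19)            # assumed: 08:00-18:59 local time
BURST_WINDOW = timedelta(seconds=60)     # reads closer together than this form a burst
BURST_THRESHOLD = 3                      # this many reads in one window is "unusual"

# Constructed file-access events: "<timestamp> <user> <action> <path>"
SAMPLE_EVENTS = r"""
2016-04-14T09:12:03 cfo.jane READ \\fs01\finance\q1-forecast.xlsx
2016-04-14T23:58:10 cfo.jane READ \\fs01\legal\merger-term-sheet.docx
2016-04-14T23:58:12 cfo.jane READ \\fs01\legal\nda-list.xlsx
2016-04-14T23:58:15 cfo.jane READ \\fs01\legal\customer-contracts.xlsx
2016-04-14T10:02:00 bob.analyst READ \\fs01\finance\q1-forecast.xlsx
2016-04-14T22:30:00 bob.analyst READ \\fs01\finance\notes.txt
"""


def parse_events(text):
    """Turn the whitespace-separated event lines into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events


def triage(events, vip=VIP_ACCOUNTS):
    """Return one alert per user with unusual activity; VIP alerts are escalated."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        reasons = set()
        for i, e in enumerate(evs):
            if e["ts"].hour not in BUSINESS_HOURS:
                reasons.add("off-hours access")
            # count this read plus every later read that falls inside the burst window
            window = [x for x in evs[i:] if x["ts"] - e["ts"] <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                reasons.add("burst of file reads")
        if reasons:
            is_vip = user in vip
            alerts.append({"user": user, "reasons": sorted(reasons),
                           "severity": "high" if is_vip else "medium",
                           "disposition": "investigate until resolved" if is_vip
                           else "queue for analyst review"})
    return alerts
```

Running `triage(parse_events(SAMPLE_EVENTS))` yields a high-severity alert for cfo.jane (off-hours plus a burst of legal-share reads) and a medium one for bob.analyst (a single off-hours read).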
