Before we deep-dive into how to detect and protect against executive phishing, let's start by defining what executive phishing actually is.
What You'll Learn In This Article.
- The communication methods that cyber criminals use to perform executive phishing attacks.
- How cyber criminals use spoofing to make executive phishing attacks appear legitimate.
- What the indicators of executive phishing are and how employees can be trained to detect them.
- How you can secure communication channels such as email, to prevent executive phishing.
What Is Executive Phishing?
It's a type of phishing attack that impersonates senior management within a business. These attacks can take place over email, SMS, voice call, video call, social media and even physical mail.
You've probably heard of spear phishing. Executive phishing is in many ways the same thing, but the key difference is impersonation. To put it simply, spear phishing attacks are personalised to an individual, whereas executive phishing builds on this by specifically impersonating someone in a position of trust or power over that individual, namely senior management.
Look at it from this perspective: if a cyber criminal wants to steal information or money from your business, they need to trick an employee into trusting them without question. Building this trust in a short email or text message is incredibly difficult, so cyber criminals look to abuse the implicit trust employees place in their executive team.
To better understand how you can protect against these types of attacks, we'll first need to analyse how they can even take place.
How Can An Executive Be Impersonated?
When it comes to executive impersonation, the most important factor to consider is the communication method.
Some of the most commonly used communication methods have absolutely no means of authenticating the sender and are therefore inherently prone to attacks such as executive phishing.
Let's dive into each of these and outline under what circumstances a communication method could be abused.
Cyber criminals can impersonate executives by spoofing email display names, using lookalike sub-domains, using compromised email accounts, or even by abusing a weakness in the way a domain's email authentication has been configured to spoof an executive's email address outright.
One of the most popular methods for impersonation-related phishing is to simply use a free Gmail account. These attacks are conducted by setting the email display name to the executive's name, using a local-part address that contains the executive's name, and then trying to convince the victim that they (the executive) have been locked out of their work account and need the victim to perform some time-urgent action.
Something that surprises many people is that SMS in its current form has no authentication mechanism to validate sender addresses. If you receive an unsolicited message from a legitimate or known phone number, it may actually be a spoofed SMS.
Thankfully, even though SMS senders can be spoofed, the spoofing isn't two-way. If you respond to or call the spoofed number, your reply will actually be routed to whoever owns that number. In a nutshell, this is because phone numbers are linked to IMEI numbers. When you call or text an individual, your ISP locates the phone holding that IMEI and routes the text or call accordingly.
What does this mean? If you receive an unsolicited text, never trust it, even if it's from a seemingly known or trusted phone number. Always verify with the individual through an alternate communication method: this could be an email, a call, or even a reply text message to the individual to clarify their request.
Voice Call Spoofing
As with SMS, voice calls have no mechanism for authenticating caller IDs. This type of spoofing is often referred to as caller ID overstamping or caller ID spoofing.
It's worth mentioning that voice call spoofing is currently uncommon in executive phishing attacks, primarily due to the difficulty of impersonating an executive's voice. This will likely change in the near future as AI-generated voice deepfakes become progressively more realistic.
Finally, we have social media phishing and impersonation-related attacks. This type of attack has recently grown in popularity and is even being used to target cybersecurity researchers.
The idea with this type of attack is that a cyber criminal will create a fake social media profile (e.g. on Twitter or LinkedIn) and attempt to engage a victim in conversation. Once engaged in a back-and-forth conversation, they'll typically attempt to move the conversation off the social media platform and then entice the victim to perform an action that will ultimately harm them or the organisation they work for.
Detecting Executive Phishing Attacks
No matter how many preventative tools or solutions we throw at this problem, attackers will always find a vulnerable communication method to contact employees and impersonate executives.
The best way to combat this is to train employees to recognise when an executive phishing attack may be taking place. To enable this, we need to conduct regular phishing awareness training that outlines not only how executives can be impersonated but also what cyber criminals' objectives are.
These goals and objectives can typically be boiled down to the following three:
- Information Theft: Depending on what type of industry your business operates within, information theft may be the primary goal of executive phishing.
- Information Blackmail: Information blackmail may take two forms. Sensitive information may be encrypted in a ransomware-style attack, with the attacker demanding payment for decryption, or information may be stolen and held to ransom under the threat of public release.
- Money Theft: Attackers will often imitate executives during a money theft attack and entice employees working in payroll or procurement to send money to a bank account the attacker controls. Once received, the money is laundered and is often unrecoverable.
Now that we understand the common set of goals and objectives, we need to understand how these attacks are typically performed and what indicators an employee can look for.
What Are The Indicators Of An Executive Phishing Attack?
An Urgent Message Subject. Phishing attacks in general try to apply time pressure to victims. This is designed to make victims skip much of the critical thinking they would normally apply when analysing an unsolicited email or message.
A Fraudulent Sender Address. Depending on the communication method in use, this can be easier said than done. With email, for example, we should always look at the domain an email appears to come from. If the domain is unknown or appears to contain typos, it's likely a lookalike phishing domain. For social media, we should apply critical thinking: does the individual have connections in common with you, and is there a sudden burst of recent activity with nothing historic? For SMS and voice calls, don't give any weight to the sender address, as it can be spoofed to look identical to a legitimate address.
An Engaging Message Body. Once an attacker has enticed you to open the email or message, they're halfway there. From here, they'll try to use known mannerisms or vocabulary to make their request seem unremarkable. It's critical at this stage to make a note of the action they're requesting from you. Do they want you to open an attachment? Click a link? Respond to them? Or simply send money to a bank account?
When educating employees on how to spot these types of attacks, we need to reinforce the importance of using the above indicators in combination. Looking at one factor in isolation can often be counter-productive, but combined they can paint a clear picture of whether something seems off.
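The email-side indicators above (an executive's name in the display name or local part of an external address, a lookalike sub-domain, a typo-squatted domain) can be checked automatically at the gateway or in a SIEM. The following is an added example, not CanIPhish code; it assumes a hypothetical business domain `example.com` and a constructed executive roster.

```python
"""Display-name, local-part and lookalike-domain checks on a From: header.
Added example, not CanIPhish code. It assumes a hypothetical business domain
'example.com' and a constructed executive roster; a real deployment would take
both from the gateway or directory instead of hard-coding them."""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # constructed
EXECUTIVES = {"jane doe", "john smith"}        # constructed roster, lower-case

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise_name(display: str) -> str:
    """Lower-case and strip punctuation so 'Jane DOE (CEO)' becomes 'jane doe ceo'."""
    return re.sub(r"[^a-z ]", "", display.lower()).strip()

def check_from_header(from_header: str) -> list:
    """Return the impersonation indicators found in a From: header ([] means none)."""
    display, address = parseaddr(from_header)
    local, _, domain = address.lower().rpartition("@")
    findings = []
    if domain == COMPANY_DOMAIN:
        return findings          # our own domain: authenticity is SPF/DKIM/DMARC's job
    if any(name in normalise_name(display) for name in EXECUTIVES):
        findings.append("executive display name on external address")
    if any(name.split()[-1] in local for name in EXECUTIVES):
        findings.append("executive surname in local part of external address")
    if COMPANY_DOMAIN.split(".")[0] in domain:
        findings.append("external domain embeds company name (lookalike sub-domain)")
    elif edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append("domain within 2 edits of company domain (typo-squat)")
    return findings

if __name__ == "__main__":
    # Constructed samples mirroring the article: a free Gmail account carrying the
    # executive's name, a lookalike sub-domain, and a genuine internal address.
    for hdr in ("Jane Doe <jane.doe.ceo@gmail.com>",
                "IT Helpdesk <helpdesk@example.com.mail-secure.invalid>",
                "Jane Doe <jane@example.com>"):
        print(hdr, "->", check_from_header(hdr) or "no indicators")
```

Any finding is a signal to raise, not a verdict on its own; as the text says, the indicators are meant to be weighed together.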
Keen to see some live examples of simulated phishing? Take a look at our Email Inbox Simulator.
How Can You Prevent Executive Phishing?
Unfortunately there is no magic bullet to prevent executive phishing attacks. As we've seen, these attacks can take place over a variety of communication methods, and depending on how an attack is performed, a variety of tactics and techniques may be in use.
The most effective mitigation is to train our employees, but there are some technical steps we can take to reduce both the number and effectiveness of phishing attacks our employees receive.
Email Domain Hardening: Using SPF, DKIM and DMARC
If your business domain isn't hardened in line with industry best practices, attackers may be able to masquerade as someone within your business (e.g. an executive) and spoof your domain.
Attackers will typically abuse issues within your SPF and DMARC records to perform these attacks. One commonly abused misconfiguration is an inadequately hardened DMARC record, which can enable what's referred to as an SPF-bypass attack. An SPF-bypass attack works by creating misaligned sender information between the message envelope (where SPF is checked) and the From header the recipient actually sees. Depending on the email client in use, the victim may see differing information, but it typically makes the sender address look legitimate.
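The alignment check DMARC adds on top of SPF, and why the policy tag matters, can be seen in a small evaluator. This is an added example, not CanIPhish code; the records are constructed for a hypothetical `example.com` rather than fetched from DNS.

```python
"""Minimal DMARC alignment and policy evaluator. Added example, not CanIPhish code.
Records below are constructed for a hypothetical 'example.com'; a real verifier
would fetch the _dmarc.<domain> TXT record from DNS instead of taking a string."""
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; aspf=r' into {'v': 'DMARC1', 'p': 'none', 'aspf': 'r'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    """Crude organisational domain (last two labels). Assumption for this example;
    real implementations consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match with the
    header From domain, relaxed ('r') accepts the same organisational domain."""
    if not auth_domain:
        return False                       # that authentication check failed
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)

def dmarc_verdict(record: str, header_from: str,
                  spf_domain: Optional[str], dkim_domain: Optional[str]) -> str:
    """Receiver action: 'pass' when SPF or DKIM is aligned, else the record's p=
    policy ('none'/'quarantine'/'reject'). spf_domain is the envelope MAIL FROM
    domain that passed SPF, dkim_domain the d= of a passing DKIM signature."""
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

WEAK = "v=DMARC1; p=none"                      # monitor only: spoofs are delivered
HARDENED = ("v=DMARC1; p=reject; aspf=s; adkim=s; "
            "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    # Constructed SPF-bypass scenario: envelope sender is an unrelated domain that
    # passes its own SPF, while the visible From: header claims example.com.
    for rec in (WEAK, HARDENED):
        print(parse_dmarc(rec)["p"], "->",
              dmarc_verdict(rec, "example.com", "unrelated-sender.invalid", None))
```

With `p=none` the misaligned message is still delivered, which is exactly the gap the text describes; moving to `p=reject` (after reviewing aggregate reports) closes it.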
If you're wondering whether your business domain is vulnerable to this type of attack, the team at CanIPhish have created a free domain scanning tool which can detect these vulnerabilities, along with 12 others.
Using Secure Email Gateways
A Secure Email Gateway, or SEG for short, is an appliance that many businesses deploy in front of their email servers to scan both inbound and outbound emails for suspicious behaviour.
This scanning typically involves checks for malicious content, fraudulent sender addresses, known phishing websites, malicious attachments and much more. They work by assigning each email a reputation score, and if an email's score exceeds a certain threshold, the email is sent to a quarantine folder for further analysis.
Over recent years, the effectiveness of SEGs has been called into question due to the number of phishing emails that seemingly bypass these checks. But one thing is certain: it's better to have one than to go without.
We hope you learned a few new things from reading this step-by-step breakdown. Here are some final tips to help you protect against executive phishing attacks.
- Modern businesses don't use just a single mode of communication. Ensuring best practices are followed across all of them needs to be instilled in the security culture of your business.
- Conduct regular phishing awareness training. This will help to prepare your employees for the eventual phishing attacks they'll receive. Even if you just focus on one form of training (e.g. simulated email phishing), this will empower employees to spot phishing across all communication methods they use.
- Prevention solutions such as SEGs shouldn't be your only line of defence. SEGs are great for reducing the total number of phishing attempts your employees receive, but don't lean too heavily on these. Ensure you have a solid defence-in-depth security strategy.
- Don't instil a culture of fear in your employees. You want to train them on how to detect executive phishing attacks, without reducing their operational efficiency in conducting business. Find a middle ground that suits the unique needs of your industry.
If you have any questions or would like additional insights into how you can run an effective simulated phishing and security awareness training program, please contact the team at CanIPhish!