What Is An Executive Phishing Attack? And How To Protect Against Them

In this article, we'll talk about what an executive phishing attack is, how they're performed, how they can be detected, and how they can be prevented.

Sebastian Salla Last Updated: December 27, 2023

Picture an aerospace giant renowned for its precision and technological prowess, grounded not by an engineering failure but by a well-executed executive phishing scam. This is not a hypothetical scenario but the real-life story of FACC, an Austrian aerospace manufacturer, in 2016.

In an executive phishing attack, cybercriminals masquerading as the company's CEO managed to siphon off a staggering US$55 Million! The successful attack exposed the organization's lack of financial and security controls; in an ironic twist, the impersonated CEO was dismissed along with the CFO for the oversight.

Before deep-diving into how to detect and protect against executive phishing, let's start by defining it.

What You'll Learn In This Article.

  • The communication methods that cyber criminals use to perform executive phishing attacks.
  • How cyber criminals use spoofing to make executive phishing attacks appear legitimate.
  • What are the indicators of executive phishing, and how can employees be trained to detect them?
  • How can you secure communication channels such as email to prevent executive phishing?

What Is Executive Phishing?

It's a type of phishing attack that impersonates senior management within a business. These attacks can occur over email, SMS, voice calls, video calls, social media, and even physical mail.

A graphic showing the types of executive phishing: physical mail, video calls, voice calls, social media, email and SMS.

Spear phishing is a term you might already be familiar with. Executive phishing, while similar, has a key distinction: it involves impersonation at a higher level. In spear phishing, attacks are personalized and targeted at specific individuals. Executive phishing takes this a step further by impersonating someone in a position of trust or authority, typically a senior management figure.

Look at it from this perspective. If a cyber criminal wants to steal information or money from your business, they need to trick an employee into trusting them without question. Building this trust in a short email or text message is incredibly difficult, so cyber criminals look to abuse the implicit trust relationship employees have for their executive team.

To better understand how you can protect against these types of attacks, we'll first need to analyze how they can occur.

How Can An Executive Be Impersonated?

When it comes to executive impersonation, the most crucial factor to consider is the communication method. Many commonly used communication methods lack any form of sender authentication, making them particularly vulnerable to attacks like executive phishing.

Let's explore these and outline under what circumstances a communication method could be abused.

Email Spoofing

Cyber criminals can impersonate executives by spoofing the email display name, registering lookalike domains or sub-domains, using compromised email accounts, or abusing a misconfigured sending domain (weak SPF and DMARC records) to place an executive's exact email address in the From header of a phishing email.

One of the most popular methods for impersonation-related phishing is to use a free Gmail account. These attacks are conducted by setting the display name to the executive's name, choosing a local-part (the portion before the @) that also contains the executive's name, and then convincing the victim that they (the executive) have been locked out of their work account and need the victim to perform some time-urgent action.

A graphic showing an email executive phishing attempt that uses domain spoofing.

SMS Spoofing

Something that surprises many people is that SMS, in its current form, has no authentication mechanism to validate sender addresses. If you receive an unsolicited message from a legitimate or known phone number, it may be a spoofed SMS.

Thankfully, even though the sender of an SMS can be spoofed, the spoofing isn't two-way. If you reply to or call the spoofed number, your message is routed to whoever actually holds that number, not to the attacker. In a nutshell, this is because a phone number is bound to a subscriber identity (the SIM) within the carrier's network, not to whatever the attacker wrote into the sender field. When you call or text a number, the carrier looks up where that subscriber's device is currently registered and routes the call or text there.

A graphic showing how SMS spoofing works particularly the way SMS spoofing is not two-way

What does this mean? If you receive an unsolicited text, never trust it... even if it's from a seemingly known or trusted phone number. Always verify with the individual through an alternate communication method; this could be an email, call, or even sending a text message back to the individual to clarify their request.

Voice Call Spoofing

As with SMS, the caller ID presented on a voice call has no universal authentication mechanism (STIR/SHAKEN attestation is being rolled out by some carriers, but a displayed number still can't be trusted on its own). This type of spoofing is often referred to as caller ID spoofing or overstamping.

While worth mentioning, voice call spoofing has historically been uncommon in executive phishing attacks, primarily because of the difficulty of convincingly impersonating an executive's voice. This will likely change in the near future as AI-generated voice deepfakes become progressively more realistic.


Social Media Impersonation

Finally, we have social media phishing and impersonation-related attacks. This type of attack has recently grown in popularity and is even used to target cybersecurity researchers.

The idea with this type of attack is that a cyber criminal will create a fake social media profile (e.g. on Twitter or LinkedIn) and attempt to engage a victim in conversation. Once a back-and-forth is established, they'll typically try to move the conversation off the social media platform and then entice the victim to perform an action that will ultimately harm themselves or the organization they work for.

A graphic showing an executive phishing attempt over social media.

Detecting Executive Phishing Attacks

No matter how many preventative tools or solutions we throw at this problem, attackers will always find a vulnerable communication method to contact employees and impersonate executives.

The best way to combat this is to train employees to detect when an executive phishing attack may occur. To enable this, we need to conduct regular phishing awareness training which outlines how executives can be impersonated and the objectives of cyber criminals.

These goals and objectives can typically be boiled down to the following three:

  1. Information Theft: Information theft may be the primary goal of executive phishing, depending on the industry your business operates within.
  2. Information Blackmail: Information blackmail may take two different forms. Sensitive information may be encrypted in a ransomware-style attack, with payment demanded for decryption, or information may be stolen and held for ransom under the threat of public release.
  3. Money Theft: Attackers will often look to imitate executives during a money theft attack and entice employees working in payroll or procurement to send money to a bank account that the attacker controls. Once received, the money is laundered and often unrecoverable.

Now that we understand the typical set of goals and objectives, we need to understand how these attacks are typically performed and what indicators an employee can look for.

What Are The Indicators Of An Executive Phishing Attack?

An Urgent Message Subject. Phishing attacks, in general, try to apply time pressure on victims. This is designed to force victims to skip much of the critical thinking they usually apply when analyzing an unsolicited email or message.

A Fraudulent Sender Address. Depending on the communication method, this can be easier said than done. With email, for example, we should always look at the domain an email appears to come from. If the domain is unknown or appears to have typos, it's likely a lookalike phishing domain. For social media, we should use critical thinking - check to see if the individual has common connections and whether there is a sudden burst of recent activity with nothing historic. For SMS and voice calls, don't give any weight to the sender contact information, as it can be spoofed to look identical to a legitimate contact.

An Engaging Message Body. The next step for an attacker, after successfully enticing you to open an email or message, is to present an engaging message body. At this point, they're halfway to achieving their goal. To make their request appear genuine and unsuspicious, they will often mimic the executive's known mannerisms or vocabulary. It is crucial to pay close attention to the action they are asking of you. Are they urging you to open an attachment, click a link, respond to them, or transfer money to a bank account?

A graphic showing what the indicators of an executive phishing email are

When educating employees on spotting these types of attacks, we must reinforce the importance of using the above detection mechanisms in aggregation. Relying on a single factor in isolation can be misleading or ineffective. However, when these factors are considered together, they can collectively provide a more accurate and clear indication of any suspicious activity.
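The following is an added example, not code from the original article or from CanIPhish, that turns the three indicators above (urgency, fraudulent sender, requested action) and the sender tricks from the Email Spoofing section (display-name impersonation, free-mail accounts with an executive's name in the local-part, lookalike domains) into a triage check over raw email text. The executive directory, word lists, domain names and sample messages are all constructed for illustration; the verdict is deliberately only strong when sender and content indicators coincide, which is the aggregation point made above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All names, addresses and word lists below are constructed for this example.
OUR_DOMAIN = "acme-corp.example"
EXECUTIVES = {                       # normalised display name -> legitimate address
    "jane doe": "jane.doe@acme-corp.example",   # CEO
    "john roe": "john.roe@acme-corp.example",   # CFO
}
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "end of day", "confidential")
ACTION_TERMS = {
    "payment": ("wire", "transfer", "bank account", "iban", "invoice"),
    "gift cards": ("gift card", "itunes", "google play"),
    "link or attachment": ("click", "attachment", "open the file", "log in", "verify your account"),
}

def normalise_name(text):
    """Lower-case and collapse punctuation/whitespace: 'Jane  DOE' -> 'jane doe'."""
    return " ".join(re.sub(r"[^a-z ]", " ", text.lower()).split())

def edit_distance(a, b):
    """Levenshtein distance; catches typo-squats such as acme-c0rp.example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_indicators(from_header):
    """Fraudulent-sender indicator: who the From: header claims to be vs where it came from."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    findings = []
    name = normalise_name(display)
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name '{display}' is an executive but address is {addr}")
    if domain in FREEMAIL_DOMAINS:
        findings.append(f"free-mail sender domain {domain}")
        tokens = set(re.split(r"[^a-z]+", local))          # 'jane.doe.ceo' -> {jane, doe, ceo}
        for exec_name in EXECUTIVES:
            if set(exec_name.split()) <= tokens:
                findings.append(f"local part '{local}' carries executive name '{exec_name}'")
    elif domain != OUR_DOMAIN:
        # Typo-squat (small edit distance) or our brand buried inside a domain we don't own,
        # e.g. acme-corp.example.attacker-owned.example
        brand = OUR_DOMAIN.split(".")[0]
        if edit_distance(domain, OUR_DOMAIN) <= 2 or brand in domain:
            findings.append(f"lookalike domain {domain} (legitimate: {OUR_DOMAIN})")
    return findings

def body_indicators(subject, body):
    """Urgency and requested-action indicators. Plain substring matching, so expect
    false positives ('wire' in 'wireless'); tune the lists for your environment."""
    text = f"{subject}\n{body}".lower()
    findings = []
    urgency = [t for t in URGENCY_TERMS if t in text]
    if urgency:
        findings.append(f"urgency language: {', '.join(urgency)}")
    for action, terms in ACTION_TERMS.items():
        hits = [t for t in terms if t in text]
        if hits:
            findings.append(f"requested action '{action}': {', '.join(hits)}")
    return findings

def triage(raw_message):
    """Aggregate the indicators: a suspicious sender or an urgent request alone only
    warrants out-of-band verification; both together is the executive phishing pattern."""
    msg = message_from_string(raw_message)
    sender = sender_indicators(msg.get("From", ""))
    content = body_indicators(msg.get("Subject", ""), msg.get_payload())
    if sender and content:
        verdict = "likely executive phishing"
    elif sender or content:
        verdict = "suspicious: verify out of band"
    else:
        verdict = "no indicators"
    return {"verdict": verdict, "findings": sender + content}

# Constructed sample messages.
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: payroll@acme-corp.example
Subject: URGENT - confidential payment

Hi, I'm locked out of my work account and in meetings all day.
Please wire the attached invoice amount to the new supplier's bank account immediately.
Keep this confidential until I'm back. Thanks, Jane
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme-corp.example>
To: payroll@acme-corp.example
Subject: Q3 town hall slides

Team, yesterday's town hall slides are on the intranet. Thanks, Jane
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = triage(sample)
        print(result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Running the module prints "likely executive phishing" for the constructed Gmail message (executive display name, free-mail domain, executive name in the local-part, urgency language and a payment request) and "no indicators" for the legitimate internal mail. The free-mail and lookalike checks are the same ones a person is asked to do by eye; the value of the aggregation is that none of them fires an alert on its own.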

Keen to see some live examples of simulated phishing? Take a look at our Interactive Phishing Email Simulator.

How Can You Prevent Executive Phishing?

Unfortunately, there is no magic bullet to prevent executive phishing attacks. As we've seen, these attacks can take place over a variety of communication methods, and depending on how an attack is performed, there may be a variety of tactics and techniques in use.

The most effective mitigation is to train our employees. Still, there are some technical steps we can take to reduce both the number and effectiveness of phishing attacks our employees receive.

Email Domain Hardening: Using SPF, DKIM and DMARC

If your business domain isn't hardened in line with industry best practices, attackers may be able to masquerade as someone within your business (e.g. an executive) by spoofing your domain outright.

Attackers typically abuse weaknesses in your SPF and DMARC records to perform these attacks. One commonly abused misconfiguration is a DMARC record with no enforcement (p=none), or no DMARC record at all, which enables what's often referred to as an SPF-bypass attack. The attacker sends from a domain they control as the envelope sender (the SMTP MAIL FROM address that SPF checks), so SPF passes, while placing your executive's address in the From header that the recipient actually sees. DMARC exists to check that these two identities align (or that a DKIM signature aligns with the From domain), but with no enforced policy the mismatch is never acted on. Depending on the email client, the victim may see differing information, but the sender's address typically looks legitimate.
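To make the SPF-bypass concrete, here is an added example (not CanIPhish's scanner, and not code from the original article) that evaluates the SPF path of DMARC exactly as a receiving mail server would, but against a constructed in-memory DNS table so it runs offline. The domains victim.example, attacker.example and orphan.example, their records and the IP addresses are all made up; the DKIM path of DMARC is omitted, and the SPF evaluator only understands ip4 mechanisms and the trailing all.

```python
import ipaddress
from email.utils import parseaddr

# Constructed zone data for this example. victim.example publishes SPF but a
# monitoring-only DMARC policy; attacker.example runs its own mail server at
# 198.51.100.5 and publishes a perfectly valid SPF record for it.
DNS_TXT = {
    "victim.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.victim.example": ["v=DMARC1; p=none; rua=mailto:dmarc@victim.example"],
    "attacker.example": ["v=spf1 ip4:198.51.100.5 -all"],
    "orphan.example": ["v=spf1 ip4:203.0.113.20 -all"],   # SPF present, no DMARC at all
}
# The same zone after hardening: enforce rejection and require strict SPF alignment.
HARDENED_DNS = {
    **DNS_TXT,
    "_dmarc.victim.example": ["v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@victim.example"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, dns):
    """Minimal SPF evaluator: ip4 mechanisms and the trailing 'all' only
    (no include/a/mx/redirect), run against the envelope MAIL FROM domain."""
    ip = ipaddress.ip_address(client_ip)
    for record in dns.get(domain, []):
        if not record.startswith("v=spf1"):
            continue
        for term in record.split()[1:]:
            qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qualifier]
            if mech == "all":
                return QUALIFIERS[qualifier]
    return "none"

def dmarc_record(domain, dns):
    """DMARC tags published at _dmarc.<From: domain>, or None if nothing is published."""
    for record in dns.get(f"_dmarc.{domain}", []):
        if record.startswith("v=DMARC1"):
            return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return None

def org_domain(domain):
    """Approximate organisational domain (real receivers consult the public suffix list)."""
    return ".".join(domain.split(".")[-2:])

def evaluate(mail_from, from_header, client_ip, dns=DNS_TXT):
    """Disposition a receiver reaches on the SPF path of DMARC (DKIM path omitted).

    mail_from   - RFC 5321.MailFrom, the envelope sender that SPF authenticates
    from_header - RFC 5322.From, the address the user sees, which DMARC must align
    """
    mf_domain = mail_from.rpartition("@")[2].lower()
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    spf = spf_check(mf_domain, client_ip, dns)
    tags = dmarc_record(from_domain, dns)
    if tags is None:
        # No DMARC: an SPF pass says nothing about the From: header, so the spoof is delivered.
        return {"spf": spf, "aligned": None, "dmarc": "none", "disposition": "accept"}
    strict = tags.get("aspf", "r") == "s"
    aligned = (mf_domain == from_domain) if strict else (org_domain(mf_domain) == org_domain(from_domain))
    dmarc = "pass" if spf == "pass" and aligned else "fail"
    policy = tags.get("p", "none")
    disposition = "accept" if dmarc == "pass" or policy == "none" else policy
    return {"spf": spf, "aligned": aligned, "dmarc": dmarc, "disposition": disposition}

if __name__ == "__main__":
    spoof = ("bounce@attacker.example", "Jane Doe <jane.doe@victim.example>", "198.51.100.5")
    print("p=none   :", evaluate(*spoof))                    # SPF passes on attacker.example; accepted anyway
    print("p=reject :", evaluate(*spoof, dns=HARDENED_DNS))  # same message, now rejected
```

With the monitoring-only record the spoofed message gets spf "pass" (the attacker's own domain authorised the attacker's own server), aligned False, dmarc "fail" and a disposition of "accept": SPF did its job and the mail was still delivered with the CEO's address in the From header. Switching the published record to p=reject changes nothing about SPF and flips the disposition to "reject", while legitimate mail from 203.0.113.10 with an aligned envelope sender is still accepted.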

If you're wondering whether your business domain is vulnerable to this type of attack, the team at CanIPhish have created a free domain scanning tool which can detect these vulnerabilities, along with 12 others.

A graphic showing the free CanIBeSpoofed domain scanning tool webpage

Using Secure Email Gateways

A Secure Email Gateway, or SEG for short, is an appliance or cloud service that many businesses deploy in front of their mail servers to scan both inbound and outbound email for suspicious behavior.

This scanning typically involves checks for malicious content, fraudulent sender addresses, known phishing websites, malicious attachments, and more. Each email is assigned a reputation score; if the score exceeds a configured threshold, the email is quarantined for further analysis.

Over recent years, the effectiveness of SEGs has been questioned due to the number of phishing emails seemingly bypassing these checks. But one thing is for sure: it's better to have one than to go without.

Conclusion

We hope you learned a few new things from reading this step-by-step breakdown. Here are some final tips to help you protect against executive phishing attacks.

  1. Modern businesses don't communicate over a single channel. The verification habits described above need to be instilled in your security culture across every channel, not just email.
  2. Conduct regular phishing awareness training. This will help to prepare your employees for the eventual phishing attacks they'll receive. Even if you focus on one form of training (e.g., simulated email phishing), this will empower employees to spot phishing across all communication methods.
  3. Prevention solutions such as SEGs shouldn't be your only line of defence. SEGs are great for reducing the number of phishing attempts your employees receive, but don't lean too heavily on these. Ensure you have a solid defense-in-depth security strategy.
  4. Avoid creating a culture of fear among your employees. The goal is to equip them with the skills to identify executive phishing attacks, not to hinder their operational efficiency in everyday business tasks. It’s important to strike a balance, tailoring your approach to the specific requirements of your industry.

If you have any questions or would like additional insights into how you can run an effective simulated phishing and security awareness training program, please contact the team at CanIPhish!