Spear and whale phishing have been around for a while now, but recent social engineering efforts are focusing more on company executives.
An example is this type of email: it certainly looks legit at first glance; even the phone number and address right down to the floor number are correct.
But take a closer look at the URL used in the links: the real site has no relation to puzzlejs-mailing.com.
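As an added illustration of the link check the post recommends (example code written for this page, not taken from the original post), the script below parses an HTML mail body and flags every link whose real destination domain differs from the sender's domain, or from the URL shown as the link's visible text. The sample body and the hostname members.example-council.org are constructed for the example; puzzlejs-mailing.com is the domain quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (hostnames are made up for this example): the visible text
# of the first link shows one site while the href points at the lookalike domain.
SAMPLE_HTML = """
<p>Dear Executive, please confirm your council membership:</p>
<a href="http://puzzlejs-mailing.com/login">https://members.example-council.org/login</a>
<a href="https://members.example-council.org/contact">Contact us</a>
<a href="http://puzzlejs-mailing.com/unsub">Unsubscribe</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(html, sender_domain):
    """Flag links whose target domain differs from the sender's, or whose text shows a URL on another domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        if target != registrable_domain(sender_domain):
            reasons.append("target %s is not the sender domain %s" % (target, sender_domain))
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != target:
            reasons.append("text shows %s but href goes to %s" % (shown.group(1), target))
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against the sample with the sender domain example-council.org, the first and third links are flagged; the first one twice, because its visible text advertises a different site from the one it actually opens.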
Various social media sites (e.g., LinkedIn, Facebook, etc.) have become the perfect sources of company executive names and often their family members’ names. This info provides spammers access to whole schools of phish (sorry, I couldn’t resist).
Why focus on execs? Because in many ways they’re perfect targets for a security breach, thus perfect targets for spam campaigns that on the surface appear to be legitimate messages from organizations that register and connect CEOs. These are just some of the potential security issues:
- First and foremost, executives have access to proprietary and sensitive company/customer information
- Many are ‘above the law’ when it comes to company security rules: exempt from email content filters, file transfers to and from mobile media, and other security policies and procedures
- They often get and use the latest in phone and computer gadgets, software, etc., without getting prior approval or security checks by IT staff
- They usually work from home, often on a computer / home network that's accessed by other family members, hence the reason for targeting them: a relative might unwittingly launch malware on the system, which is then used to access company information.
- And they often work under the assumption that they'll ultimately be protected by their security system no matter what they do.
So, as an administrator, how do you protect your company execs from the spear phishers?
Would you refuse to exempt your boss from email policies and security checks? Have you ever insisted on checking out their home setups or simply blocking their external access? Have you ever had to say NO to your boss under these circumstances, and what happened if you did?