We understand the importance of protecting our physical environments. When I drove to work this morning, I glanced into my rearview mirror to ensure I had closed my garage door. We lock the doors to our homes and the doors to our cars with thoughtless repetition because we understand the importance of keeping our homes and vehicles secure.
Meanwhile, organizations place alarm systems and surveillance cameras on their physical campuses because they want to protect their employees, their equipment, and their intellectual property.
The growing cyber threat has been exhaustively documented. Leaders are placing increased emphasis on protecting their digital assets because cyber threats have become a chief concern in boardrooms and conference rooms in every organization in every industry.
However, protection in cyberspace does not end when the lights are turned off and the physical security systems are armed. Protection in cyberspace requires ceaseless vigilance.
Because of this, organizations have implemented controls, such as firewalls and network monitoring. They have developed awareness programs, like phishing testing, to ensure their employees understand how cyberattacks unfold and are better equipped to thwart them. These programs are necessary. However, organizations cannot fully control the actions of their employees online, especially outside of the work environment. In the past few years, as much work has shifted to remote settings, the lines between work and personal lives have increasingly blurred.
High-profile executives are major targets for cyber criminals. They are big fish, or what might be referred to as "whales." They are lucrative targets because of their access: to corporate networks, to critical financial information, or to the authority to approve payments. They also tend to have personal wealth, so they are worth more effort. Hooking a whale returns far more for the attacker's investment, so crafting an elaborate spearphishing campaign, while more costly in time and effort, can pay off with a much greater reward.
Those who work in the aerospace and military industries are particularly common targets of these whaling attacks. Campaigns have been crafted in which attackers create fraudulent LinkedIn accounts. These accounts might impersonate hiring managers. A fake account might also impersonate an attractive young woman, hoping to lure in an unsuspecting male user. Attackers may also spoof the accounts of real people, harvesting photos and information available online to craft an ornate impostor profile.
The conversations often begin on LinkedIn, where connecting with someone you do not know is common. The attacker might send a malicious file disguised as a job description and hope the recipient opens it. Or the attack might be more patient and more sophisticated.
A campaign may begin with a LinkedIn request from an attractive stranger. The target might respond to the request and begin conversing with the attacker via direct message. This type of back-and-forth might go on for months. Then, when enough trust is built, the attacker strikes.
High-profile executives are most at risk because there is a lot of information available about them online, and that information can be used to make a spearphishing campaign far more convincing. For instance, a publicly announced merger or acquisition gives an attacker a timely pretext for an email that, during a chaotic period, a target might open, or reply to with sensitive information, without first considering the consequences or verifying the sender's authenticity.
It is not only the written record about a high-profile executive that can be dangerous. Today it is also the media they have appeared in that is available online. Attackers can take audio and video clips of executives giving interviews or speaking at conferences and feed them to generative machine-learning models, most commonly generative adversarial networks (GANs) and similar synthesis models, to create "deepfakes."
Deepfakes are highly realistic synthetic audio and video that purport to show a person doing or saying something they never did. Deepfakes have been used in revenge porn, and deepfake videos of celebrities and politicians are widely available. This is not science fiction. In fact, this year, a cryptocurrency exchange executive discovered that people had been holding meetings with "him" that he had no recollection of. He did not recall the virtual meetings because they were not with him; they were with a deepfake of him. The executive only discovered the scam after attendees began messaging him to thank him for the meetings.
The dangers of deepfakes in the corporate world are vast. Deepfakes will be used in wire fraud, with attackers using cloned audio of an executive to instruct an employee to change bank account or wire transfer details and steal the money. The practical defense is procedural: any request to change payment details or move funds should be confirmed through a second channel the requester did not provide, such as a call back to a phone number already on file, never by replying to the voicemail, video call, or email that carried the request. Deepfake audio or video could also tank a company's stock or sabotage an important merger if a fabricated clip of an executive saying something harmful or controversial is released.
The bottom line is that the more information about you that is out there, the greater the risk you face, especially if you are a lucrative target from a financial or informational standpoint. You become a target when you have something the bad guys want. This is not meant to scare anyone; it is simply the reality. The key is learning to protect yourself. Below are three important ways to do just that.
Training: Organizations often put their employees through cybersecurity awareness training, which is important, but it should be taken a step further. C-suite executives should attend specialized training to learn the dangers they specifically face. Additionally, the executive’s family members, including children, should be trained as well, as they will be targets because of their association with the executive. In training, they should learn how to protect their devices, their online network and profiles, and how to limit the information they put online about themselves.
Home Network / Device Protection: Organizations protect their corporate networks but often fail to help employees protect their home networks. This is even more critical now that many employees work from home. Because of the importance and profile of executives, extra care should be taken to protect their home networks and devices. It is worth running periodic vulnerability scans or penetration tests of executives' home networks and internet-connected devices, with the executive's written authorization and a scope limited to equipment they own. Such a scan would reveal, for instance, an internet-enabled doorbell camera that still uses its default password and exposes its management interface to the internet, so that its feed can be viewed by anyone who tries that password.
Dark Web / Deep Web / Social Media Monitoring: Executive information, including email addresses, social media profiles, and potentially personally identifiable information, should be monitored on the dark and deep web as well as on social media platforms. TriCorps' service, TriWatch®, provides this for many of our clients. The monitoring can surface threats made against executives and reveal whether any of their sensitive information, such as credentials from a breach, has been released online.
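One piece of the "has their information been released" question that can be checked without disclosing the secret itself is whether a credential appears in a known breach corpus. The block below is an added example written for this article; it is not TriCorps' TriWatch code. It implements the k-anonymity range query used by Have I Been Pwned's Pwned Passwords API: only the first five hex characters of the SHA-1 hash ever leave the machine, and the matching is done locally against the returned candidate suffixes. The in-memory corpus, its counts, and the `ConstructedRangeServer` class are assumptions built so the example runs offline; against the real service the same parser is applied to the HTTP response body.

```python
"""Breach-corpus check for a credential using k-anonymity range queries.

Added example for this article, not TriWatch or any vendor code. The corpus
below is constructed for offline use. With the real Pwned Passwords service the
prefix would be sent to https://api.pwnedpasswords.com/range/<prefix> and the
response body handed to parse_range_response() unchanged.
"""
import hashlib
from typing import Callable, Dict, List, Tuple


def sha1_hex_upper(secret: str) -> str:
    """SHA-1 of the secret as 40 uppercase hex characters (the corpus format).
    sha1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (one per candidate hash sharing the prefix)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(secret: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the secret was seen in the corpus, 0 if absent.

    fetch_range(prefix) must return the range body for that 5-char prefix; the
    full hash never leaves this function.
    """
    prefix, suffix = split_hash(sha1_hex_upper(secret))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class ConstructedRangeServer:
    """Stand-in for the remote range endpoint (an assumption for offline use).

    It records every prefix it is asked for, so a caller can verify that only
    5-character prefixes were ever transmitted.
    """

    # Constructed "leaked" passwords and invented observation counts.
    LEAKS = {"password": 3730471, "123456": 23597311, "letmein": 228331}

    def __init__(self) -> None:
        self.calls: List[str] = []
        # Pre-hash the corpus exactly as a real provider would store it.
        self._by_prefix: Dict[str, List[Tuple[str, int]]] = {}
        for pw, count in self.LEAKS.items():
            prefix, suffix = split_hash(sha1_hex_upper(pw))
            self._by_prefix.setdefault(prefix, []).append((suffix, count))

    def fetch(self, prefix: str) -> str:
        self.calls.append(prefix)
        rows = self._by_prefix.get(prefix.upper(), [])
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in rows)


def audit(secrets: List[str], fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Check several secrets and map each to its breach count."""
    return {s: breach_count(s, fetch_range) for s in secrets}


if __name__ == "__main__":
    server = ConstructedRangeServer()
    for secret, seen in audit(["password", "correct horse battery 9$Q"], server.fetch).items():
        print(f"{secret!r}: seen {seen} times" if seen else f"{secret!r}: not in corpus")
    print("prefixes transmitted:", server.calls)
```

The same shape works for monitoring email addresses or other identifiers against a breach feed: hash locally, send a short prefix, and match the remainder on your own side, so the monitoring service never learns which specific value you were checking.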
Protecting oneself in the digital sphere takes exhausting vigilance, but it is of paramount importance. This is especially true for high-profile individuals and executives, who face unique risks and present appealing targets to attackers. The steps above should be considered as a baseline for protecting executives. TriCorps can help navigate these steps to keep executives safer and more secure online.