10 Ways to Protect Senior Executives from Phishing Attacks
In January 2015, Xoom’s shares fell 17% after news broke that they lost $30.8 million to a business email compromise (BEC) scam, a type of phishing scam. 21 March 2017 saw the arrest of Evaldas Rimasauskas, the hacker who successfully impersonated an Asian supplier. He swindled Facebook and Google out of over $100 million.
If it can happen to them, it can happen to you.
Before we get into how you can protect your company, let’s dispel a few myths.
Stop looking for buzzwords like “Nigerian Prince” and bad grammar. Today’s hackers set up shell companies and pretend to be subsidiaries of companies you know.
Phishing attacks are sophisticated. After extensively researching your company and senior management, a bad actor crafts an email designed to make you respond. Whether it’s paying an invoice to a fake supplier, downloading malware masquerading as a company newsletter, or typing your email password into a form that looks exactly like Gmail’s login form until you check the URL, their message appears normal.
Download NOW our Free Whitepaper
Don’t assume phishing attacks only happen via email. Hackers use Facebook messages, WhatsApp, and Twitter DMs. If you use it to communicate, they will use it to scam you. They will even spoof your CFO’s phone number and send you malicious links via SMS.
Here are our top ten ways to prevent phishing attacks from negatively impacting your organization.
1. Change your internal communication channels.
Today, email dominates workplace communications. Its popularity makes it a prime target for scammers. Rolling out an organization-wide secure collaboration and communication app with built-in messaging and filesharing gives your employees additional communication channels they can use instead of email. By integrating the new solution into your daily workflows, you will gradually transition internal communications, including file exchanges and group discussions, to the new platform, leaving email for external communications.
By limiting internal company communications via email, you make attackers claiming to be your CEO or COO easier to spot, report, and target with your spam filters.
2. Keep company communications on company-controlled channels.
Your IT shop does not control WhatsApp, Gmail, or Skype. They do not secure them. When a data breach happens, they may not even know that your company’s data was compromised. For EU companies, these shadow IT apps are GDPR nightmare. For everyone else, close your eyes and imagine the bad press if their data breach compromises your paying customers.
By deploying your own communication and collaboration solutions, you can provide an attractive alternative to insecure consumer apps. Implementing additional policies, including banning high-risk apps on company devices, will further curtail the spread of shadow IT in your workplace and keep communications on secure channels.
3. Use multifactor authentication.
Multifactor authentication is a pain. We won’t lie. We hate opening our authenticator app, waiting for the code to refresh, and racing to type it in before it changes, too. From a usability standpoint, SMS codes aren’t much better.
However, multifactor authentication serves as an additional barrier between your account and a bad actor. If someone acquires your login information, they cannot access your account without this code.
4. Teach your employees’ good email habits and learn how to recognize malicious links.
Do your employees know the difference between linkedin.com and linkedin1.com? The first is legitimate. We made up the latter, but it shows how an attacker may require a similar domain and use it to trick your employees into clicking a link.
With proper training, your employees will more readily recognize fake links and email addresses and malicious attachments.
If possible, use a collaboration app with filesharing to eliminate email attachments within the workplace. If your CEO does not email documents and your COO receives an email allegedly from your CEO with an attachment, then it’s not from your CEO.
After training, instruct your IT shop to conduct random phishing attacks against your organization. These attacks help your employees apply their phishing attack prevention training in the real world with minimal risk and constructive feedback. They also let you further tailor your training program to your employees’ skill levels and needs.
5. Disable HTML emails.
Beautifully formatted HTML emails introduce an additional vulnerability to your workplace because by design they hide things. Single pixel images embedded in the email track when your employees open emails and even record their IP address. Additionally, links and link text do not always match, even when the link text begins with https. This makes malicious links appear legitimate.
Pretty emails simply aren’t worth the risk.
6. Enforce a strong password policy.
Implement and enforce password policies like disabling the 10,000 most commonly used passwords, mandating that all users change their password regularly, and requiring that all passwords be at least eight characters long — better yet, 14 — and include complex characters. Minimum age and password history policies prevent employees from changing their new password back to the old one.
Although these policies help protect the organization, they are pain points for your employees. Until — and unless — more software and hardware providers implement passwordless login via physical FIDO2 keys or other immerging technologies, you can’t fix this. That said, encouraging them to use in IT-approved password manager with multifactor authentication that encrypts all stored logins will make your employees’ lives easier and help minimize complaints about your draconian password policy.
7. Protect your password.
Treat your passwords like you do the keys to your car, house, and safety deposit box. If a random person walked up to you on the street and asked for your house keys, you would say no. The same applies when you receive an email asking you to click on the link to reset your password and when a service provider requests your email address and that email address’s password. This is where training comes into play.
Let’s say an email prompts you to reset your GSuite password. Last month, you changed your password as directed by IT. You haven’t requested a link to change your password. Should you click the link?
Absolutely not. Forward this suspicious message to IT. You can also call them on the phone and ask if you need to reset your password.
8. Limit what your company shares on social media.
Sophisticated phishing attacks often utilize information about your company that makes them appear legitimate. For example, marketing writes about the upcoming company picnic on your organization’s public Facebook page. An attacker sees their post and sends your CFO a message supposedly from your CEO about the company picnic. Right name, proper grammar, and it mentions the picnic scheduled for next week: it looks real. Your CFO downloads the attached spreadsheet.
If your marketing team uses posts like this to give your company a friendly face, encourage them to post after the event, not before. Pre-event information belongs on your company intranet and messaging app, not Facebook.
9. Discourage the use of personal email accounts.
It’s Friday evening. Monday’s senior management presentation still needs a little polish, and you need to practice. You open up Outlook and email it to your personal account.
Congratulations! You just sent sensitive corporate information outside your organization’s security umbrella.
You haven’t changed your personal email password in the last ten years. It’s your birthday and initials backward — easy to remember for you, your ex, and your kids. When Gmail asked you to enable two-factor authentication, you disabled the notice instead. That presentation’s information is only as secure as your personal email account.
Your organization’s security umbrella cannot protect you or your company if you deliberately circumvent it.
Instead of email sensitive data to personal accounts, implement encrypted shared drives and filesharing. Let your employees carry their work with them without compromising your security.
10. Make senior management the face of your company’s cybersecurity policies.
It’s not enough to hand out a manual and say these are our policies.
Without follow-up, holding a phishing attack prevention class is merely another opportunity for water cooler gossip. Punishing employees for noncompliance isn’t conducive to collaboration and may create a toxic work environment. There’s also no guarantee that punishment will change their behavior. Convenience often outweighs consequences.
You need cybersecurity advocates, who sing your collaborative file sharing app’s praises and willingly share their own experiences with suspicious emails and how your policies help them protect your organization and themselves. When an employee comes to them complaining about crazy passwords no one can remember, this person tells them about an IT-approved password manager and points them to a how-to guide.
These advocates are not your help desk personnel, secretaries, or other support staff. They are your CEO, COO, CFO, Chairman of the Board, and executive vice presidents.
They lead by example and show that your cybersecurity policies allow no exceptions, special treatment, or excuses.
As organizations most high-value phishing targets, they all receive comprehensive training in identifying suspicious emails and messages and how to protect themselves in the digital age.
When an employee reports a suspected attempt, they receive a thank you from the CEO. If an employee calls IT in a panic because they downloaded a malicious attachment, the CIOs office should reach out to them after the incident’s resolved. Ask if they felt comfortable with how the IT shop handled the event and why they clicked on the attachment. Explain that you’re asking so you can improve both your response and future training.
Bonus: Enhance your email security with a physical key.
In 2017, Google issued physical security keys are required that all of their 85,000+ employees use them. Since implementing the keys, they’ve reported zero successful phishing attacks involving compromised employee accounts.
Protecting your organization and, particularly, its senior executives from phishing attacks is an ever-changing battle. You cannot foresee every attack avenue or even prevent human error. However, with sound cybersecurity policies, good employee training, secure communication and collaboration apps, and amazing advocates, you can reduce the risk of a successful phishing attack.