$46.7 million is not a small amount for any company to lose. But Ubiquiti didn’t even know that it had lost that amount until the FBI warned it of fraudulent transactions, which prevented an even bigger loss. The company did not realise that it was being scammed because the transactions appeared to have been authorised by the founder and CEO.
How is such a large misappropriation of funds possible? Threat actors sent emails that impersonated the CEO and a lawyer, claiming that a confidential acquisition was underway and funds would need to be transferred to facilitate the transaction. The Chief Accounting Officer commenced transferring funds based on the emails without realising that the emails were not genuine and the receiving bank accounts belonged to cyberattackers. 14 transfers were made over 17 days to accounts in multiple countries before the FBI warned Ubiquiti and the transfers were stopped. Ubiquiti was lucky that the account through which the transactions were routed was being monitored by the FBI, or the transfers (which amounted to 10% of their cash position) could have been far greater.
This is the risk that CEOs face: they have great power and responsibility and therefore it is very profitable for threat actors to launch attacks against them or by using their name. All organisations have something of monetisable value to threat actors and therefore all CEOs, even leaders of small companies, can expect to be repeatedly attacked.
Cybersecurity Of, For, and By Leaders
If you are the CEO or other senior leader of your organisation, you should realise you have a target painted on your back (and may also be held personally liable for cyberattacks) and take adequate precautions, as well as set an example for the rest of your organisation. If you represent your organisation’s IT and are concerned about senior management’s exposure to cyberthreats, you will need to convince them that they will be specifically, and even individually, targeted by cyberattackers.
How Threat Actors Target CEOs
Corporate leaders are targeted in two ways – directly, usually through whaling, or indirectly through identity theft, where hoax communications are sent in their name to other employees.
Direct Threats – Whaling
Phishing is a form of social engineering where the victim is persuaded to open an infected attachment, click on a malicious link, or perform other harmful actions. When this attack is used to target CEOs or other boardroom executives, it is called whaling (because a whale is much larger than a fish).
The distinction between whaling and general phishing does not lie only in the size of the target but also in the nature of the attack. Phishing uses general campaigns against a general audience, while whaling uses very specific campaigns which may even be tailored to that one individual. It is the customised nature of whaling attacks that makes them so dangerous: typical guidelines for avoiding social engineering may not be effective against a message designed to mislead a specific person, and such attacks may even originate in the personal life of the CEO, away from enterprise protection.
Indirect Threats – Identity Theft
Also known as CEO fraud (though it is not the CEO who is committing fraud), this attack involves misappropriating the identity of the CEO to persuade other employees in the organisation to perform harmful or inappropriate actions. The Ubiquiti case discussed above is an example of such CEO fraud. Such attacks may or may not be customised to target a specific individual.
It should be noted that both attacks can be combined into one, i.e., the identity of a CEO can be stolen by an attacker to conduct a whaling attack against another senior executive (such as the CFO) in the company.
Managing the Risk of Attacks Against Leaders
Once we understand that any business leader (even the founder of a small company) is at risk, we can take steps to mitigate that risk.
- Frame Strict Policies – CEOs should lead the way in framing and following organisational policies that protect against cyberattacks. This shouldn’t be limited to a cybersecurity policy but should extend to other areas of operations as well. The Ubiquiti attack discussed earlier was possible because large fund transfers could be executed by just one person. Requiring two people to authorise such transactions increases the probability that concerns will be raised and such transfers will be paused pending independent verification. But policies have to exist and be enforced across the organisation’s hierarchy for that to happen.
- Recognise that Social Media is a Threat – Wise use of social channels can build valuable media assets for an organisation, but unwise use is a risky endeavour. As a CEO, you should be very careful about what you post on social media, and this extends to posts on your personal channels. Information that seems innocuous to you may be used to launch an attack. For example, posting that you will be travelling to a resort for a vacation lets threat actors know when you will be away from your headquarters, and that your colleagues will not be surprised to hear from you via email because you will not wish to call (or receive calls) while at the resort. This creates an opportunity for threat actors to communicate with your colleagues in your name, knowing that your colleagues will be unable to verify that communication with you. This risk has caused many CEOs to delete their social media accounts. We do not recommend such extreme steps, but we encourage you to be circumspect about the information you share; vacation details, for instance, can be posted after you return from your vacation.
- Protect Communication Channels – Compromising the email account of a senior executive can have severe consequences for an organisation. In one case, a cyberattacker set up an automated rule in the mailboxes of the CEO and COO of a broker-dealer that blind-copied all received emails to an external email address. 17,000 emails were sent to the external address, resulting in a $65,000 fine. Password hygiene is important for all employees and is particularly important for the organisation’s leaders, given the greater weight their communications carry. Strong passwords are not enough if they can be stolen easily, so precautions against password theft (such as not installing dubious applications which could include keyloggers) should also be followed.
- Be Aware of the Technology Ecosystem – Your voice-activated digital assistant is convenient, but it is also listening to every conversation. Your wearable tech tracks your every move and even monitors your emotional state. Is this technology the latest, greatest, and coolest? Undoubtedly. Is it also a potential security threat? Yes. No digital device or service is 100% secure, and those with C-level responsibilities have to balance the convenience that such devices offer against the risk they represent.
- Establish a Cybersecurity Culture – People across the organisation’s rank and file are either its greatest strength or its greatest weakness. Establishing a culture where everyone from the CEO downwards follows cybersecurity best practices ensures that they are its strength. A well-informed and security-conscious workforce forms the organisation’s primary defence against social engineering, and employees will have the knowledge and skills to step in and prevent a cybersecurity mishap even if one colleague is misled by a cyberattacker.
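The mailbox-rule abuse described under Protect Communication Channels is something an administrator can audit for. The following script is an added example (not K7’s code) that reviews a constructed, simplified export of inbox rules and flags any rule that forwards, redirects or blind-copies mail to an address outside the organisation’s own domains; the field names and the domain list are assumptions, not any mail platform’s real schema. It goes slightly beyond the incident on the page by also noting when a flagged rule has no conditions (so it applies to every message) or deletes the original.

```python
"""Flag inbox rules that silently copy mail to external addresses (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the organisation's own mail domains (constructed value)
INTERNAL_DOMAINS = {"example.com"}

# Rule actions that place a copy of a message outside the mailbox owner's control
EXFIL_ACTIONS = {"forward", "forward_as_attachment", "redirect", "bcc"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str


def is_external(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rules(rules: List[Dict]) -> List[Finding]:
    """Return one Finding per rule that sends mail off-domain, with the reasons."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", [])
        targets = [t for a in actions if a["type"] in EXFIL_ACTIONS for t in a.get("to", [])]
        external = [t for t in targets if is_external(t)]
        if not external:
            continue  # moving mail to a folder or to internal colleagues is not flagged
        reason = "sends to external " + ", ".join(external)
        if not rule.get("conditions"):
            reason += "; matches every message"
        if any(a["type"] == "delete" for a in actions):
            reason += "; deletes the original"
        findings.append(Finding(rule["mailbox"], rule["name"], reason))
    return findings


# Constructed sample export: a benign filing rule and one that mirrors the incident
SAMPLE_RULES = [
    {"mailbox": "ceo@example.com", "name": "File invoices",
     "conditions": [{"subject_contains": "invoice"}],
     "actions": [{"type": "move", "to": ["Invoices"]}]},
    {"mailbox": "ceo@example.com", "name": "Archive", "conditions": [],
     "actions": [{"type": "bcc", "to": ["archive@mail-example.net"]}]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule '{f.rule}' {f.reason}")
```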
K7 Security’s Endpoint Security protects organisations against phishing and identity-stealing malware such as keyloggers. Contact us for more information on how we can help you protect your C-suite and the rest of your organisation against the latest cyberthreats.