What is an Executive Phishing attack?

One thing is true about fraudsters who phish; they know how to innovate. As such, phishing now comes in many flavors and cleverly manipulates people using social engineering.

Of the many types of phishing, Executive phishing goes in for the attack at the highest level of office, the C-level executive. This type of targeted phishing is behind scams including Business Email Compromise (BEC), which according to the FBI, cost businesses $43 billion globally between 2016 and 2021.

The FBI also points out that BEC scams are increasing by 65% between 2019 and 2021. Executive phishing is sometimes called CEO fraud or Whaling; here is how It works and how to prevent it from harming your company.

How Does Executive Phishing Work?

Executive phishing or Whaling is a form of highly targeted spear phishing that goes after the ‘big catch’ or ‘whale’ because the payoffs are high. It saw a 131% increase between Q1 2020 and Q1 2021. However, a fraudster must use clever tactics and social engineering bait to catch the big one.

The steps to capturing a big phish are as follows:

Surveillance and Intelligence Gathering

A company's CEO or other high-level executive is identified as the ideal target for a cyber-scam. During intelligence gathering, the fraudster will research the executive’s role, what areas of the business they control, whom they do business with, financial transactions, and history. The fraudster will also research the company and any third-party vendors it works with.

Development of the Executive Phish

The intelligence gained from the research carried out in the first phase is used to develop a convincing phish scenario. The cybercriminals behind executive phishing should not be underestimated. They understand human behavior and will design their attack based on how the target executive will likely react to a given scenario.

The Spoof

The entry point begins with a compromised or spoofed email account of a trusted supplier or colleague. This email will use social engineering tactics that manipulate behavior to trick the C0levle executive into initiating a money transfer or similar.

Compromised Account Whale Phishing Variant

Sometimes cybercriminals can compromise a C-Level executive email account. Again, phishing is typically the starting point for this compromise.

Once the cybercriminals have control over the email account, they can use it to send emails from the legitimate account to other executives. It isn't easy to recognize that this hacked email is not from the C-level executive as it is a real but hijacked account.

Who Is At Risk From Executive Phishing?

The people at risk of an Executive phishing attack are those in the company with the most control, i.e., the C-suite.

However, Executive phishing can affect other members of a company, who are socially engineered into making money wires and paying fake invoices as demanded by the spoofed (or compromised) email account of a C-level executive..

Examples of Executive phishing attacks offer an insight into who is most at risk from Whaling.

• An Omaha commodity trading company, “Scoular Company,” paid $17.2 million to cyber criminals after becoming a victim of Executive Phishing. In this instance, the executive target was the corporate controller.
• FACC is a supplier to Boeing and Airbus. In 2016, the company suffered an Executive phishing attack that ended in $56 million in losses and the sacking of the CEO and several other financial department employees.

Differences between Executive phishing and Spear phishing.

Spear-phishing and Executive phishing attacks have some elements in common; they both:

• Target specific people in an organization
• Use social engineering to manipulate users into doing the bidding of a cybercriminal

The areas where they differ.

• Spear phishing targets specific types of roles and departments. For example, to steal login credentials from the IT department.
• Executive phishing targets high-level executives to steal money.

How To Prevent Executive Phishing

No one measure will prevent Executive phishing. However, security awareness training, simulated phishing exercises, and email protection software will provide the layers of security needed to stop the insidious threat of Executive phishing or Whaling.

The following are best practice measures for protecting your C-level executives and other staff from the costs and harms of Executive phishing:

Behavior-Driven Security Awareness Training

Executive phishing means highly targeted malicious emails are directed toward C-level or other high-profile executives. You must use behavior-driven security awareness training tailored for C-level executives to counteract this threat: security training will imbue your executive team with the skills to be more security aware.

As a security-first mindset is most effective when it becomes a top-down skill, training your executives to recognize security threats will also help to build a company-wide security culture. This will help in making all employees safer email users. Training executives in security awareness is much like training other staff members to spot security issues, as it is about changing poor security behaviors.

However, the executives and C-suite must have tailored programs built into your security awareness training packages that teach about the specific perils of targeted phishing campaigns such as Executive phishing. These training modules should focus on the social engineering aspect of phishing and how to spot scams, how to use the internet safely, and the importance of security hygiene and good security habits.

Phishing Simulations

Advanced phishing simulation exercises should be part of the security awareness training delivered to the C-suite.

Phishing simulation platforms will train executives to be vigilant about the emails they receive (and send). Advanced phishing simulation platforms can also be tailored and often supply templates that can be used to prepare simulated Executive phishing exercises, to pre-train the executives on how Whaling and Executive phishing works.

Phishing simulators provide metrics that measure the effectiveness of the phishing simulations, allowing you to tailor them as required.

Robust Authentication Measures

Using robust authentication is an important layer of protection to achieve comprehensive email protection that helps limit the impact of Executive phishing.

Ensure that your executives use multi-factor authentication (MFA) wherever possible and understand the importance of password hygiene. Some apps will support a second factor, such as a software-based authenticator or a biometric. However, robust authentication alone will not prevent an Executive phishing attack; researchers have identified toolkits for sale on the dark web that bypass 2FA.

Phishing fraudsters are always looking for the best payoff for their cybercrimes; Executive phishing gives them a massive payoff if they are successful.

Therefore, an organization must include its executives in security awareness training and tailor simulated phishing exercises to teach how to detect a social engineering attack. Using behavior-driven security awareness training, a company can protect its executives, employees, and its company assets.

To protect your executives and company from Executive Phishing, check out TitanHQ’s demo of SafeTitan security awareness training.

The FBI also points out that BEC scams are increasing by 65% between 2019 and 2021.

Stats And Data For Infographic

1. Executive Phishing: Intelligence and surveillance: hackers watch and learn to understand who to target and how the target business operates. This gives them the intelligence to carry out the Executive phishing attack.
2. Phishing The Target: carefully composed phishing emails are sent to the identified targets from part one:

CFO: There’s an urgent invoice that must be paid today; otherwise, we will lose this client. Can you ensure this invoice is paid immediately, as I am currently away. Regards, CEO

Finance Department: Hi Jake, I need to see our latest accounts for a business opportunity I am dealing with. Please send me the latest cash bank statement immediately. Thank you, CEO

Accounts Payable: find attached the statement for a client payment that was not processed. The money must be immediately transferred otherwise, we will lose this client. Can you pay this immediately. I will call you later today to check that this has been processed. CEO name, Sent from my mobile.

1. Social Engineering at Work: targeted employees are socially engineered using tactics, including:

Urgency: pay now, or we will lose the client!

Trust: I must respond as this is my boss

Fear of Reprisal: this is the head of the company; I better do this otherwise I’ll be in trouble

1. The Cost Of Executive Phishing:

Invoice Fraud: middle-market businesses are losing $280,000 per year to invoice fraud, according to the Financial Professional Census.

Business Email Compromise:  $2.4 billion in global losses, compared to $49.2 million from ransomware, according to the FBI.

Data Breaches: average cost to a business of a data breach was $4.35 million in 2022; this is the highest recorded by IBM in their “The Cost of a Data Breach Report.”

1. Other Impacts Of Executive Phishing

• Loss of large sums of money.
• Loss of reputation.
• Intangibles such as the impact on the brand.
• Staff fired.
• Staff morale was negatively affected.