Picture this: An employee is going about their day when out of the blue a text message appears claiming to be their CEO. They're in dire straits and only you, the employee, can help.
If it hasn’t happened to your organization yet, it probably will. Just ask any CEO how often they have to remind employees that no, they are not sending text messages asking for aid or personal information.
Your CEO did not lose their phone and access to other contacts or critical business information. They are not stranded on the side of the road, asking for virtual gift cards to fill up their gas tank.
Malicious actors use any means or medium available to evade defenses and trick would-be victims into unlocking access to sensitive information. Phishing attacks are among the most common tactics, and organizations can be in for a world of hurt when an employee takes the bait.
Phishing campaigns from threat actors claiming to be a senior executive feigning distress are constantly making the rounds.
“I’m a bit surprised that people are still falling for it,” said Kris Lovejoy, Kyndryl’s global security and resilience practice leader. “This has been around for a bit now, this concept of somebody in the C-suite needing immediate help.”
Attackers are exceptionally good at exploiting the psychology of human behavior in phishing campaigns, but there’s nothing particularly sophisticated about these types of attacks, Lovejoy said.
“That’s why it’s so nefarious. Humans are just essentially very trusting and the attackers are going after that weak spot, which is their trust,” she said.
Phishing remains prevalent because it works
Mobile phishing attacks increased 50% during the last year, according to research by SlashNext, a malicious message detection vendor.
More than four out of five data breaches studied in Verizon’s 2022 Data Breach Investigations Report involved a human element, and phishing accounted for the majority of initial entry points. A Forrester report published in November 2021 attributed nearly one-third of data breaches to phishing attacks.
Many of these phishing attempts hit email inboxes to initiate business email compromise. But text messages are just as vulnerable and the additional perceived personal nature of text messages play right into the hands of malicious actors.
“Spoofing the CEO for cybercrime is so lucrative because social engineers know that people want to do good. When your boss tells you to do something urgently, you are wired to obey and will be more likely to overlook red flags,” Mika Aalto, co-founder and CEO at cybersecurity training firm Hoxhunt, said via email.
The cybersecurity firm has fended off multiple phishing campaigns in which the attacker spoofs Aalto and sends out messages to employees, mostly via email but also text messages, he said.
Cybersecurity pros observe CEO spoofs from both sides
Employees from all types of businesses, including those in cybersecurity, receive messages from threat actors claiming to be their CEO. Robert M. Lee, co-founder and CEO at industry cybersecurity firm Dragos, tweeted a screenshot of one such text message received by a Dragos employee last month, including their attempt to turn the tables on the threat actor in response.
“Phishing attacks from CEOs happen all the time,” SlashNext CEO Patrick Harr said via email. “It’s pretty common for new employees to get emails from someone saying they are the CEO asking them to notify them or do something for them. We are seeing this expanding now to mobile on text messages.”
These types of attacks are harder to detect because most employees don’t know their CEO’s phone number, Harr said. Threat actors know that too, and exploit that weakness as such.
One particularly sophisticated attack observed by SlashNext originated on WhatsApp. The threat actor, claiming to be CEO of the target’s employer traveling in Asia, asked the employee to organize a Zoom call.
“The hacker used video of the CEO and claimed to have audio problems, and using the chat function asked the employee to send company data to the link he provided in the chat,” Harr said.
For Lovejoy, the persistence of these types of phishing attacks reinforces the need for organizations to look inward and understand the psychology of the people that make up the business.
“You have to think like the attacker,” Lovejoy said. “You have to understand what matters and then ensure that you’ve got the right level of control around what matters so that not only you’re protecting it but you can recover if the worst does happen.”