If you are looking for the weak link in the cybersecurity chain, you will find it in people. People make mistakes. Hackers are great at exploiting vulnerabilities in software, but the easiest vulnerability for them to target is people. People can be too trusting, which can lead to hackers easily gaining access to systems and information.
When it comes to cyber awareness, we think about training employees on how to spot malicious emails and avoid opening them. All employees in an organization need to be trained, but the biggest target for hackers is the executives. People with titles like “chief executive,” “chief financial officer,” or “vice president” need to be extra vigilant, as they are the prime targets. The same goes for lawyers and anyone working in finance.
Howard Solomon, in one of his IT World Canada podcasts, spoke about a scam targeting senior executives. Solomon cites a research report by threat intelligence company Group-IB that claims at least 156 senior executives of financial, real estate and legal firms have been victimized by the attacks since the middle of 2019. This attack works well because the hackers do detailed research on the victims and their companies. With this information, the hackers send an executive an email that appears to come from a partner company and includes a PDF attachment or a Microsoft Office file. Once the executive clicks on the file, they are sent to a website that looks like a Microsoft Outlook login page. “Victims who log in give up their username and password to the crooks. Then they can log into the executive’s email and copy all messages. Then the attackers send phishing emails from the executive’s account to new victims, after which the sent message from the executive’s outbox is deleted to avoid detection. With the captured emails the criminals can search for and resell sensitive business information.”
The hackers rely on executives being too busy to look closely at the message for any signs of malice. They are counting on the executive to trust the sender and the attachment. Solomon states that there are a few clues in these messages to indicate malicious intent, such as the sender and recipient sharing the same name. Some messages have unusual formatting, like using plus signs instead of spaces between words. Using proper email hygiene, such as spending the time to ensure that the email is from a trusted source before taking an action, is a wise move. This is true for both executives and their staff.
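The two clues mentioned above can also be checked automatically as a triage signal. The following is an added example, not code from the podcast or the Group-IB report; the function names, clue labels and sample messages are constructed for illustration, and it assumes "sharing the same name" means the sender and a recipient have identical display names.

```python
import re
from email import message_from_string, policy

# Three or more words joined by "+"; one "+" alone is ordinary plus-addressing.
PLUS_JOINED = re.compile(r"\b[A-Za-z]+(?:\+[A-Za-z]+){2,}\b")

# Constructed sample messages (example.com / partner-example.net are placeholders).
SUSPICIOUS = """\
From: Jane Doe <billing@partner-example.net>
To: Jane Doe <jane.doe@example.com>
Subject: Shared+document+for+review

Please+open+the+attached+file.
"""
CLEAN = """\
From: Sam Lee <sam.lee@partner-example.net>
To: Jane Doe <jane.doe@example.com>
Subject: Q3 invoice

Send questions to sam.lee+invoices@partner-example.net.
"""


def display_names(msg, header):
    """Lower-cased, whitespace-normalised display names in an address header."""
    names = set()
    for value in msg.get_all(header, []):
        for addr in value.addresses:
            if addr.display_name.strip():
                names.add(" ".join(addr.display_name.lower().split()))
    return names


def phishing_clues(raw_message):
    """Return labels for the clues found in one RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    clues = []
    # Assumption: "sharing the same name" means identical display names.
    recipients = display_names(msg, "To") | display_names(msg, "Cc")
    if display_names(msg, "From") & recipients:
        clues.append("sender-recipient-same-name")
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    if PLUS_JOINED.search(f"{msg.get('Subject', '')}\n{body}"):
        clues.append("plus-signs-for-spaces")
    return clues


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, phishing_clues(raw))
```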
If your organization has never had a cyber awareness training campaign, then it is time to start. Remember, all levels of the organization should receive cyber awareness training, from part-timers to executives. To help deliver your cyber awareness needs, trust Quick Intelligence.