Spear-phishing hackers turn to junior staff when execs master security basics
Top executives who are trained well in self-defense don’t make good targets. And that’s what’s starting to happen in healthcare and other industries: Because of their positions and the subsequent wide-ranging digital access granted to them, exactly what makes these whales prime targets, C-suite executives are receiving high-quality cybersecurity education and are becoming more adept at protecting themselves and their assets.
The higher an employee’s annual income, in fact, the more likely it is that employee has received cybersecurity training at their organization, found the “Cybersecurity Training in the Workplace” survey conducted by cybersecurity vendor ESET.
So what’s a spear-phishing hacker to do? Aim for smaller fish who nonetheless have key access. Infosec pros need to be aware of this tactic and protect junior staff as well as they do senior executives.
“CXOs may be protected by extensive cybersecurity training; on the other hand, gatekeepers, such as administrative assistants, who screen and filter through incoming requests, calls and e-mails before escalating to the top, often are moving quickly and have not received the security education required to filter out phishing attacks on their own,” said Asaf Cidon, vice president of content security services at cybersecurity vendor Barracuda Networks, which has observed more junior staff members being spear-phished.
Phishers identify a target further down the chain of command using social platforms such as LinkedIn or company websites to familiarize themselves with the hierarchy at an organization.
“For example, administrative assistants open most e-mails and are a first point of contact for a CXO to streamline business processes,” Cidon said. “In an impersonation scam, a frequent social engineering tactic, a phisher could masquerade as an internal member of an organization and target admins to obtain personal information and credentials for further network access. They could also pose as an outside party with authority that needs to obtain sensitive information quickly to mitigate a more serious issue.”
Another social engineering tactic used to target and interact with members within an organization is through social media scams, where it can be easy to determine where an individual falls in an organization chart.
“This can be a request for a connection on LinkedIn, or an impersonation on collaboration tools like Slack or Mattermost,” Cidon said. “Once the connection is made on social media, an attacker can pose as a non-threatening actor, or leverage the relationship to conduct more in-depth research on a target. Because of the personal nature of these initial attacks, and the fact that most of them do not contain malicious files or links, traditional e-mail security solutions can’t stop these attacks.”
Targeting junior employees can be successful for various reasons. First, because of a potential lack of security training. And second, because of the inherent level of trust between teams.
“Spear-phishing attacks rely on impersonation; attackers pretend to be someone else, the boss in this case, and reach out to the junior staffer with some sort of urgent request, ‘Send this file,’ ‘Pay this invoice,’ ‘Do this by end of day,’” Cidon explained. “The combination of the urgent ask and coming from an authority figure creates a very compelling attack against junior employees. We see this quite a bit.”
Just recently, an attacker reached out to an accounts payable team member, pretending to be the CEO who needed an invoice paid for a new vendor who had not yet been set up in the system, Cidon said of an actual attack he observed.
“The ‘CEO’ went back and forth in casual conversation, building on that trust before requesting to make the payment by end of day,” Cidon said. “We were able to intercept the attack live, but it was a great reminder that the combination of the urgent ask from the presumed authority figure, in this case the CEO, creates a very compelling attack against junior employees.”
Healthcare CIOs and CISOs have an even greater responsibility when combating phishing – a health system can span multiple hospitals and include hundreds and sometimes thousands of staff members, all of whom have access of some kind to the network, and access to patient information, Cidon said.
“Greater cybersecurity education and training for all employee levels, with emphasis on specific types of scams for different departments – for example, W2 scams for HR departments – is the first step in shoring up defenses,” Cidon added. “And as more medical communications and systems are moved to digital networks, the implementation of appropriate software defenses, such as e-mail filters, firewalls and threat detection systems, is imperative to protecting healthcare and patient data.”