The best way to protect yourself and your business from malicious actors is to understand their modus operandi and intercept them before they can do any damage.
One popular technique adopted by threat actors is to hack the email of a trusted member of an organization - the higher up, the better. From there, they can start a phishing campaign from the hacked account to obtain further information (known as a business email compromise) or immediately begin fraudulent transactions. Understanding who cybercriminals target and training those people to protect themselves is a vital step in safeguarding your organization. At Fresh Security, we refer to these targets as “highly visible people.”
Let’s take a further look into hackers’ techniques to infiltrate organizations and how highly visible people are implicated.
Who are highly visible people?
Highly visible people are the individuals in an organization who are most visible to hackers. Their name is publicly associated with your organization, and there is enough data and information about them available online for cybercriminals to begin a phishing attack. When a data breach occurs, hackers will start trawling the leaked database for their passwords.
These are the people most likely to be targeted first by threat actors, and they are effectively the front-line defense for your business. They need thorough cybersecurity awareness training so that they can recognise malicious activity and act appropriately, and they need to ensure their accounts are protected with unique and secure passwords.
Identifying highly visible people in your company
Generally speaking, the more authority an individual has in your organization, the more of a target they are to hackers. Senior executives have more reach and more influence within a business, and consequently, they are gold dust to any hacker looking to impersonate a trusted member of your organization in a business email compromise attack (see below). Employees are more likely to follow their directives unquestioningly, and it may take longer for the threat actor to be discovered.
Unfortunately, these same individuals are more likely to have information about them publicly available online. As such, it’s easier for cybercriminals to conduct research to impersonate them effectively.
How highly visible people are implicated in data breaches
Business Email Compromise (BEC) attacks
Weak or duplicate passwords
A Verizon study of 1600 cybersecurity incidents and 800 data breaches found that phishing accounted for 90% of successful attacks.
A phishing attack is a message sent by a threat actor to trick an individual into exposing sensitive data such as passwords and account details. Though phishing attacks generally involve messages sent by email, they can also be conducted by voice call or mobile text message (known as “vishing” and “smishing” respectively).
Highly visible people need to be aware that they are especially likely to receive a phishing message. In fact, there’s a specific name for phishing attacks that target highly visible people: “spear phishing.” If the password of a highly visible person has not already been exposed in a data breach, hackers use spear phishing to gain access to the individual’s email account before conducting a business email compromise attack.
Business email compromise is an increasingly prevalent, and increasingly concerning, form of phishing attack. It’s a significant focus of our work at Fresh Security, and it directly pertains to highly visible people.
BEC attacks involve a threat actor impersonating a senior executive or CEO (a highly visible person) and using their authority to convince colleagues, clients, and vendors to wire money to a fraudulent account. It’s particularly effective because it exploits the fact that we still heavily rely on email for our business transactions. Using this method, it’s easy to make a phishing attack appear legitimate.
The FBI estimates that BEC accounted for over $2 billion in US business losses in 2020.
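One defensive control against the executive impersonation described above is to inspect inbound mail for the tell-tale signs of a BEC lure: a From display name that matches one of your highly visible people while the sender address is external, a sender domain that is a close lookalike of your own, or a Reply-To that silently diverts replies elsewhere. The following is an added example written for this article, not Fresh Security's code. The organization domain (example.com), the executive list, and the two sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates a 'highly visible person'.

Added example, not Fresh Security's code. Assumptions: the organization's
domain is example.com, the executive list and the sample messages below are
constructed, and mail arrives as RFC 5322 text.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                # assumed organization domain
HIGHLY_VISIBLE = {"Jane Doe", "Sam Lee"}  # constructed list of executives


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(name: str) -> str:
    """Case- and whitespace-insensitive form of a display name."""
    return " ".join(name.replace(",", " ").lower().split())


def assess_message(raw: str) -> list:
    """Return the impersonation indicators found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Executive's name on an external address (display-name spoofing).
    if _norm(display) in {_norm(n) for n in HIGHLY_VISIBLE} and domain != ORG_DOMAIN:
        findings.append(
            f"display name '{display}' matches an executive but sender domain is {domain}")

    # 2. Sender domain within two edits of ours (e.g. a digit swapped for a letter).
    if domain and domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    # 3. Replies silently redirected to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    return findings


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: payments@mail-example.net
To: finance@example.com
Subject: Invoice for approval

Please process the attached invoice today.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 numbers

Thanks for the update.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, assess_message(raw) or ["no indicators"])
```

Note the limit of this check: it catches impersonation from outside the organization, but when the attacker has genuinely taken over the executive's own mailbox, as the article describes, the headers look entirely normal. That is why the remaining controls in this article (unique passwords, awareness training, and out-of-band verification of payment requests) still matter.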
A highly visible person should be made aware that there’s a significant chance a hacker will attempt to guess their password using a brute force attack. If their password is weak or easy to guess, they are at considerable risk of being compromised.
An insider threat is a risk caused by someone within the organization or by immediate contacts such as business associates or contractors. Insider threats include deliberate, malicious attacks, but they are more likely to result from carelessness or a lack of cybersecurity awareness.
Insider threats can be mitigated by fostering a culture of cybersecurity awareness within an organization. It’s vital for highly visible people and those within their immediate circle to recognise and preempt insider threats.
How do cybercriminals hack into email accounts?
Cybercriminals first need to gain access to a highly visible person’s inbox to conduct a BEC attack. Here are three ways malicious actors achieve this:
They obtain passwords from an existing data breach
They guess weak or predictable passwords using a brute force attack
Phishing emails and malware attacks
To date, almost 10.5 billion accounts have been breached. A significant number of data breaches include email address and password combinations. A hacker can buy a database from the dark web and begin trawling it for the passwords of highly visible people within your organization. If you reuse the same password across several accounts, it is even more likely that your login information can be easily accessed by cybercriminals, since one exposed password unlocks every account that shares it.
Despite advancements in cybercrime methodology, brute force attacks are still one of the most popular password-cracking techniques hackers use.
Threat actors use a password dictionary containing millions of candidate passwords and attempt each one in turn until the correct password is found.
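Two controls follow directly from the three access routes above: reject passwords that already appear in a breach corpus (so a reused, leaked password cannot be set in the first place), and alert on the burst of failed logins that a dictionary attack produces, especially when a success follows the burst. The following is an added example written for this article, not Fresh Security's code. The breached-password set and the authentication log are constructed, and storing the corpus as uppercase SHA-1 digests is an assumption chosen to mirror how breach-corpus lookups are commonly done.

```python
"""Breached-password check and brute-force detection over an auth log.

Added example, not Fresh Security's code. The breached set, the log lines
and the SHA-1 storage format are constructed assumptions.
"""
import hashlib
from collections import defaultdict
from datetime import datetime

# Constructed: SHA-1 digests of passwords seen in a (pretend) breach corpus.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "Summer2020!", "letmein")
}


def is_breached(password: str) -> bool:
    """True if the candidate password appears in the breached corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


# Constructed auth log: ISO timestamp, result, username, source IP.
AUTH_LOG = """\
2024-05-01T09:00:01 FAIL jane.doe 203.0.113.5
2024-05-01T09:00:03 FAIL jane.doe 203.0.113.5
2024-05-01T09:00:06 FAIL jane.doe 198.51.100.7
2024-05-01T09:00:09 FAIL jane.doe 203.0.113.5
2024-05-01T09:00:12 FAIL jane.doe 198.51.100.7
2024-05-01T09:00:15 FAIL jane.doe 203.0.113.5
2024-05-01T09:00:20 SUCCESS jane.doe 203.0.113.5
2024-05-01T09:05:00 FAIL sam.lee 192.0.2.44
2024-05-01T09:30:00 FAIL sam.lee 192.0.2.44
2024-05-01T09:30:10 SUCCESS sam.lee 192.0.2.44
"""


def parse_auth_log(text: str) -> list:
    """Parse log lines into (timestamp, result, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_brute_force(events: list, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag users with >= threshold failed logins inside a sliding window.

    Grouping by user (not by IP) matters because a dictionary attack on a
    highly visible person is often spread across several source addresses.
    The 'success_after' flag marks the worst case: a success right after
    the burst, which suggests the password was eventually guessed.
    """
    by_user = defaultdict(list)
    for ts, result, user, ip in events:
        by_user[user].append((ts, result, ip))

    alerts = {}
    for user, evs in by_user.items():
        evs.sort()
        fails = [(ts, ip) for ts, r, ip in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                alerts[user] = {
                    "failures": end - start + 1,
                    "ips": sorted({ip for _, ip in fails[start:end + 1]}),
                    "success_after": any(
                        r == "SUCCESS" and ts >= burst_end for ts, r, _ in evs),
                }
    return alerts


if __name__ == "__main__":
    print("Summer2020! breached:", is_breached("Summer2020!"))
    for user, alert in detect_brute_force(parse_auth_log(AUTH_LOG)).items():
        print(f"ALERT {user}: {alert}")
```

In production the breached set would be a real corpus (or a k-anonymity lookup service) rather than four constructed entries, and the alert would feed a forced password reset and session revocation for the affected account, which is the practical response when `success_after` is true.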
As explained above, hackers will target highly visible people in what are known as spear phishing attacks to trick them into divulging sensitive information. Hackers can also use malicious software to infiltrate company networks and gather knowledge that helps their phishing attacks appear authentic.
Companies must identify and train highly visible people to be particularly aware of how cybercriminals act. They need clear and unequivocal guidance on identifying and avoiding potentially harmful correspondence and using passwords to safeguard themselves and their organization effectively.