When it comes to cybersecurity risk, it's not just devices and networks that are susceptible to attack. Employees are a prime target for threat actors. Research suggests that employees of small businesses face roughly 350% more social engineering attacks than those who work at large businesses.
Companies with a minimal security posture are the most likely to be compromised. Without robust cybersecurity measures, they're essentially leaving windows unlocked for cybercriminals.
Malicious actors aren't targeting just any employee: they tailor their techniques to specific roles in the organization to maximize effectiveness and return. Here is a list of the positions most at risk and the attacks they're likely to face:
C-Suite Executives
C-suite executives have access to sensitive information, and much of that information could be sitting in their email accounts. Across various platforms, apps, and software, their accounts also carry elevated access privileges.
This combination makes the C-suite a juicy target for cybercriminals. Because of the potential for a high payoff, attackers will often deploy more sophisticated attacks. For example, a fraudster who takes over a CEO's email account can elicit payments from the accounts team. No one's going to say no to the CEO, after all.
Common cyberattacks targeted at the C-suite:
Spear phishing
Spear phishing is a targeted form of phishing (impersonating a known entity through email) aimed at a specific individual or position. It is often combined with social engineering techniques, such as details gleaned from the target's public profile, to make the email seem legitimate. The phishing email can convince an exec to give up sensitive information or click on a link that leads to an account takeover.
Spear phishing was behind a major attack against two tech giants (believed to be Facebook and Google) that defrauded them of around $100 million.
Attackers can use a wide range of well-planned, researched, and skillful methods against C-level execs. These include:
- Attacking personal email accounts, which might contain privileged information that can then be used to compromise the company's accounts.
- Monitoring executives' movements through social media in order to target them in person. For example, they may arrange to meet them at a conference and plan to steal a device or get access to a laptop.
- Intercepting traffic on insecure remote access channels such as public Wi-Fi connections.
Account compromise or account takeover (ATO)
An account is compromised when attackers obtain its credentials, typically the username and password. This can be done using various methods, including:
- Social engineering
- Phishing emails leading to fake websites where the user is prompted to type in their credentials
- Keylogging or monitoring malware
Once the hacker has access, they can leverage the exec’s elevated privileges to deepen the attack against their organization.
Fraud
This is another broad-scope type of attack. Scammers will go to all sorts of efforts to swindle funds from C-level execs. This happened to Barbara Corcoran, a judge on ABC's Shark Tank, when a fraudster obtained her bookkeeper's details and emailed an invoice for nearly $400,000 that needed to be paid. The attack showed that the fraudster had sufficient knowledge of Corcoran's activities to make the invoice seem legitimate. The wire was sent and was only recovered because the receiving bank froze the transfer.
Hackers can also monitor social media accounts, both personal and business, to attempt to gain as much information as possible about the C-level exec for their attempt at fraud.
Finance and Accounting
Finance and accounting employees hold the keys to the company's coffers. They pay invoices and often have access to sensitive customer information such as account numbers or undisclosed contracts. If these employees are compromised, attackers can get away with stolen funds and extremely sensitive information.
Common cyberattacks against finance and accounting
Business Email Compromise (BEC) attacks
BEC attacks are a coordinated set of actions, such as social engineering and email account takeover, that are aimed at finance and senior-level personnel in particular. The purpose of such attacks is usually to get the targeted person to hand over funds—such as payment for a fraudulent invoice—or to obtain sensitive/privileged information.
BEC attacks caused more financial loss than any other crime type reported to the FBI in 2021, topping the list at over $2.3 billion.
A BEC attack targeting the finance department of Ubiquiti Networks, a Silicon Valley computer networking company, resulted in a $47 million loss when finance employees were convinced to transfer the funds into fraudulent accounts. Only about $15 million was recovered.
Phishing
Phishing is when a fraudulent email is sent impersonating a known entity such as a bank or other business. Clicking links in the email typically leads users to malicious software or to websites designed to pilfer login credentials.
Phishing is the most reported crime to the FBI, hitting a staggering 323,972 victims in 2021.
A common impersonation technique used against accounts personnel is to pose as a supplier that requires urgent payment for an outstanding bill.
When a CEO's account has been compromised, attackers can impersonate the CEO from that mailbox and request payment from the accounting department for some bogus cost.
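The impersonation patterns above (a trusted name on a foreign mailbox, a Reply-To that quietly redirects the conversation, a look-alike supplier domain, and urgent payment language) can be checked mechanically before a message reaches accounts payable. The following is an added example written for this article, not code from the original page or from SolCyber. The corporate domain, the executive list, the keyword list, the edit-distance threshold and the three sample messages are all constructed assumptions.

```python
"""Heuristic checks for the BEC impersonation patterns described above.

Constructed example: the corporate domain, executive list, thresholds and
sample messages are assumptions, not data from the article.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed known executives
URGENCY_TERMS = ("urgent", "wire", "invoice", "payment", "asap", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e.com, exarnple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Display-name spoofing: a known executive's name on a foreign address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")

    # 2. Look-alike sender domain: close to, but not equal to, the real one.
    if from_dom and from_dom != CORP_DOMAIN and levenshtein(from_dom, CORP_DOMAIN) <= 2:
        findings.append(f"look-alike domain: {from_dom}")

    # 3. Reply-To steering replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"reply-to mismatch: {reply}")

    # 4. Payment urgency language in subject or body (two or more terms).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget review

Attached is the deck for Thursday.
"""

SPOOFED_CEO = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jdoe.private@protonmail.com
To: ap@example.com
Subject: Urgent wire needed today

Please process this payment ASAP and keep it confidential.
"""

LOOKALIKE = """From: Accounts <billing@examp1e.com>
To: ap@example.com
Subject: Overdue invoice - payment required

Invoice 4471 is overdue. Wire to the new account below.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed CEO", SPOOFED_CEO), ("look-alike", LOOKALIKE)):
        print(label, "->", analyze(sample) or "no findings")
```

None of these checks is proof of fraud on its own; the value is in combining them and routing anything with two or more findings to a human review step, ideally an out-of-band call to the purported sender, before money moves. The same logic could be fed by a mail gateway rather than a raw string, as it only relies on the standard headers.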
IT and Engineering
IT and engineering are high-value targets for cybercriminals for several reasons:
- These teams often have direct access to sensitive assets. This greatly increases the effectiveness of ransomware and of Advanced Persistent Threats (APTs), highly sophisticated campaigns in which an attacker lurks in a network undetected.
- Less lateral movement is required. Because the department holds elevated privileges, a single compromise already places an attacker deep inside the environment.
- Their credentials and tooling give attackers a direct route to company infrastructure such as servers, cloud consoles and deployment pipelines.
- Attackers know how to exploit the software these teams commonly use, or to abuse privileged database access to carry out a data breach.
Common attacks used against IT and engineering
Ransomware
Ransomware is malicious software that holds company resources or systems hostage, typically by encrypting them, until a ransom is paid to restore access.
This type of attack made headlines when Colonial Pipeline was hit, leading to fuel shortages on the East Coast. The attackers demanded a ransom in cryptocurrency and were paid $4.4 million in bitcoin.
Advanced Persistent Threat (APT)
An APT is a stealthy, long-running intrusion that uses sophisticated techniques to maintain access while remaining undetected. It typically leverages multiple attack vectors to reach a wide range of systems and services.
An APT group tracked as Deep Panda has been linked to the breach of the U.S. Office of Personnel Management, which exposed sensitive records on some 22.1 million people.
New Employees
New employees are eager to do a good job and nervous about failing, so they may be more prone to act on urgent requests that are really impersonation attempts.
Lack of familiarity with fellow employees and executives adds to their vulnerability, because they are less likely to recognize an email as out of character. Not yet knowing the company's security procedures, they are also less likely to flag a fraudulent message as suspicious.
Common attacks against new employees
Because of this particular vulnerability, new employees are targeted by a number of attacks that play to their desire to do well at their new company. These often include phishing, BEC attacks, and social engineering designed to obtain their unwitting cooperation with the fraudster's goals.
SMEs need a modern managed security provider to help improve employee security
Given the number of potential attack surfaces in an organization, investing to protect each one separately can be prohibitively expensive for SMEs. A modern managed security provider can help to keep these costs to a minimum. By providing comprehensive coverage, they can address every aspect of an organization's security posture requirements. Those capabilities should be focused on users and their identities.
Phishing Simulation Training
Basic training of employees regarding phishing and other forms of attacks is essential. This includes training on how to detect phishing emails and fraudulent websites, understanding how malware works, what social engineering tactics to be aware of, how to protect credentials, and related topics. This needs to be accompanied by regular phishing tests to put the knowledge into practice.
Endpoint Detection and Response
The endpoint is both an attacker's beachhead for digging deeper into your environment and, typically, the final destination of their mission. Detecting an attack early helps you minimize the impact before it becomes a costly breach.
Privilege Escalation and Abuse
Not every attack involves a piece of malware. Attackers who get hold of legitimate credentials from any of the roles above can enter your environment freely. However, they'll still need to acquire more privileges and move around to achieve their desired outcome. It's important to have visibility into this kind of identity abuse.
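The account takeover described earlier for executives and the privilege abuse described here leave a trail in ordinary authentication and directory audit logs even when no malware is involved: a valid account signs in from somewhere it physically could not be, and shortly afterwards a role is granted. The following is an added example written for this article, not code from the original page or from SolCyber. It shows two detections over a constructed event log: impossible travel between consecutive logins, and a privilege change within an hour of a suspicious login. The event shape, the per-user baseline of known countries, the 900 km/h speed threshold and the one-hour window are all assumptions.

```python
"""Identity-abuse detections for the scenario described above: legitimate
credentials used from an implausible location, then used to add privileges.

Constructed example: the event log, the baseline of known countries per user,
the speed threshold and the grant window are assumptions, not data from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900               # faster than a commercial flight between two logins
MIN_DISTANCE_KM = 50              # ignore GeoIP jitter within one metro area
GRANT_WINDOW = timedelta(hours=1) # a grant this soon after a flagged login is suspect


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str            # "login" or "role_grant"
    country: str = ""    # ISO country from GeoIP (assumed already enriched)
    lat: float = 0.0
    lon: float = 0.0
    detail: str = ""     # for role_grant: which role was granted to whom


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two GeoIP points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, baseline):
    """Return alert strings. baseline maps user -> set of countries seen historically."""
    alerts = []
    last_login = {}          # user -> most recent login Event
    suspicious_login = {}    # user -> timestamp of the most recent flagged login
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            flagged = False
            # Detection 1a: country never seen for this user.
            if ev.country not in baseline.get(ev.user, set()):
                alerts.append(f"{ev.user}: login from new country {ev.country} at {ev.ts:%H:%M}")
                flagged = True
            # Detection 1b: impossible travel since the previous login.
            prev = last_login.get(ev.user)
            if prev:
                km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
                hours = (ev.ts - prev.ts).total_seconds() / 3600
                if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                    alerts.append(f"{ev.user}: impossible travel {prev.country}->{ev.country}, "
                                  f"{km:.0f} km in {hours * 60:.0f} min")
                    flagged = True
            if flagged:
                suspicious_login[ev.user] = ev.ts
            last_login[ev.user] = ev
        elif ev.kind == "role_grant":
            # Detection 2: privilege change shortly after a flagged login by the same account.
            when = suspicious_login.get(ev.user)
            if when is not None and ev.ts - when <= GRANT_WINDOW:
                alerts.append(f"{ev.user}: privilege change ({ev.detail}) within "
                              f"{GRANT_WINDOW} of a suspicious login")
    return alerts


# Constructed sample log (not real data). jdoe's account is abused; asmith is benign.
D = datetime(2024, 5, 6)
SAMPLE_EVENTS = [
    Event(D.replace(hour=9, minute=0),  "jdoe",   "login", "US", 40.71, -74.01),   # New York
    Event(D.replace(hour=9, minute=40), "jdoe",   "login", "RO", 44.43, 26.10),    # Bucharest
    Event(D.replace(hour=10, minute=15), "jdoe",  "role_grant", detail="Global Administrator -> svc-backup"),
    Event(D.replace(hour=8, minute=30), "asmith", "login", "GB", 51.51, -0.13),    # London
    Event(D.replace(hour=17, minute=30), "asmith", "login", "US", 42.36, -71.06),  # Boston, 9 h later
    Event(D.replace(hour=18, minute=0), "asmith", "role_grant", detail="Reader -> contractor1"),
]
BASELINE = {"jdoe": {"US"}, "asmith": {"US", "GB"}}


def run_demo():
    return detect(SAMPLE_EVENTS, BASELINE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The grant check is deliberately tied to the account that performed the login, not to the grantee: in a real takeover the attacker uses the stolen identity to hand privileges to something they control, so correlating on the actor is what surfaces it. In production the baseline would come from 60 to 90 days of sign-in history and the events from an identity provider's audit feed rather than a hard-coded list.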
Learn more about how SolCyber can help your organization manage its security posture simply and affordably.