Although the C-suite can be a tough nut to crack, the potential payouts from a successful whaling attack – one that targets top-level executives - can make cracking it well worth a fraudster’s time.
In a world where almost everyone has a digital presence, cybercriminals have all the resources at their disposal to get to know their mark - and the ramifications can be devastating for senior executives caught in the crosshairs.
According to the UK government’s Cyber Security Breaches Survey, phishing constitutes the most common cyber threat vector for businesses, with 83% of the organisations that spotted attacks registering this as the scammer’s chosen method. And with the wealth of information that is shared publicly across various online spaces, whaling attacks are becoming a serious cause for concern.
Kraig Rutland, VP for cyber security at Aon’s Cyber Solutions, explains: “A lot of the time, senior executives have an important public profile and digital presence. The evolution of an individual’s digital footprint has accelerated rapidly over the last decade with social media, online platforms and content – not just personal but professionally too.”
The motivation behind tactical whaling attacks is almost always financial, but the fallout can be reputationally and legally devastating. In one well-publicised instance, an Austrian aerospace manufacturer lost €50m from a targeted email attack which resulted in the firing of several employees, including the company’s CEO.
And possibly the most nefarious aspect of such whaling attacks is how attackers gain access. Frequently, they exploit information in the public domain – social media posts from friends and family, their hobbies and interests, or their location.
“They’re targeting down. One organisation in the States was the victim of a massive ransomware attack,” says Kate Kuehn, chief trust officer at Aon. “When they did the forensics, they found out they got in through the CEO’s wife’s phone. He’d borrowed it and sent a few things over text when it was compromised. The attack put the company out of business,” she says. “The line between public and private is so blurred.”
Managing cyber risk is not a single-point-in-time activity. It is a circular process and needs to be continuously reviewed
Other more deeply personal profiles can also be a source of rich data – but also potential embarrassment. “The information on elite dating sites is an area where attackers can manipulate data, and it’s exactly the sort of place you’d expect to find high-net-worth individuals,” says Kuehn.
These sites, among others, lay out an opportunity for criminals to build trust and convince targets to invest larger and larger sums of money from crypto wallets or offshore bank accounts.
The tools that attackers now have in their arsenal provide an acute ability to replicate the sort of communications senior executives expect to see in their inboxes, eliminating many of the usual red flags. AI chatbot services, like ChatGPT, Bard and Claude, to name a few can be misused and become a fraudster’s friend, making it even easier to deliver fast, effective, frequent attacks. Advanced natural language tools can even offer scammers from outside the English-speaking world new levels of natural language fluency in their communications.
And the expanding use of AI makes it likely that there will be far more sophisticated social engineering attacks in the future as it becomes challenging to distinguish between genuine and fraudulent communications. Some tools can detect the use of AI, but these are still playing catch-up while deepfake technologies and AI chatbots get more sophisticated.
Rutland believes that recognising the risks posed to individual executives alongside the fundamental cyber threats facing organisations is an important measure. “We have to go back to understanding the risks and find new ways to mitigate them as the landscape continues to evolve,” he says. “Executives will need to be more conscious than ever about the information they put out there. When they get an email that might seem like an obvious request, consider a self-check built into the system: Am I expecting this? Should I be responding? How did that information get in there, and is there a way to validate this?”
The assortment of vulnerabilities hackers can exploit, from family and friends to associates, can see businesses engaging in a high-stakes game of whack-a-mole. But there are ways to plug the gaps.
Assessment is the first port of call. It’s vital to understand the threats you are most vulnerable to and what you can do to better protect yourself against them. Senior executives can start by understanding their own level of exposure. Aon delivers tailored individual vulnerability assessments, or IVAs, as part of its cyber loop risk management model.
This gives executives visibility over threat exposures. They can then use this data to drive the decision-making required to manage their own digital footprint. A similar approach can be taken for their organisations. A comprehensive cyber risk assessment can be performed to determine risks, threats and financial exposures, which in turn helps businesses to prioritise mitigation measures and budgets to better maximise cyber resilience.
It’s vital to be comprehensive in assessing risk, according to Rutland. “There is a business risk, operational risk, financial risk, reputational risk, and even supply chain risk. Cyber now lives in all those towers, so an organisation must constantly be assessing and understanding its cyber maturity and using this insight to make data-driven decisions on how to manage accordingly,” he says.
Aon’s cyber loop model for sustained cyber resilience identifies four entry points. Rutland explains: “These points aren’t linear, and organisations can enter at any stage: you may enter at a time of recovery, or financial transfer, for example, which leads to further need to assess cyber risk. Mitigation is understanding where there might be a control gap and closing it through people, processes or technology,” he explains. “You can move from assessment to transfer or recovery to mitigation or any number of combinations. What is important is that managing cyber risk is not a single point in time activity. It is a circular process and needs to be continuously reviewed.”
The sheer number of ways organisations and individuals can be exposed to cyber risks might seem daunting, but it needn’t be despairing. Businesses can establish a culture of vigilance and preparedness that puts them on the path to sustained cyber resilience.
“It has to be in constant deployment all the time,” says Kuehn. “Cyber is always changing. It’s a never-ending journey, and there’s always going to be innovation that we have to think about.”
For more information visit aon.com/cyberloop
