- Due to their privileged access to high-value corporate assets, executives are in the crosshairs of cyber attackers, according to the latest Verizon Data Breach Investigations Report.
- The Verizon report found that the combination of access and the need to make quick decisions made C-level executives more vulnerable to social engineering attacks.
Financially motivated cyber attackers are setting their sights on the targets that deliver the highest returns. Thanks to their access to high-value systems and data, C-level executives are a prime target for social engineering attacks. This year’s Verizon Data Breach Investigations Report (DBIR) found that social attacks, including business e-mail compromises (BECs) against enterprise executives, are on the rise. The Verizon DBIR claimed that staffers in leadership are 12 times more likely to be the victims of credential theft or other social incidents, such as being tricked into transferring money to an adversary’s bank account. It speculated that the combination of proximity to high-value assets and the intense pressure of their roles, which leaves executives little time to scrutinize messages, makes them more vulnerable than employees in less critical roles.
BECs are part of a subset of financially motivated incidents known as ‘financially motivated social engineering’ attacks. These events are initiated through a social action rather than through malware or malicious employee behavior. Incidents such as financial pretexting and phishing are among the 370 recorded financially motivated social engineering incidents, 248 of which were verified to be breaches.
The Verizon DBIR – which examined 41,686 security incidents, including 2,013 confirmed data breaches, investigated globally by Verizon and multiple agencies such as the FBI and the Secret Service – did find a reduction in one notable type of financially motivated social engineering attack: W-2 phishing attacks against human resources workers, used to file false tax returns, were virtually eliminated. The supposition is that widespread awareness led to better protections and controls over employee tax information, but there is no definitive proof of what dramatically reduced the number of these incidents.
The report, which classifies incidents into nine general types, found that as organizations move more of their data to the cloud and other digital repositories, they may be putting these assets at risk by not instituting appropriate controls. This is one issue that has led to an uptick in financially motivated social attacks against web-based e-mail.