During the course of our investigative work, Fortalice has observed an increasing and alarming trend: personal email compromise is leading to business email compromise. Threat actors will leverage weaknesses regarding executives’ or board members’ personal cybersecurity hygiene to gain access to their business accounts. Employees with access to financial systems and IT systems are also a major target. In some cases, Fortalice has even seen threat actors doxing, or searching for and dumping personal data, in attempts to humiliate the target and their organization. Extortion also remains a top cybersecurity threat, with organized criminals overseas routinely targeting corporations and the people who support them.
Best-in-class organizations like the National Association of Corporate Directors (NACD) have found that Digital Executive Protection is no longer discretionary; it is fundamental to protecting corporations and the individuals who manage and oversee them. The following paper describes how threat actors are attacking board members, executives, and high access employees, and how Digital Executive Protection Programs can turn the tide against them.
Social engineering is the use of publicly available personal information of employees, executives, and board members to gain access to company information, accounts, and/or finances. A criminal can typically build up a detailed image of their victim by combining the information from their employee page on the company’s website, their LinkedIn profile, their Twitter profile, and their Facebook profile.
For example, in 2020, Shark Tank television judge Barbara Corcoran was tricked into a phishing and social engineering scheme of almost $400,000. Her assistant was impersonated by a cybercriminal, who emailed their bookkeeper asking for a renewal payment for real estate investments, using a fake email account that looked identical to the real one. Due to Barbara Corcoran’s recent real estate investments and her assistant’s contact information being public information, the cybercriminal was able to make the attack believable.
To stand guard against similar cybercriminals who seek to exploit prominent figures, Digital Executive Protection will flag all information that could be used against you in a social engineering attack. Some examples of Digital Executive Protection at work might include removing information from an inactive Myspace account or requesting that your child removes a photo they posted in front of your home that displays your vehicle’s license plate.
Employees of all levels have large amounts of personal information, including but not limited to their phone number, home address, email address, vehicle information, and voter information. This information, often available through high-level data aggregators and collectors, can be used in doxing attacks or otherwise used for malicious intent against your organization’s personnel. Digital Executive Protection can detect where this information is located and remove it before it gets into the wrong hands.
It is no secret that board members and executives hold highly valuable and sensitive information for their organizations. Knowing this, cybercriminals will try to gain access to accounts and networks that contain this lucrative information. Reusing passwords is one way cybercriminals are able to access confidential accounts. Millions of emails are compromised, and passwords are breached every year, making highly sensitive information freely available on the deep and dark web.
If a cybercriminal does not know your account password, they have the option to reset the password using security questions. And while you may think only you or your family could correctly respond to these questions, cybercriminals who leverage social engineering can dig for the answers on your social media profiles. Take, for example, the popular Facebook post chain “about me” challenges (pictured below.) What might seem like simple fun online could quickly lead to divulging more than you know to clever cybercriminals.
Digital Executive Protection will shield you from falling victim to a hack by ensuring that there is a limited amount of public information that could be used against you. Additionally, securing your accounts by using different forms of multi-factor authentication will add another layer of complexity to cracking your accounts.
Fortalice is uniquely positioned to provide a human-centered approach to Digital Executive Protection. It is important to keep in mind that the level of protection received from an executive protection program is dependent on the service offerings of your security provider. At Fortalice, our proprietary methodology for Digital Executive Protection is backed by sophisticated tools scanning the open, deep and dark webs for information, and most importantly, is human-curated. Our human-forward approach ensures that scans and alert findings are considered against the personal and business interests of the executive, board member or high access employee. Our analysts can put information into context and act on your behalf to remediate vulnerabilities – whether that is scrubbing personal and account information available online or locking down accounts or taking back an account.