Executive Phishing: Don’t let a fake boss cost you real money

You receive a WhatsApp message or an email from your boss, asking you to handle a discreet assignment. The message is laced with urgency and authority, making it difficult to refuse. But beware, dear employee, for this could be a trap set by cyber fraudsters. Executive phishing, a form of targeted phishing, has been gaining popularity among scammers, who target gullible colleagues with fake messages that appear to come from their bosses.

The tactics used by these hackers are devious and rely on the psychology of obedience. A boss is asking you to do something, and you can't generally say "no". The message may be convincing enough that you do not stop to question it. Take, for instance, a private-company employee who received a message from his 'CEO' asking him to buy a few gift cards to be presented to some clients.

“I’m at a conference. We need to provide our clients with some gift cards, and I want you to handle this discreetly for me,” the message said. The employee was initially taken in by the message, but soon realized that something was amiss when he noticed that the sender's account carried a photo of his boss yet came from a new number.

Stan Kaminsky, a cybersecurity expert at Kaspersky, warns that such messages come in dozens of flavors. Hackers often cite involvement of regulators, police, or major business partners to gain credibility. They then suggest all manner of ways to “solve the problem” with a colleague's help. The person approaching the victim appears to be someone the victim knows to some extent – and a fairly important person at that.

“Scammers often choose a C-level manager’s profile as bait. First, they have authority; second, chances are the victim knows the person, but not well enough to spot the inevitable differences in speech or writing style,” Kaminsky said. To prevent interference with the fraud, the fake boss initially warns the victim against discussing the incident, citing disastrous consequences.

The fraudster often claims a lack of trust in others or alleges disloyalty among other employees, aiming to isolate the victim until their demands are met. And WhatsApp is not the only medium these scammers exploit: they use business email too to lure victims into the trap.
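One way to turn the warning signs described above (an executive's name on a new number or address, a request for discretion, gift cards, a claim of being unreachable) into a mail-room screening check. This is an added Python example, not code from Kaspersky, NordStellar or this article; the executive directory, sender identities and sample messages are constructed, and the scoring weights are an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed directory: the only sender identities each executive legitimately uses.
EXEC_DIRECTORY: Dict[str, Dict[str, str]] = {
    "jane doe": {"email": "jane.doe@example.com", "phone": "+15550001111"},
}

# Lure indicators drawn from the pattern described in the article.
LURE_PATTERNS: Dict[str, str] = {
    "gift_cards": r"\bgift\s*cards?\b",
    "discretion": r"\b(discreet(ly)?|confidential|don'?t (tell|discuss|mention)|between us)\b",
    "urgency": r"\b(urgent(ly)?|asap|right away|immediately)\b",
    "unreachable": r"\b(at|in) a (conference|meeting)\b|\bcan'?t talk\b",
    "authority_pressure": r"\b(regulators?|police|business partners?|audit)\b",
}

SUSPICION_THRESHOLD = 3  # assumption: an impersonated sender alone is enough to flag


@dataclass
class Message:
    display_name: str   # name shown to the recipient (or the WhatsApp profile name)
    sender: str         # address or phone number the message actually came from
    body: str


def assess(msg: Message) -> Tuple[int, List[str]]:
    """Return a risk score and the list of indicators that fired."""
    score, findings = 0, []
    entry = EXEC_DIRECTORY.get(msg.display_name.strip().lower())
    # Executive's name (or photo) on an identity we have never seen for them.
    if entry and msg.sender.strip().lower() not in (entry["email"], entry["phone"]):
        findings.append("exec name from unknown sender")
        score += 3
    for name, pattern in LURE_PATTERNS.items():
        if re.search(pattern, msg.body, re.IGNORECASE):
            findings.append(name)
            score += 1
    return score, findings


def is_suspicious(msg: Message) -> bool:
    return assess(msg)[0] >= SUSPICION_THRESHOLD


# Constructed samples: the article's gift-card lure from a new number, and a routine request.
SUSPECT = Message("Jane Doe", "+15559998888",
                  "I'm at a conference. We need to provide our clients with some gift cards, "
                  "and I want you to handle this discreetly for me.")
LEGIT = Message("Jane Doe", "jane.doe@example.com", "Please send me the Q3 report by Friday.")
```

A message from a known sender that still trips several lure patterns is worth a second look too, since a compromised real account shows the same behaviour.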

Vakaris Noreika, a cybersecurity expert at the Lithuania-based threat management platform NordStellar, says business email compromise is a sophisticated social engineering attack to deceive victims by impersonating trusted individuals – their colleagues. Unlike traditional phishing scams, these attacks are highly targeted and personalised, relying on broader research about the company, its employees, and even conversations within the organisation.

“Even the most cyber-aware user can fall victim to business email compromise attacks because they exploit the added layer of trust that comes with impersonating a person of authority in the organisation,” Noreika said. According to the FBI Internet Crime Report 2024, business email compromise was the second most expensive cybercrime by losses experienced, amounting to over $2.7 billion.

Noreika advises companies to build a comprehensive security strategy and raise employee cybersecurity awareness. He also recommends monitoring the dark web for potential employee data leaks to prevent cybercriminals from infiltrating the network using leaked or stolen credentials.