In today's digital landscape, an organization’s C-suite and senior executives hold the most valuable corporate data and sign-off authorities, meaning they represent the highest potential risk over email. Whether it’s inbound spear phishing attacks, or outbound mistakes resulting in a damaging data breach, the C-suite are vulnerable.
But what do cybercriminals want from these individuals, are breaches always a result of external actors, and what can organizations do to protect their top decision makers?
Decoding cybercriminals’ fascination with the C-suite
In what is sometimes referred to as a whaling attack, threat actors will often dedicate more time and resources to a phishing email aimed at a senior executive or C-level, using a less generic approach than they would against the rest of the workforce.
As a form of spear phishing, cybercriminals usually carry out heavy reconnaissance on the individual and the organization to leverage convincing impersonation and social engineering tactics. Because the attacks often lack an attachment or link-based payload, it is difficult for technologies that rely on signature-based detection to identify them.
They may pretend to be another stakeholder within the organization, a trusted business associate or someone within the supply chain, using minor, hard-to-notice typographical errors in an email address, or a compromised legitimate account. If a compromised account is used to send the phishing email, it can be nearly impossible for an individual to identify the email as malicious, and such attacks also bypass traditional technologies that rely on reputation-based detection methods.
The cybercriminals’ aim is to trick an individual into revealing valuable corporate information, transferring funds out of the organization, or heavily disrupting operations. So, who better to aim for than someone with considerable influence and authority? But what exactly makes the C-suite such attractive targets?
Three reasons threat actors target the C-suite:
- In short, the C-suite has insight into, access to, and control over privileged company data, systems, and finances. Such information and access are highly coveted by cybercriminals because of their potential for exploitation and illicit gain.
- Senior executives are often busy, with a very significant workload and tight deadlines, meaning they have less time to thoroughly review an email and determine its legitimacy. Egress’ 2023 Data Loss Prevention Report revealed that 66% of employees use a mobile phone to access their email outside of work, and this percentage is likely higher for time-pressed C-suites on the go. Mobile devices make spear-phishing attacks much more difficult to identify, as usually only the display name is shown, so it’s harder to spot an incorrect address.
- Those in C-suite roles often find themselves in the spotlight, leading fairly public lives. Whether through an active social media account or speeches at conferences and events, cybercriminals have a wealth of open-source intelligence (OSINT) readily available to them. This can then be used to craft convincing spear phishing or impersonation attacks.
How the C-suite has been targeted in the past 90 days
In a 90-day period, Egress platform data reveals that, within the C-suite, Chief Executive Officers (CEOs) were the number one target for phishing emails, receiving 23% of attacks, closely followed by Chief People Officers (CPOs), who received 21%. Chief Financial Officers (CFOs), who held first place when Egress ran a similar investigation in 2023, ranked third with 19%.
Given their access to systems, data and funds, it comes as no surprise that CEOs and CFOs placed in the top three targeted C-levels. Similarly, senior HR executives are privy to sensitive personal data covering recruitment, employee relations, and payroll, making them high-value targets for threat actors.
As was the case in Egress’ 2023 Email Threats Pulse Report, C-suite members whose roles relate to information security, compliance, and technology continue to rank very low – likely because cybercriminals still anticipate a lower success rate due to their elevated cyber awareness.
But what happens if any of these C-level roles reply to a phishing email that lands in their inbox?
[Figure: graph showing the breakdown of C-suite roles targeted by phishing attacks in a 90-day period, from Egress platform data]
Risk isn’t just an inbound issue
The human element accounts for 74% of all breaches, so when thinking about an organization's riskiest users, it is negligent to assume that employees are only vulnerable to external actors.
In fact, in 2023, 91% of organizations experienced security incidents caused by outbound data loss within Microsoft 365, including misdirected emails and attachments, and data exfiltration.
These outbound events could include employees replying to a phishing email, clicking the wrong recipient in the Outlook autocomplete drop-down, accidentally sending the wrong attachment, or sending work to a personal device to look at after hours.
As innocent as these actions may sound, if they are carried out by a senior executive, the consequences could be devastating. As mentioned, senior executives often hold the most sensitive company data, so if that data is sent to an unauthorized recipient it could amount to a full-scale data breach.
In addition, busy (and possibly distracted) C-suites are more susceptible to fat-finger errors, especially when using a mobile device. It is therefore imperative that organizations consider how to protect their senior executives not just against external actors, but also against outbound incidents.
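The two risks described above, a sender address with a hard-to-notice typo behind a familiar display name and an outbound recipient picked from the wrong autocomplete entry, can both be caught with the same lookalike-domain check. The following is an added illustration, not Egress's own code or model; the trusted domains, known sender and thresholds are constructed assumptions.

```python
import difflib
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "partner-corp.com"}        # constructed
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}         # constructed
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def domain_of(addr):
    """Lower-cased domain part of an address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one closely resembles, else None.
    An exact trusted domain is never reported as a lookalike."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        # Similarity ratio in [0, 1]; 'examp1e.com' vs 'example.com' scores ~0.91.
        if difflib.SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None

def inbound_flags(from_header):
    """Flags for a From: header. Catches a typo-squatted sender domain and a
    known display name paired with an unexpected address (mobile clients
    often show only the display name, hiding the address)."""
    name, addr = parseaddr(from_header)
    flags = []
    t = lookalike_of(domain_of(addr))
    if t:
        flags.append(f"sender domain {domain_of(addr)} resembles trusted {t}")
    known = KNOWN_SENDERS.get(name)
    if known and known.lower() != addr.lower():
        flags.append(f"display name '{name}' expected {known}, got {addr}")
    return flags

def outbound_flags(recipients, sensitive=False):
    """Flags for an outgoing message: a recipient domain that resembles but is
    not a trusted one (a likely autocomplete slip) and, for sensitive content,
    a personal webmail destination."""
    flags = []
    for r in recipients:
        d = domain_of(r)
        t = lookalike_of(d)
        if t:
            flags.append(f"recipient {r} resembles trusted domain {t}")
        if sensitive and d in PERSONAL_WEBMAIL:
            flags.append(f"sensitive content addressed to personal mailbox {r}")
    return flags
```

A real deployment would build the trusted set from the organization's own correspondence history rather than a static list, and would surface these flags as a prompt to the user rather than silently blocking.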
How can organizations protect their senior executives?
Tailored training for inbound threats
One way an organization can help its C-suite is by providing regular security awareness training. It is commonly known that, in the workplace, attitude comes from the top down, so not only is it important for the C-suite to show enthusiasm for security awareness, but as the highest-value targets, they are the ones who need to be the most vigilant.
Currently, 28% of organizations are using out-of-the-box security training modules and just under half (46%) are carrying out tailored training to the organization as a whole. However, as an attack sent to a C-suite is likely to be much more targeted than those sent to the masses, organizations need to ensure that they are tailoring training to each department or individual, based on the attacks that will actually land in the employee's inbox.
Is turning off Outlook autocomplete the answer on the outbound?
In response to frustrations with static DLP not adequately dealing with the human element of outbound mistakes, three-quarters (74%) of cybersecurity leaders have considered turning off Outlook autocomplete to prevent misdirected emails and attachments.
However, only 20% have actually disabled the functionality, most likely because removing autocomplete would cause immense friction to workflows, and manually typing in an email address could create just as many opportunities for mistakes. This is even more true for busy C-suite roles, who don’t have time to write out a long address every time they want to communicate over email.
The Egress approach to inbound and outbound threats
Given the responsibilities of the C-suite and senior executives, it's essential that email security does not become an additional burden. Organizations must provide them with the necessary tools to mitigate the risk of inadvertently enabling a detrimental data breach. However, sophisticated attacks that target the C-suite use tactics that easily evade traditional security technologies, and static DLP isn’t dynamic enough to catch the full spectrum of mistakes stemming from human error.
This is why many organizations are opting to layer their native security defenses in Microsoft 365 with an integrated cloud email security (ICES) solution that can neutralize advanced threats, in addition to preventing data exfiltration and misdirected emails and attachments.
Integrating with Microsoft 365 as part of the Egress Intelligent Email Security platform, both Egress Defend and Egress Prevent use AI models to detect threats and use real-time nudges to alert users to risk – on both desktop and mobile devices.
Defend utilizes pre-generative and zero-trust models, as well as linguistic, contextual, and behavioral analysis to detect advanced inbound threats such as spear phishing attacks targeting the C-suite. Prevent uses contextual machine learning and pretrained deep neural networks to identify anomalous sending behavior, stopping users from accidentally sending emails to an unauthorized recipient.
Together, Defend and Prevent work harmoniously, neutralizing sophisticated threats, preventing outbound incidents and stopping all employees, from C-suite to HR and Finance, from replying to a phishing email.
Our VIP Prevent Pack uses AI-powered email DLP to stop C-Suite, Finance, and HR from losing data and replying to phishing emails.