Robert Fitzsimons, Sales Engineer at Searchlight Security

There are a number of reasons why cybercriminals target executives. They have high personal worth, have a privileged position within their organization, and have very public profiles. These factors make them high-value marks, while also making it difficult for security teams to protect them.

In this blog, we examine the reality of executive threats, how cybercriminals and disgruntled employees target business leaders, and what security teams can do to identify when their executives are in the threat actors’ crosshairs.

What is Executive Threat?

Executive threat is a catch-all term for executives being targeted by criminals online. However, it can take many different forms and be driven by very different motives, including (but not limited to):

- Fraud - gathering enough information and data on an executive in order to assume their identity.

- Extortion - gathering sensitive information on an executive to blackmail them.

- Espionage - hacking executive accounts in order to access commercially valuable data or intellectual property.

- Reputational damage - impersonating executives or publishing sensitive information with the intention of damaging their reputation or tarnishing the organization’s brand.

Of course, one of the biggest concerns for executives is being targeted by criminals who want to cause them physical harm. Sadly, this is an all too real threat for high-profile business leaders. In 2021 research from Ontic, 24 percent of physical security and IT leaders reported that their CEO or their family members had received threats and/or were harmed when working from their private residence or while traveling that year. A further 15 percent of respondents said that their company had received executive kidnapping threats since the beginning of 2021.

What is a Whaling Attack?

Another reason executives are targeted by cybercriminals is to use their compromised accounts to target others. Whaling attacks (also known as CEO impersonation attacks) are when the accounts of high-profile employees - such as the CEO or CFO - are used to steal from the organization. The “whale” - aka the executive - is chosen for their privileged position and authority within the company, which makes it easier to trick others into handing over sensitive information or financial details.

In this attack technique, cybercriminals either create spoof accounts using the executive’s personal details or use their legitimate corporate accounts that they have hacked. The latter is known as Business Email Compromise (BEC) and is a particularly difficult technique for security teams to spot as the account is trusted on the network. Using the hijacked account, the cybercriminal masquerading as the executive can make demands of employees, contractors, or partners, who are very unlikely to question a request from someone so senior.

How Can Executive Threats Be Spotted?

Many executive threats start with the individual being “doxxed”, which means having their personal information shared on the internet with malicious intent. Executives’ personal information can often be found on the clear web, on dark web forums, on paste bins or specific dox sites without them knowing about it. In some cases, they may never become aware that data such as their home address, personal emails, and phone numbers are available online, and it remains there indefinitely for somebody to exploit.

Therefore, the first step for organizations that want to tackle executive threats is to monitor the clear, deep and dark web for data relating to their executives. In particular, they should continuously monitor dark web forums for their executives’ names, which would be an early indicator that they are being targeted, as well as for personal details such as their emails, IP address, or passwords, which would indicate that the executive has already been compromised.
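The distinction above between an early indicator and an existing compromise can be made explicit when triaging collected text. The following is an added example, not Searchlight's or DarkIQ's code: it scans text already gathered from forums and paste sites and grades each hit as a name-only mention, an exposure of personal details, or a leaked email:password pair. The watchlist entries, sample text, severity labels and function names are all constructed for illustration.

```python
import re
from dataclasses import dataclass

RANK = {"mention": 1, "exposure": 2, "credential": 3}

@dataclass(frozen=True)
class Executive:            # hypothetical watchlist entry
    name: str
    emails: tuple = ()
    phones: tuple = ()      # national number, digits only

def deobfuscate(text):
    # Posts often write user[at]example[.]com to dodge simple keyword scrapers.
    text = re.sub(r"\s*[\[(]\s*at\s*[\])]\s*", "@", text, flags=re.I)
    return re.sub(r"\s*[\[(]\s*(?:dot|\.)\s*[\])]\s*", ".", text, flags=re.I)

def triage(text, watchlist):
    """Return (name, severity, matched fields) for each executive found in text."""
    clean = deobfuscate(text).lower()
    numbers = [re.sub(r"\D", "", n) for n in re.findall(r"\+?\d[\d\s().-]{7,}\d", clean)]
    findings = []
    for ex in watchlist:
        hits = {}
        name_re = r"\b" + r"\s+".join(map(re.escape, ex.name.lower().split())) + r"\b"
        if re.search(name_re, clean):
            hits["name"] = "mention"              # discussed: early indicator
        for email in ex.emails:
            # Anchor both ends so notjane@... and ...com.au do not match.
            pat = r"(?<![\w.+-])" + re.escape(email.lower()) + r"(?!\.?[\w-])"
            if re.search(pat, clean):
                hits["email"] = "exposure"        # personal data is published
                if re.search(pat + r":\S", clean):
                    hits["password"] = "credential"   # email:secret pair
        if any(n.endswith(p) for n in numbers for p in ex.phones):
            hits["phone"] = "exposure"
        if hits:
            worst = max(hits.values(), key=RANK.get)
            findings.append((ex.name, worst, sorted(hits)))
    return findings

# Constructed watchlist and constructed collected text (not real posts).
WATCHLIST = [Executive("Jane Q. Example", ("jane@example.com", "jqe@example.net"), ("5550100123",)),
             Executive("Sam Placeholder", ("sam@example.com",))]
SAMPLES = {
    "forum": "anyone got info on Sam  Placeholder? works at ExampleCorp",
    "dox": "Jane Q. Example\nmail: jqe[at]example[.]net\ncell +1 (555) 010-0123",
    "combo": "jane@example.com:Winter2021!\nother@example.org:hunter2",
}
RESULTS = {src: triage(body, WATCHLIST) for src, body in SAMPLES.items()}
```

The function records only which fields matched, so the alert itself never stores the leaked password or phone number.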

An Example of Identified Executive Threat

A large healthcare organization located in the United States engaged us to understand their digital risk footprint on the dark web. Utilizing our dark web threat monitoring solution, DarkIQ, we found the personal email address of an executive on a paste bin dedicated to doxxing. After closer examination, we discovered that this dox included a vast amount of information on the executive that could be used for malicious purposes, such as:

- Their business and personal email addresses and contact numbers.

- Information on their spouse, including their name, contact numbers and vehicle information.

- Information about their family home.

Armed with the knowledge that this information was available on a paste bin, the organization was able to implement the necessary extra security measures required to protect the executive. Alerts were also put in place to notify the security team of any further conversations on the clear, deep and dark web that referenced the organization or the individuals mentioned in the dox, which would highlight if cybercriminals were planning an attack. 

Putting a Stop to Executive Threats

No one should ever feel that their personal safety is at risk because of their job and there are measures that can, and should, be taken to minimize the threat to executives. Continuous monitoring of executive details can alert security teams to when their staff are compromised, allowing action to be taken at the earliest opportunity to mitigate the threat or remove the data from the public domain.

By utilizing dark web monitoring capabilities, organizations are able to extend their visibility beyond their network and into the conversations and discussions happening within the criminal underground.
