If attackers can gain the trust of executives using layered social engineering techniques, they may be able to access sensitive corporate information such as intellectual property, financial data or administrative control logins and passwords.
While phishing remains the primary pathway to executive compromise, growing C-suite awareness of that risk pushes attackers toward a more patient, in-depth approach: pretexting.
C-suite members might be contacted by an attacker posing as a one-time acquaintance or a prospective business partner.
Continued correspondence builds rapport with the executive until the attacker eventually sends a document or link along with an otherwise routine message.
According to the Verizon 2024 Data Breach Investigation Report, pretexting is now present in 25% of all business email compromise attacks.
While that figure is dwarfed by the 59% of attacks connected to ransomware, the sheer volume of ransomware activity makes it easy to miss pretexting clues as executives and IT teams focus on early detection of ransomware extortion efforts.
Pretexting rarely produces a compromise on its own.
While executives might make the mistake of responding to emails or clicking on links, the damage is relatively small-scale, especially if the incident is reported to IT immediately. A campaign that combines pretexting, network reconnaissance and vulnerability exploitation, however, has an additive effect: attackers first gain basic network access and then use information supplied by executives to reach sensitive or protected data.
The long-term timeframe of pretext efforts also reduces the chance that attackers are discovered before they act.
Once attackers convince executives to click malicious links or download infected documents, they can capture usernames and passwords.
Equipped with executive credentials, attackers can also impersonate executives and ask employees to take actions that cost companies money, such as transferring funds or making purchases.
If attackers are able to compromise data such as employee or customer information, enterprises may also face penalties for non-compliance with regulations and frameworks such as HIPAA, GDPR or CCPA.
While regular security training helps staff and C-suites spot odd behavior or strange requests, humans are predisposed to respond positively in social situations, creating the perfect opportunity for attackers.
Pretexting is an inherently human attack vector that exploits the social nature of work.
While C-suite members cannot switch off their human instincts, regular security training lets executives disrupt attacker efforts by breaking the chain at its weakest link.
Consider a pretext email that is one step in a larger plan of attack.
If board members are trained to treat every unsolicited email with suspicion, no matter how benign it appears, they can frustrate the whole campaign by removing a key link in that chain.
Pretexting helps attackers get a foot in the door by adding a layer of misdirection to executive phishing efforts.
If attackers can capture the trust of C-suite executives, they may be able to wreak havoc with little or no warning.
This Cyber News was published on securityintelligence.com. Publication date: Tue, 02 Jul 2024 14:13:05 +0000