As a recent study shows, top managers are four times more vulnerable to phishing attacks than their employees. No wonder: cyber criminals often target them specifically. Read this article to learn how this gateway can be closed.
Phishing attacks are a great danger for companies. Employees are tricked into revealing confidential data through fake emails or websites. Usually, these attacks are spread widely with the aim of finding as many victims as possible. With spear phishing, however, criminals specifically target a single person or organisation that subsequently becomes the direct focus of their campaign. "Whaling" is when they target a high-ranking manager.
According to a study by the IT security company Ivanti, which is backed by facts and figures, managers are substantially more likely to fall victim to such phishing attacks than regular employees. While more than a third of the managers surveyed had already fallen for a phishing email, this was the case for only 8 percent of employees. The executive floor is thus four times more susceptible to this method of attack.
"More than 1 in 3 leaders – people like CEOs, VPs and directors – have fallen victim to phishing scams, either by clicking a scam link or sending money." Press Reset: A 2023 Cybersecurity Status Report
Several factors can be identified as causes of this. For example, as previously stated, the attacks are becoming more sophisticated and targeted. According to one of the study's anonymous interviewees, even experienced staff sometimes had difficulty recognising phishing emails as such. In general, people are often the most significant factor in a cybersecurity concept.
At the same time, the workload on the executive floor can be enormous. The CEO of a company has to deal with significantly more emails and other requests than, for example, an employee down in production. They are also often under time constraints. Not every email is met with the highest level of alertness.
In all this, phishing attacks are often only an intermediate step. The actual goal can be "cloud jacking", that is, gaining access to information from ubiquitous online services. These providers usually ensure a high level of security, which is why the respondents in the Ivanti study generally view such services as a benefit for security. However, once the attackers get their hands on the access data, these services become as secure as a safe with an open door.
Another goal of phishing can be a ransomware attack. In these attacks, data is encrypted by the malware and only decrypted again after payment. This also affects small and medium-sized enterprises.
This has potentially enormous financial ramifications and can even lead to a loss of face and trust with customers and the general public. This is why, for example, 90 percent of German companies have set aside funds for ransomware attacks. This often accounts for almost half of the cybersecurity budget. And, by the way, official bodies such as the National Cyber Security Centre (NCSC) warn against paying the ransom.
Here are some suggestions to make spear phishing and whaling more difficult:
Of course, top managers already have their hands full. There never seems to be enough time to organise cybersecurity training. However, the data shown here should make it clear that this is a perilous train of thought.
At the same time, the risk of attacks continues to rise. This is another reason why 71 percent of those surveyed by Ivanti stated that their budget for security measures will increase this year. On average, spending here has risen by 11 percent.