The executive floor as a phishing victim: a study confirms the risk

2023-10-04 - Author: Jan Tissler

As a recent study shows, top managers are four times more vulnerable to phishing attacks than their employees. No wonder: cyber criminals often target them specifically. Read this article to learn how this gateway can be closed.

Phishing attacks are a great danger for companies. Employees are tricked into revealing confidential data through fake emails or websites. Usually, these attacks are sent out broadly with the aim of finding as many victims as possible. With spear phishing, however, criminals specifically target a single person or organisation, which then becomes the direct focus of their campaign. "Whaling" is when they target a high-ranking manager.

Managers more often victims of phishing than employees

According to a study by the IT security company Ivanti, backed by facts and figures, managers are substantially more likely to fall victim to such phishing attacks than regular employees. While more than a third of the managers surveyed had already fallen for a phishing email, this was the case for only 8 percent of employees. The executive floor is thus four times more susceptible to this method of attack.

"More than 1 in 3 leaders – people like CEOs, VPs and directors – have fallen victim to phishing scams, either by clicking a scam link or sending money." (Ivanti, Press Reset: A 2023 Cybersecurity Status Report)

Several factors can be identified as causes of this. For example, as previously stated, the attacks are becoming more sophisticated and targeted. According to one of the study's anonymous interviewees, even experienced staff sometimes had difficulty recognising phishing emails as such. In general, people are often the decisive factor in a cybersecurity concept.

At the same time, the workload on the executive floor can be enormous. The CEO of a company has to deal with significantly more emails and other requests than, for example, an employee down in production. They are also often under time constraints. Not every email receives their full scrutiny.

Phishing often only the first step

In all this, phishing attacks are often only an intermediate step. The actual goal can be "cloud jacking", that is, gaining access to information from ubiquitous online services. These providers usually ensure a high level of security, which is why the respondents in the Ivanti study generally view such services as a benefit for security. However, once the attackers get their hands on the access data, these services become as secure as a safe with an open door.

Phishing can also be the entry point for ransomware. In these attacks, data is encrypted by the malware and only decrypted again after payment. This also affects small and medium-sized enterprises.

This has potentially enormous financial ramifications and can even lead to a loss of face and trust with customers and the general public. This is why, for example, 90 percent of German companies have set aside funds for ransomware attacks. This often accounts for almost half of the cybersecurity budget. And, by the way, official bodies such as the National Cyber Security Centre (NCSC) warn against paying the ransom.

Recommendations for more efficient prevention

Here are some suggestions to make spear phishing and whaling more difficult:

  • Awareness-raising specifically for managers: Internal workshops, webinars and training courses should raise awareness of cyber risks specifically among senior management. The content here is purposely tailored to the role and responsibility of top managers.
  • Regular training: Security training should be as self-evident and mandatory for top management as it is for all other employees.
  • Phishing simulations: Personal weaknesses and knowledge gaps can be brought to light with the help of internally generated test emails. This increases awareness and motivates participation in training measures.
  • Control mechanisms: Technical solutions such as advanced access controls can automatically detect and restrict risky behaviour. One example may be solutions for User and Entity Behaviour Analytics (UEBA). These continuously monitor user activities and can detect deviations from normal behaviour on this basis.
  • External audits: Independent third-party analyses help to uncover blind spots and provide objective recommendations for action.
  • According to the Ivanti study, a general awareness of the problem in the boardroom also helps IT managers. Thus, 86 percent of companies with a particularly high level of security confirm that they have the support of management.
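To make the "control mechanisms" point concrete, here is a small, added illustration of the UEBA idea in the list above: build a per-user baseline from historical sign-in and audit events and flag new events that deviate from it. This is example code written for this article, not Ivanti's or any vendor's product logic. The log format, the user names and every event line are constructed; the thresholds (MIN_EVENTS, HOUR_SLACK) are assumptions chosen for the demonstration.

```python
"""Minimal UEBA-style deviation check over sign-in / audit events.

Added illustration, not a vendor's implementation. A per-user baseline is built
from historical events; a new event is flagged when it comes from a country the
user has never signed in from, falls far outside the user's usual activity
hours, or is an audit action the user has never performed before.
All sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed history, one event per line: "<UTC timestamp> <user> <country> <action>"
HISTORY = [
    "2023-09-04T07:55:00Z ceo@example.com CH login",
    "2023-09-04T08:10:00Z ceo@example.com CH read_mail",
    "2023-09-05T09:30:00Z ceo@example.com CH send_mail",
    "2023-09-06T12:05:00Z ceo@example.com DE login",
    "2023-09-06T13:40:00Z ceo@example.com DE read_mail",
    "2023-09-07T17:20:00Z ceo@example.com CH send_mail",
    "2023-09-11T08:00:00Z ceo@example.com CH login",
    "2023-09-12T18:45:00Z ceo@example.com CH read_mail",
    "2023-09-13T10:15:00Z ceo@example.com CH send_mail",
    "2023-09-14T07:30:00Z ceo@example.com CH login",
    "2023-09-15T16:00:00Z ceo@example.com DE send_mail",
    "2023-09-18T09:00:00Z ceo@example.com CH login",
]

# Constructed new events to triage against that baseline
NEW_EVENTS = [
    "2023-10-03T09:05:00Z ceo@example.com CH login",
    "2023-10-03T03:20:00Z ceo@example.com RU login",
    "2023-10-03T10:00:00Z ceo@example.com CH mailbox_forwarding_rule_created",
    "2023-10-03T10:30:00Z newhire@example.com CH login",
]

MIN_EVENTS = 10   # assumed: below this the baseline is too thin to judge deviations
HOUR_SLACK = 1    # assumed: hours adjacent to an observed hour still count as usual


def parse_event(line):
    """Split one constructed log line into (datetime, user, country, action)."""
    ts, user, country, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, country, action


def build_baseline(lines):
    """Collect, per user, the countries, hours and actions seen in the history."""
    baseline = defaultdict(
        lambda: {"countries": set(), "hours": set(), "actions": set(), "events": 0}
    )
    for line in lines:
        when, user, country, action = parse_event(line)
        b = baseline[user]
        b["countries"].add(country)
        b["hours"].add(when.hour)
        b["actions"].add(action)
        b["events"] += 1
    return dict(baseline)


def score_event(line, baseline):
    """Return a list of deviation tags for one event; an empty list means 'looks normal'."""
    when, user, country, action = parse_event(line)
    b = baseline.get(user)
    if b is None or b["events"] < MIN_EVENTS:
        # Cannot judge yet; still worth surfacing for privileged accounts.
        return ["no_baseline"]
    reasons = []
    if country not in b["countries"]:
        reasons.append(f"new_country:{country}")
    # Plain hour difference; a wrap-around at midnight would need modular arithmetic.
    if not any(abs(when.hour - h) <= HOUR_SLACK for h in b["hours"]):
        reasons.append(f"off_hours:{when.hour:02d}")
    if action not in b["actions"]:
        reasons.append(f"new_action:{action}")
    return reasons


def triage(new_lines, history_lines):
    """Score every new event against a baseline built from the history."""
    baseline = build_baseline(history_lines)
    return [(line, score_event(line, baseline)) for line in new_lines]


if __name__ == "__main__":
    for line, reasons in triage(NEW_EVENTS, HISTORY):
        print("ALERT" if reasons else "ok   ", line, reasons)
```

Two design points carry over to real deployments: a sign-in from a new country combined with an off-hours timestamp is a much stronger signal than either alone, so the tags are returned together rather than collapsed into a single boolean, and an action that never appears in a user's history (here, creating a mailbox forwarding rule) is flagged even when country and time look perfectly normal, which is exactly the case where stolen credentials are used from a familiar location.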

Closing words

Of course, top managers already have their hands full. There never seems to be enough time to organise cybersecurity training. However, the data shown here should make it clear that this is a perilous train of thought.

At the same time, the risk of attacks continues to rise. This is another reason why 71 percent of those surveyed by Ivanti stated that their budget for security measures will increase this year. On average, spending here has risen by 11 percent.