When the boss is away, the hackers will play…the role of CEO.
And thanks to all the selfies and location info available on social media, cybercriminals can pick opportune times to play bossfake.
When it’s easier than ever to find the OOO exec, IT pros need to have verification methods in place to prove that the margarita-sipping-on-a-beach-asking-for-important-data boss is, in fact, the margarita-sipping-on-a-beach-asking-for-important-data boss.
“Always assume bad guys will know if somebody’s on travel,” said John Pescatore, director of emerging security trends at the SANS Institute.
CEOhhhh nooooo. One simple safeguard is “the Houdini,” as Pescatore puts it.
Lore has it that Harry Houdini gave his wife a special codeword to ensure that any seancers claiming to contact the escape artist in the afterlife had the credentials to prove it.
For an exec texting for a wire transfer or a CFO emailing for a sales presentation, an agreed-upon verbal code can help a company wriggle out of a fraud scenario and verify the connection.
A verbal password can be added to a travel checklist familiar to most IT pros:
- Stay off the public wi-fi and use VPNs to encrypt traffic.
- Deploy multi-factor authentication (MFA) to protect against any credential compromise.
- Keep devices close. “Literally across from me, there’s a laptop on a table,” said Doug Saylors, partner at the consultancy ISC, who took an interview from the airport and spotted an abandoned device.
While VPNs can prevent man-in-the-middle attacks and MFA protects access to a lost laptop, orgs lost $2.4 billion to business email compromise. A business email compromise (BEC) scam appears to come from a legitimate request, like a vendor sending an invoice or a CEO asking an assistant to purchase gift cards for employee rewards.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
In February, Europol dismantled a “CEO fraud” group impersonating execs and requesting last-minute wire changes to the accounting department.
If a group knows that the boss is on vacation, an attacker can create a false sense of urgency, said Pescatore. A CFO might get a phishy text or email saying: Hey, we gotta get this money over to a vendor by midnight.
Hou-dun-it? Employees in suspicious scenarios should initiate the conversation, not click any links, and go “out-of-band” and outside the initial communication, according to Tim Callan, chief experience officer at the digital-certificate provider Sectigo.
“When you’re being asked for money to access or sensitive information, by somebody who’s purporting to be someone you know and trust, but the context is strange and unusual…especially when they’re creating a sense of urgency, that is when the warning flags should go up,“ said Callan.
A phone call to the boss may not even be enough assurance. According to a late 2022 VMware report, respondents saw a 13% rise in malicious deepfakes—and a little less than half were of the audio variety.
Encourage employees to send a Slack, call their number, do the Houdini.
“Assume it’s known that they’re traveling, and have this some sort of process in place to deal with that just in case,” said Pescatore.