BOXX Insurance has found that C-level executives are easy “spear-phishing” targets.
BOXX Insurance, a cyber attack insurance company based in Toronto, Canada, has found that CEOs and other C-level executives are increasingly the victims of spear-phishing scams.
Credentials for executives at this level are sold on the dark web for as little as $250 per user.
The cyber attack insurance provider has cautioned that executives are increasingly filing claims after being targeted by fraudulent emails that appear to come from a source they trust. The emails request confidential information, which is then shared on the assumption that the request is legitimate.
The insurer released a report describing an example based on one of its clients’ claims. In this instance a senior member of the company’s finance department received a phishing email earlier this year; the compromised account was then used to broadcast the same message to everyone on that account’s contact list. In that particular instance the broker was able to keep the damage and reputational harm contained, but this is often not the case, explained Vishal Kundi, the CEO and co-founder of BOXX.
This type of phishing scam has become commonplace and cyber attack insurance claims are frequent.
“As an example, cybercriminals have created a phishing kit featuring fake Microsoft Office 365 password alerts as a lure to target the credentials of chief executives, business owners, and those with ‘chief financial something’ in their title,” explained Kundi. There are a number of dark web forums selling executive Office 365 credentials at a surprisingly low rate, often between $250 and $500, he added.
“Cybercriminals can also use an executive’s credentials to conduct additional attacks, targeting other employees and even third-party partners in the executive’s address book with phishing emails,” said Kundi. “Unfortunately, this type of threat isn’t always easy to get across to senior executives. You probably still come across top executives sometimes who view email security mechanisms or policies as an inconvenience to them.”
As a result, many cyber attack insurers find that companies assume they will not be a target and therefore choose not to purchase the coverage they would need to protect themselves against this type of scam. Many senior executives have yet to fully understand their exposure to this kind of attack and what coverage provides when a phishing scam succeeds.