Hackers impersonate CXOs to swindle money off lower-level employees

Last week, Patrick Hillman, the chief communication officer of crypto exchange Binance, wrote a blog post explaining how scammers had been creating deepfakes of him using interviews he had given to various TV channels in order to scam crypto users on social media. While Hillman’s case is a particularly advanced incident, security experts have noted that hackers impersonating top level executives at firms has become a common affair nowadays.

“Phishing and scamming threats, where attackers pretend to be from our company and try to dupe our own employees, are extremely common. They are not just restricted to emails, and spill over to WhatsApp as well,” said B.K. Raju, chief information security officer (CISO) at public sector company, Oil and Natural Gas Corporation (ONGC). 

While citing one such attack on Tuesday, security firm Check Point Security said that most such incidents fall under a form of cyberattack called Business Email Compromise (BEC). The company blocked a similar attack where hackers impersonated a company’s chief financial office (CFO) to swindle money from lower-level employees.

To do so, hackers first find legitimate email ids from the company’s finance division. They then create similar looking email addresses and send mails to company executives, asking them to transfer money to a customer, or for other purposes. They could also ask for access to sensitive information about the company.

According to Makarand Sawant, vice president - information technology at Sahyadri Hospitals, a private hospital chain in Maharashtra, such threats have gained greater prominence over the last 2-3 years. He added that deploying advanced threat protection (ATP) solutions, like a cloud-based email filtering service, can help protect firms, but no organization is fully immune to such threats. 

“The company has also deployed XDR (extended detection and response) solutions that help detect, prevent and mitigate host-based cyber risks and threats,” he added. XDR solutions use telemetry, data analysis and more to find security threats before they can hurt a company, while cloud-based email filtering tools are meant to catch spam emails before they hit employees’ inboxes.

That said, while solutions like this can help, J.S. Sodhi, group chief information officer and senior vice president at Delhi-based Amity Education Group noted that “user awareness is the key” to mitigate phishing, spoofing and other threats.

“We conduct rigorous security awareness and training to help reduce the chances that employees will click on phishing links or fall victim to other types of attacks,” he said. 

ONGC’s Raju, agreed, saying that to handle such threats, the company organizes regular initiatives to train their employees about such threats. "We organized an information security day on August 4 to demonstrate to our employees how these threats work. Earlier this week, we also organized an InfoSec Quiz that our employees had to partake — in order to spread awareness regarding such issues," he said. 

"At the end of the day, it is the individual more than the company that pays the price, since most of such bulk scam attempts only have financial gains in mind," said Akshat Jain, chief technology officer of Indian cyber security firm Cyware. “The key threat that has risen with remote work is the use of both personal and work emails on the same browser window, and the overlap of work resources. Proxies are being increasingly put in place to filter out such threats, but the risk of an unaware employee is still there,” he added.