Boss Phishing: The Inside Track to Data Breaches

The culprits in hacking events and data breaches have often been seen as mysterious figures with high levels of computer skill. They’re the stuff of blockbuster cyberthrillers, often portrayed as slightly unstable geniuses with unstoppable abilities. But the reality of hacking and data breaches is far more mundane than Hollywood would have us believe; in fact, with the tools and methods now available, stealing information can be a fairly unskilled crime if the thief has the right powers of persuasion.

The easiest way to steal data seems almost too obvious: simply convince someone to give it to you. Employees at every level within a company can be the targets of a low-tech scammer, from the custodian all the way up to the C-suite executive, as an alarming number of companies have already discovered.

How do scammers manage to convince company employees to hand over access to entire databases of information? Through an increasingly common tactic known as “boss phishing.” This method, which has also been referred to as CEO phishing, spoofing, and business email compromise (BEC), uses a bogus email that appears to come from someone higher up in the company, perhaps even the CEO, to persuade a lower-level employee to provide data, change a password, transfer funds, or carry out some other unauthorized action. The message may carry a spoofed sender address, come from a look-alike domain, or be sent from a legitimate internal account the attacker has already compromised. Once the recipient complies, the attackers have what they asked for: records, credentials, or money.

Boss phishing works for two major reasons: it’s cheap and easy to do, and the recipient believes they are complying with a superior’s orders. Questioning the boss’ orders is usually frowned upon, and the messages typically add urgency and a reason the “boss” cannot be reached any other way, so employees all too often comply when they’re told to hand over information or transfer money from one account to another.

Some of the companies hit by a successful boss phishing attack just in 2016 include medical centers, schools, retailers, social media websites, and, perhaps most surprising, software and technology companies. Advance Auto Parts and Snapchat were among the more recognizable household names to be targeted earlier this year. In some cases, the stolen records belonged to employees of the company, while in other cases it was customers, patients, or students whose records were accessed.

Since this form of attack is both easy and effective, companies have to take the threat seriously and enact a full-spectrum effort to prevent it. A company policy against fulfilling any emailed directive of a sensitive nature without out-of-band verification is a good start: a phone call to a number already on file (never one supplied in the email itself), or a walk to the boss’ office, so long as everyone understands that questioning the order isn’t insubordination, but instead is just smart cybersecurity. Another key step is to limit who has access to large databases of stored information; if the “boss” emails an employee with instructions to do something the employee isn’t even capable of doing, that itself is a warning sign that an attacker is at work.
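The policy above depends on people noticing the request is odd; the mail system can raise the flag first. The following is an added example, not code from the original article or from any of the companies it names, of a simple screen for the impersonation pattern described earlier: a From display name that matches a known executive but a sender address that is not that executive’s, a sender domain that merely resembles the company’s, or a Reply-To that diverts responses elsewhere. The company domain, executive list, sensitive-term list, and both sample messages are constructed for the example. Keyword hits alone do not mark a message suspicious, since a real boss also asks about payroll; they are reported so a reviewer can prioritize structurally suspicious mail that also asks for money, credentials, or records.

```python
"""Heuristic screen for "boss phishing" (executive impersonation) email.

Added example; assumes an organization domain, an executive directory and a
list of sensitive request terms, all constructed below. Uses only the
standard library.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed organization data (assumptions for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam lee": "sam.lee@example.com",
}
SENSITIVE_TERMS = (
    "wire transfer", "w-2", "password", "employee records", "gift card", "payroll",
)


def _norm(name):
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def screen_message(raw):
    """Screen one RFC 5322 message given as a string.

    Returns {"flags": [...], "sensitive": [...], "suspicious": bool}.
    "flags" are structural impersonation indicators; "sensitive" lists request
    terms found in the body; "suspicious" is true when any flag fired.
    """
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # Display name matches an executive but the address is not theirs.
    exec_addr = EXECUTIVES.get(_norm(from_name))
    if exec_addr and from_addr != exec_addr:
        flags.append(f"display name '{from_name}' matches an executive "
                     f"but sender is {from_addr}")

    # Sender domain is not ours but contains our name (look-alike domain).
    if from_domain != COMPANY_DOMAIN and COMPANY_DOMAIN.split(".")[0] in from_domain:
        flags.append(f"look-alike sender domain {from_domain}")

    # Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_to = reply_to.lower()
    if reply_to and reply_to != from_addr:
        flags.append(f"Reply-To {reply_to} differs from From {from_addr}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    sensitive = [term for term in SENSITIVE_TERMS if term in text]

    return {"flags": flags, "sensitive": sensitive, "suspicious": bool(flags)}


# Constructed sample messages: one impersonation attempt, one genuine request.
SPOOFED = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: ceo.janedoe@mail-example.net
To: payroll@example.com
Subject: Urgent request
Content-Type: text/plain; charset="utf-8"

Please send me the W-2 forms for all employees today. I am in a meeting, email only.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Payroll calendar
Content-Type: text/plain; charset="utf-8"

Can you confirm the payroll cutoff date for next month?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, screen_message(raw))
```

The screen is deliberately conservative: a genuine message from the executive’s real address with no Reply-To trick produces no flags even when it mentions payroll, while the spoofed sample trips all three structural checks and also asks for W-2 data. In a real deployment the executive directory would come from the identity provider, and DMARC/DKIM results on the message would be a stronger signal than the look-alike domain heuristic used here.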