Protecting Managers from Identity Spoofing

Patrik Csokas
Feb 7, 2019


A short article on how adding a small layer of security can go a long way in protecting yourself from being scammed and having your identity/data stolen

If we were to point out the most frequently used phishing attacks with the highest success rate in the world of the Internet, this infamous “prize” would most likely go to spoofing attacks — also known as identity spoofing. Identity spoofing is an action in which attackers take the identity of another (human or non-human) entity to achieve fraudulent goals or gain an illegitimate advantage. Imagine if somebody with the identity of a company’s CEO sent out an email to the accounting department, requesting immediate invoice payment or, even worse, gaining access to the company’s private assets. Shouldn’t such requests be naturally regulated?

This raises the question: should a company’s CEO hold fewer access rights than his subordinates? Here, the rationale can be grounded in the counter-question: why would a company leader need administrator privileges, and why would he need to hold private keys? The Founder and CEO of DECENT, Matej Michalko, together with the company’s IT management, has followed this practice and made it a priority to disseminate imperative information in order to pre-empt any malicious behaviors.

Throughout history, top corporate executives have always acted as high-value targets for these attackers — especially since the more they travel around the world, the more susceptible they are to becoming victims of such attacks. This should be the utmost concern for organizations — to protect their C-level executives and compel them to use the strictest data protection standards and appropriate security technologies whenever possible.

How should this be implemented?

The most important part is to make the risk clear to the executives: to demonstrate how easily they can become targets and what consequences might ultimately follow. Granted, with all their responsibilities, obligations and concerns, people in leading positions don’t have time to constantly worry about having a large bullseye painted on their backs, but they should be worried. While managers go about their work routine every day, attackers are spending time planning, practicing and improving their skills before executing their masterplan against high-value targets.

This matter does not only concern professional/work accounts. As a matter of fact, social and personal accounts can be compromised just as easily. On the other hand, it might be a challenge to convince the executives to adopt countermeasures, as these interfere with their style of work.

IT Managers cannot fully rely on executives to operate in a secure manner, and they need to ensure that all technological controls are in place on an infrastructural level. How do we implement such countermeasures effectively into practice?

The most basic sequence of questions to ask in this case would be:

Regarding your phone:

  • Is it encrypted?
  • Do you store sensitive emails on your mobile phone?
  • Are any of your sensitive emails encrypted?
  • What applications do you have your private and work accounts associated with?

Regarding your computer:

  • If an attacker crashes your computer, will you lose anything? Do you have proper backups?
  • Is your drive encrypted?
  • Are any of your sensitive emails encrypted?

Regarding your company’s technical infrastructure:

  • What internal resources do you have access to?
  • Which social media platforms do you use and for what purpose?
  • Do you partake in online sweepstakes to win free stuff, essentially sharing your personal data?

Unfortunately, enforcing regulations and digital boundaries on highly skilled executives does not work anymore. The only way to eliminate attacks is through open and proper communication and training. It is really important to understand that hackers are able to build a really precise information base from sites such as Facebook, Twitter, LinkedIn, Instagram, etc. This information base can then be used to perfectly tailor a phishing attack. In the history of cyber attacks, these fraudulent acts have always had high success rates because the human factor can, regrettably, fail.

Because most attacks arrive via email messages, the most basic, prioritized and mandatory step should be to have your emails secured as much as possible. Spam filters, SPF and DKIM records, antivirus systems and other effective measures are key defensive mechanisms everyone should utilize.
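As an added example (not code from the article or from DECENT), the sketch below shows how a mail filter could combine SPF/DKIM verdicts with a display-name check to catch the "CEO emails accounting" scenario described earlier. The executive name, company domain and mail server hostname are assumptions, the messages are constructed samples, and alignment of the authenticated domain with the From domain is not checked.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not from the article: protected names, company domain and
# the hostname of the company's own receiving mail server.
EXECUTIVES = {"jane example"}
COMPANY_DOMAIN = "example.com"
TRUSTED_AUTHSERV = "mx.example.com"

def auth_results(msg):
    """SPF/DKIM verdicts, read only from headers added by our own server."""
    trusted = [h.lower() for h in msg.get_all("Authentication-Results", [])
               if h.strip().lower().startswith(TRUSTED_AUTHSERV)]
    found = dict(re.findall(r"\b(spf|dkim)=(\w+)", " ".join(trusted)))
    return {method: found.get(method, "none") for method in ("spf", "dkim")}

def spoofing_flags(raw):
    """Return the reasons a raw message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # A look-alike domain can pass SPF/DKIM for itself, so check the name too.
    if " ".join(name.lower().split()) in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name from external domain")
    # Mail claiming the company domain is flagged unless both verdicts pass.
    if domain == COMPANY_DOMAIN:
        for method, result in auth_results(msg).items():
            if result != "pass":
                flags.append(f"{method} {result} for company domain")
    return flags

# Constructed sample messages (not real traffic).
LEGIT = ("From: Jane Example <jane@example.com>\n"
         "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
         "Subject: Q1 report\n\nSee attached.\n")
LOOKALIKE = ('From: "Jane Example" <jane@mail-example.net>\n'
             "Authentication-Results: mx.example.com; spf=pass; dkim=pass\n"
             "Subject: Urgent invoice payment\n\nPay today.\n")
FORGED = ("From: Jane Example <jane@example.com>\n"
          "Authentication-Results: mx.example.com; spf=fail; dkim=none\n"
          "Subject: Urgent invoice payment\n\nPay today.\n")

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("forged", FORGED)):
        print(label, spoofing_flags(raw))
```

The look-alike sample passes SPF and DKIM for its own domain, which is why the display-name check is needed alongside the DNS records.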

What countermeasures can one use on business trips?

As I have mentioned above, executives who travel on business carry a higher risk of being attacked. Throughout the last couple of years, these attacks have evolved from purely digital attacks to include physical attacks against people who potentially hold large amounts of BTC, ETH, DCT, or any other coins/tokens in their wallets, and this is the harsh reality. Therefore, it is highly recommended for companies to have their procedures in place, and not to leave executives or top-level managers in dire straits.

Besides physical attacks, check-in and check-out procedures should be defined and applied to electronic devices as well. One way to lower the odds of an attack could be to use a virtual OS image on all business trips and simply wipe it upon return to the office.

Most of the websites and spam emails shoving attractive prizes in your face are fake and are used only for gaining information from the possible victims. Don’t forget to double check and think twice, whether it concerns protecting your personal data or giving it away. With that said, always try to remember this: If you’re not paying, you are the product.


Patrik Csokas is a blockchain enthusiast with a passion for cybersecurity, having more than 10 years of professional experience. CEO at Eworq Solutions.