Intelligent Security

Combating the ‘weakest link’ cyber threat for organisations

There is no doubt that businesses have realised the ever-present danger of technical attacks and are typically apportioning greater sums of money to combat the problem (cyber security currently accounts for 10% of IT spend across all industries). However, these technical adjuncts do not address the single most common attack ingress method – the weakest link in any technology chain – the human being.

Key Points

  • By 2028, the global cost of cybercrime is projected to be $13.82tn.
  • While most enterprise software solutions and platforms are extremely sophisticated and have foundational anti-cyber provisions built in at their core, these systems remain exposed through the weakest link in any digital ecosystem – the human being.
  • This human vulnerability threat, while applicable to all employees, is more prevalent among senior executives, their families, and those who work closely with them. A senior executive’s chance of being targeted by an offensive cyber-actor is twelve times greater than that of other employees.
  • Understanding an executive’s online vulnerability is the critical step towards combating the threat of targeted cyber-attacks.
  • Once the vulnerabilities have been identified, the subsequent mitigation steps are simple, quick, extremely effective, and significantly hamper the ingress opportunities for a would-be hacker.

The Threat

By 2028, the global cost of cybercrime is projected to be $13.82tn – a 50% increase since 2024, and indicative of the increasing scale and sophistication of the threat, combined with the difficulty of defending against it. Most, if not all, organisations have quickly understood the potential damage that such attacks pose to business continuity and have correspondingly spent billions, if not trillions, of dollars to mitigate this threat. While most enterprise software solutions and platforms are extremely sophisticated and have foundational anti-cyber provisions built in at their core, these systems remain exposed through the weakest link in any digital ecosystem – the human being.

This human vulnerability threat, while applicable to all employees, is more prevalent among senior executives, their families, and those who work closely with them. The threat vectors are numerous but can be condensed to financially motivated offensive cyber teams run by organised crime, idealist lone-wolf hackers (or hacktivists), and private for-hire hackers engaged by third parties for corporate espionage.

Vikram's Story

  1. Vikram is the CFO of MegaCorp UK, and a keen runner. MegaCorp is a leading FS institution in the United States with a global footprint of 400 locations.
  2. David is a computer science graduate from Manchester University and a hacktivist. He is frustrated by social inequality and is angered by an article he reads in the Guardian about corporate bonuses.
  3. David identifies Vikram as MegaCorp’s CFO from its website’s people page, and after some online research finds Vikram’s Strava profile.
  4. Vikram’s Strava account is public, and David analyses Vikram’s running routes. The convergence of Vikram’s routes leads David to identify a potential home address for Vikram.
  5. David then analyses Vikram’s social media network and finds pictures of Vikram’s family. A photograph taken in Vikram’s garden by his wife during a summertime barbecue, as well as Google street map imagery, allows David to confirm that the house identified on Strava is indeed Vikram’s home address.
  6. David navigates to Vikram’s house and, using a commercially available device, clones Vikram’s home WiFi network.
  7. Vikram connects to what he believes is his WiFi network to check some emails in the evening – it is in fact a spoof network established by David.
  8. David now has full access to Vikram’s devices and installs malware onto MegaCorp’s global ERP system.

Miriam's Story

1. Miriam Jones is the Executive Assistant for John Taylor, the CEO of Austin Exploration, a US-based global energy company.
2. John’s social media presence is extremely limited although his name and a short bio appear on the corporate website, and he does have a LinkedIn account. Miriam is an avid poster on the social media platforms Instagram and Facebook, and both her profiles are public.
3. Sasha is a cyber criminal and is part of a structured, medium-sized cyber organised crime team based in Warsaw.
4. Sasha explores Austin Exploration’s website and notes that John is the CEO. While there are no obvious contact details, Sasha is able to determine Austin Exploration’s email domain name from the ‘contact us’ page on the website.
5. Sasha then examines John’s online presence but can only find a LinkedIn account. Although the account is mostly private, Sasha is able to view several of John’s connections and identifies Miriam. Miriam’s LinkedIn profile is completely public, and Sasha is able to see that she is the EA for Austin Exploration’s CEO.
6. Sasha then explores Miriam’s social media activity in more detail, and from Instagram posts learns that Miriam had spent the previous weekend wine tasting with friends in Napa Valley and has a labrador puppy called Teddy.
7. Sasha then uses this information to create a spoof email from ‘John’ to Miriam asking for the urgent delivery of funds to a fake company’s bank account.
8. Miriam immediately directs Joe from the finance team to authorise the payment using her delegated authority responsibility – the payment is authorised later that day.

Alex's Story

1. Alexandru (Alex) Ianculescu is a senior consultant in the finance department of Assure, a global mid-market accounting advisory firm. He is based in Romania with the majority of Assure’s offshore services team. Sian Hughes is the Finance Director of Assure’s UK operations in London.
2. Anatoly is part of a large offensive cyber team, backed by Russian organised crime, based in Vladivostok. After a short period of online research, Anatoly identifies Alex as a target of interest from his social media activity.
3. Anatoly discovers Alex’s personal email address and mobile number from a TikTok account, and via text message informs him that his Yahoo email account has been compromised and requires a password reset.
4. Alex immediately clicks the password reset link that has been sent to him via text message and is redirected to a fake Yahoo site developed by Anatoly.
5. Alex is somewhat suspicious, but the site’s requirement for multi-factor authentication (MFA) comforts him and he uses his MFA app to input the required code.
6. In real time, Anatoly can see the MFA code being entered on his screen and uses it to gain access to Alex’s Yahoo email account. With this access, Anatoly analyses Alex’s email history and notices an email sent to sian.hughes@assure.co.uk two weeks previously containing a booking link to a restaurant in Bucharest.
7. After a 4-week cooling-off period, during which he conducts some online research on Sian, Anatoly uses this information to create a spoof email from ‘Sian’ to Alex’s work email address asking for the urgent payment of several invoices which he has attached.
8. Alex receives the ‘internal’ email and actions the payments – there are four in total, amounting to the transfer of £845,700 into the bank accounts of fake companies that Anatoly has created.

The Solution

Understanding an executive’s online vulnerability is the critical step towards combating the threat of targeted cyber-attacks. An online vulnerability assessment (OVA) is a comprehensive investigation into an individual’s online presence with the aim of identifying areas of security vulnerabilities and providing suggestions on how to mitigate them. Once the vulnerabilities have been identified, the subsequent mitigation steps are simple, quick, and extremely effective, and significantly hamper the ingress opportunities for a would-be hacker.
