Keeping VIP Emails Safe: Why Your Executives Are Your Largest Security Concern

Originally published by Abnormal Security.

Written by Mike Britton.

Account takeovers are, unfortunately, relatively easy to execute and incredibly difficult for legacy email security solutions to detect. Additionally, once an account has been compromised, it can lead to more costly attacks such as data breaches and payment fraud.

VIP account takeover, in which an executive’s email account is compromised, can be especially damaging.

While executive leaders face unique major threats, best practices for protecting their security are relevant to all of us. In this article, we’ll examine why executives are popular targets for account takeovers, the consequences of a successful takeover, and how enterprises can prevent these attacks.

VIP Motivation: High Stakes and Big Payoffs

Business leaders—those who hold power, influence, and access in an organization—are the most tempting targets for email account takeover. Their inboxes are teeming with valuable, proprietary, and sensitive information about the company’s activities and other confidential matters. As a result, gaining access to an executive’s email account is a rich prize for identity theft and countless fraudulent schemes—much more so than your average employee.

VIPs are also visible throughout the company and often throughout the entire industry. They show up prominently on sales platforms, in sales conversations and strategic meetings, and in news articles about major decisions.

So a threat actor doesn’t have to do much digging to identify them as influential repositories of information. A simple understanding of the display name pattern and the company domain can give them the starting point for launching brute force attacks, or for tricking the executive with a sophisticated credential phishing email.

Further, multiple people typically need access to an executive’s accounts to support their work, giving attackers many avenues of potential entry. It’s not only the executives themselves that they can target, but also any assistants who may work with them on a regular basis and have full or partial access to their email and calendars.

Thus, it’s not uncommon for an executive to be logged in from multiple locations and devices—as multiple people are legitimately working from the account.

Security Challenges: A Recipe for Executive Headaches

Just because an executive is a talented, motivated leader doesn’t make that person a security superhero. These are busy, focused individuals, constantly interacting with internal and external stakeholders, and under pressure from all sides.

Most of all, executive leaders are keenly focused on their own high-level challenges and strategic decision-making. They don’t have time to go through best practices with every communication—checking inbox rules or domains for subtle abnormalities and hidden threats that would expose an attacker.

Threat actors take advantage of this, using deception, patience, and opportunism to trick an executive into falling for an email attack. Whether it is asking for “official” approval of a fake invoice or requesting credentials for an account, social engineering tactics can be successful on employees at all levels of the organization.

There is little denying that an email account is both a core resource and a core weakness. It’s the communication hub for nearly everything happening within an organization, and access is integral to managing logins to just about every other tool within the company. If threat actors can hijack an account, they can pivot into all sorts of mischief—changing inbox rules to keep the actual owner of the account unaware of their damaging behavior, forwarding their emails to an alternate account, or moving laterally throughout the environment to compromise other applications.

When you think about how much information executives are privy to, it becomes obvious how important it is to keep these VIP email accounts secure.

Guarding the Castle: How to Avoid Compromised Accounts

Awareness and training will always be important, but regardless of role, every employee is human and every human makes mistakes. Unfortunately, it’s not uncommon for a VIP—or any user—to engage with a threat actor without any idea that an attack is occurring within the inbox.

Therefore, the ideal email security system must understand normal email traffic patterns and spot anomalies instantly, analyze email content and context, and automatically take action to reveal and mitigate threats before an end user can engage. Additionally, when accounts are compromised, either as a result of a successful credential phishing attack or determined credential stuffing, security leaders should be made aware immediately.

With the right email security solution, executive leaders can breathe easier knowing that their cloud environment is being proactively scanned and protected against attack. Since discovering a breach through normal channels can take 250 days, it’s wise to have controls in place that prevent this type of incident from occurring at all.