Why your board members could be your greatest risk
We were recently doing some cyber security awareness training with a Dublin-based housing organisation. One of their board members received an email purporting to be from Microsoft exhorting him to “urgently review login attempts”. The email looked completely genuine. The logo and typeface looked fine. And there were no spelling or grammar errors. The email link directed him to an Office 365 portal where again everything seemed genuine. This login page even had a TLS certificate and a reassuring padlock.
But here is the rub: at the top of the “Office 365 login page”, the housing association’s name was embedded in the URL. Taking all these factors together, and adding his curiosity about these mysterious login attempts, the board member entered his Office 365 password.
A few days later he discovered that his email address was being used to send out fake invoices under the banner of his housing association’s brand.
This type of attack is extremely convincing because cyber criminals are able to abuse Azure Static Web Apps to build customised login pages that closely mimic the organisation’s own Office 365 login portal. What’s more, these login pages are not flagged by firewalls, email gateways or anti-virus software because they’re hosted on Microsoft infrastructure. And for that added sense of false security, they also use TLS certificates.
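To make that point concrete, here is an added example (not part of the original post or of SecureClick’s training material) of a simple URL check that a mail-gateway rule or help-desk script could apply: it deliberately ignores HTTPS and asks only whether a brand-named login link points at a genuine Microsoft sign-in host, at the organisation’s own domain, or at shared hosting that any tenant can publish to. The hosting domains, the organisation name and the sample email are assumptions.

```python
import re
from urllib.parse import urlsplit

# Hosts on which Microsoft itself serves Office 365 / Entra ID sign-in pages.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
# Shared hosting on Microsoft infrastructure where any tenant can publish a site
# (assumed default domains for Azure Static Web Apps and two similar services).
SHARED_MS_HOSTING = ("azurestaticapps.net", "azurewebsites.net", "web.core.windows.net")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_login_url(url, org_domains, brand_keywords):
    """Return (verdict, reason) for a URL found in an email.

    org_domains: domains the organisation really owns. brand_keywords: strings
    that identify it (name, acronym). 'suspicious' covers the pattern in the
    story above: the brand appears in the hostname or path, but the page lives
    on shared hosting or an unrelated domain instead of a Microsoft sign-in host
    or the organisation's own domain. HTTPS is ignored on purpose: the padlock
    only proves the hosting platform has a valid certificate, not who built the page.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return ("unknown", "no hostname")
    if host in MICROSOFT_LOGIN_HOSTS:
        return ("trusted", "microsoft sign-in host")
    if _under(host, org_domains):
        return ("trusted", "organisation domain")
    branded = any(k.lower() in host + parts.path.lower() for k in brand_keywords)
    if branded and _under(host, SHARED_MS_HOSTING):
        return ("suspicious", "brand on shared Microsoft hosting")
    if branded:
        return ("suspicious", "brand on unrelated domain")
    return ("unknown", "no brand reference")


def scan_email(body, org_domains, brand_keywords):
    """Classify every URL in an email body; returns a list of (url, verdict, reason)."""
    return [(u,) + classify_login_url(u, org_domains, brand_keywords) for u in URL_RE.findall(body)]


# Constructed sample in the style of the lure described above; not a real message.
SAMPLE_EMAIL = """Unusual sign-in activity detected. Please urgently review login attempts:
https://salmon-hill-0a1b2c3d4.azurestaticapps.net/examplehousing/office365
If you did not request this, see https://www.example-housing.ie/security"""

if __name__ == "__main__":
    for url, verdict, reason in scan_email(SAMPLE_EMAIL, ["example-housing.ie"], ["examplehousing"]):
        print(f"{verdict:10} {reason:35} {url}")
```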
Why board members present an elevated hacking risk…
- Board members are typically not full-time employees, so they are often unfamiliar with the latest happenings inside your organisation. This makes them more susceptible to impersonation attacks.
- Board members are often unfamiliar with the IT infrastructure of the organisations they work with. This unfamiliarity increases the risk of attacks such as phishing.
- Board members will typically have multiple logins, not only for personal cloud-based accounts but also for the other organisations they work for. In our experience, password managers are rarely used by this user cohort.
These factors result in a greater risk of:
- Credential theft (Office 365, GSuite etc.)
- Malware and ransomware
- Impersonation and spoofing attacks
What board members need to know.
- Board members need to be made aware of just how easily website domains can be spoofed.
- Board members should have a fundamental knowledge of how cyber criminals research them.
- Board members should be made aware of the emotional triggers that cyber criminals use to persuade them to click on malicious attachments or URLs.
- Board members should be made aware of the dangers of password re-use and the importance of password managers.
- Board members need to be made aware of the importance of two-factor authentication.
In this particular case, if the user had a fundamental understanding of how cyber criminals spoof websites using trusted entities like Microsoft (a key module of SecureClick training), he could have stopped this attack dead in its tracks.