Are Hackers Smarter than the C-Suite?


There are forward-leaning, tech-savvy executives, and then there is the other 99% of the C-Suite.

While CEOs and CFOs may understand grand business strategies and the intricacies of finance, often times they can be as befuddled by technology as the average person.

Normally, that’s not too big of a deal.  In fact it can be somewhat amusing to see a Board member or CEO fumble with an iPhone or a tablet.  It isn’t funny, however, when hackers catch on to that trend.  And that is exactly what is happening now.

We have all at some point received an email trying to perpetrate a scam.  The emails could take the form of a friend saying they are stuck in Europe with no wallet and they need cash, or that your bank needs to check your security.  Fortunately, most of us recognize these emails as suspicious and do not respond.

Recently, though, the forensic and cybersecurity team at PwC has seen an unusually effective variation of such scam emails targeting executives in financial, executive and corporate transaction functions.  Emily Stapf, a director in PwC's Advisory practice focused on forensic technology, briefed me about this trend, noting its uptick and surprising success.

Stapf and her colleagues at PwC have seen a surge in phony requests to C-Suite executives requesting quick, large, and largely undocumented wire transfers for hundreds of thousands, if not millions, of dollars.

The scam is intended to work as follows: a company’s Controller receives an email from the CEO asking for money to be wired for a new urgent business transaction.  The email from the CEO typically includes names, wire details, amount and a sense of urgency, but little context for its purpose.  Replies to the originating email will sometimes bounce back or fail if it has been sent from a “spoofing” service (which is a service that generates an email that appears to have come from a legitimate sender name/address).  Sometimes the cyber fraudsters will send the email from a legitimate internal account, and if so they can be monitored and delete responses before detection by the intended recipient/sender.

More often than one would like to see, the recipient of the fraudulent email will simply act, presuming that if the CEO is urgently requesting the transaction, there is little time or reason to verify it.  The illegitimate wire transfers are typically only detected with face-to-face communication between executives after the money is successfully out the door.  Often fraudulent transfers occur before the scheme is detected and stopped.

While this scheme is in many ways a new spin on an old fashioned scam, cyber fraudsters use the plethora of information and tools available on the Internet to help pull off their crimes.  The cyber fraudsters will scour social media to get valuable personal (but public information).  For instance, reporting relationships and corporate functions can be divined through phishing LinkedIn (NYSE:LNKD), corporate profile postings and other publicly available information.  Cyber fraudsters can then guess correct email addresses and blast away until they find an unsuspecting and unfortunate target.

None of this should be a big surprise, especially given that PwC noted in its 2013 US State of Cybercrime Survey that “Many C-Suite executives have neither adequate knowledge of who the most serious threat actors are, nor (logically given the foregoing) do they have a cybersecurity strategy to defend against them.”

These schemes are only the latest in a long line of attacks specifically directed at the C-Suite.  In 2011 McAfee released its “Operation Night Dragon” report, wherein it detailed attacks on global oil, energy, and petrochemical companies with the apparent intent of stealing sensitive information such as operation details, exploration research, and financial data.  The Night Dragon attacks also specifically attacked information systems used by company executives, so they could gain access to information that would only have limited distribution (and correspondingly high value) within the targeted company.  Similar stories have abounded for years describing advanced cyber attacks that would directly send copies of emails to unauthorized users, as well as the theft of mobile devices used by executives to plant malware on them, or simply copy them as a whole.

The point here isn’t to embarrass the C-Suite.  Far from it.  Instead, these attacks and stories illustrate that anyone and everyone at a company is a potential target of a cyberattack, and everyone, from the CEO down to the newest intern, has to understand the risks associated with cyber theft as well as what attacks could look like.

The recent spate of attacks also highlights the fact that executives are in need of cybersecurity just as much as they are of physical security.  Many executives don’t think twice about hiring a bodyguard or other executive protection services, and now they need to have the reflexive reaction to spending on cybersecurity.  Considering that the C-Suite is home to all the money and good information, who wouldn’t want to pick their collective brain, or steal their secrets of the C-Suite?

Brian Finch (@BrianEFinch, is a contributor.