Why even top execs are hooked by phishing gambits

A new report from security firm Barkly, which sells software that detects malware by its behavioral patterns and blocks viruses, explains how easy it is to fall for phishing schemes and put protected information at risk.

Phishing occurs when an individual clicks on links in unsolicited emails, or is lured into disclosing credentials by a supposed emergency need to access information.

Anyone can be easy prey, the vendor warns. The most likely prey, which Barkly calls the “corporate catch of the day,” includes top executives, administrative assistants, salespeople and human resources staff.

Every employee remains vulnerable, but members of the C-suite are the most prized, and hackers have specific ways to reel them in. Top executives are prized for the confidential information they possess and for credentials that grant expanded access to information; they are also used to receiving urgent requests, so they don’t hover over a link to check that the URL is appropriate before clicking.
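The hover check the article refers to, done programmatically, as an added example that is not part of the Barkly report or of this article: the function below parses the HTML body of an email, and for each link compares the domain a reader sees in the link text with the domain the href actually points to. Display text that reads like a URL but leads somewhere else, or an href whose host is punycode-encoded, is flagged for the reader to look at before clicking. The sample email and every hostname in it are constructed for the example; `example-health.org` stands in for a legitimate organization and `evil-example.net` for an unrelated domain.

```python
"""Flag links in an HTML email where the visible text and the real href
disagree on the destination domain, the mismatch a reader catches by
hovering over the link before clicking."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


def registered_domain(netloc):
    """Crude approximation of the registrable domain: the last two labels.
    Good enough for .com/.org/.net; a public-suffix list is needed for co.uk etc."""
    host = netloc.split("@")[-1].split(":")[0].lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html):
    """Return a list of (href, text, reason) for anchors that merit a hover check."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = urlparse(href)
        if target.scheme not in ("http", "https"):
            continue  # mailto:, tel:, fragments etc. are out of scope here
        if "xn--" in target.netloc.lower():
            findings.append((href, text, "punycode host"))
            continue
        target_dom = registered_domain(target.netloc)
        # Only compare when the visible text itself looks like a URL or hostname;
        # plain wording such as "Contact support" has no domain to compare.
        shown = urlparse(text if "://" in text else "http://" + text)
        if "." in shown.netloc and " " not in text:
            shown_dom = registered_domain(shown.netloc)
            if shown_dom != target_dom:
                findings.append(
                    (href, text, f"text says {shown_dom}, link goes to {target_dom}")
                )
    return findings


# Constructed sample email body; all hostnames are placeholders.
SAMPLE_HTML = """
<p>Urgent: please review the attached invoice before end of day.</p>
<a href="http://login.example-health.org.evil-example.net/">https://portal.example-health.org/login</a>
<a href="https://portal.example-health.org/docs">portal.example-health.org/docs</a>
<a href="http://xn--pple-43d.example/">apple.example</a>
<a href="https://www.example.net/support">Contact support</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML):
        print(f"{reason}: '{text}' -> {href}")
```

Running the block on the constructed sample reports the first link (the text names the organization's own portal, the href leads to a different registered domain) and the third (punycode host); the second link's text and href agree, and the fourth carries no domain in its text and is left alone. The last-two-labels domain heuristic is deliberately simple; a mail gateway doing this for real would use a public-suffix list and would also decode URL-encoded and redirect-wrapped hrefs before comparing.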

Their information-rich assistants are just as vulnerable, as are all other employees, says Mike Parker, director of customer success at Barkly.


Social media sites enable hackers to learn enough about an executive target to craft a convincing and specific email. Phishing an executive often starts with a request for sensitive information that appears to come from a trusted source. After a top executive’s email account is commandeered, a hacker can target lower-level executives, who aren’t likely to refuse a request they think is coming from the top.

“When that message appears to come from a high-level executive, it’s very easy for any employee at an organization to be duped,” Parker adds.

Healthcare organizations can take three immediate steps: require higher levels of verification from everyone in the company before complying with sensitive requests; encourage executives to limit what they share, and whom they connect with, on social media; and adopt a policy of never sharing confidential information via email. To talk security with an executive, remind them how important they are (which they like to hear), then explain why they are prized security targets and lay out the havoc that can follow if they are personally compromised. Push the need for specific executive security training, and have data to back up that need.

Also, talk about the need for company-wide phishing tests, with departmental leaders responsible for security improvements among their team members.

The Barkly report gives examples of what a phishing email may look like, and also covers how to talk to other high-profile targets such as salespeople (stress the downtime of a breach, during which operations are compromised) and human resources (use portals to communicate instead of email). The report is available here.
