With C-suite email credentials sold on the dark web for as little as $250 per user, Canadian CEOs could increasingly become targets for “spear-phishing” attacks, a cyber insurance provider warns.
The digital scam involves sending fraudulent emails from what appears to be a trusted source, asking the recipient to reveal confidential information.
In a cyber incident reported to Toronto-based BOXX Insurance (which offers a cyber product called Cyberboxx) earlier this year, one broker’s client reached out with news of a phishing email that seemed to be broadcast from a senior member of the finance department. That broker was able to help contain the damage and reputational harm, says BOXX Insurance CEO and co-founder Vishal Kundi.
But, according to Kundi, such phishing is becoming increasingly commoditized.
“As an example, cybercriminals have created a phishing kit featuring fake Microsoft Office 365 password alerts as a lure to target the credentials of chief executives, business owners, and [those] with ‘chief financial something’ in their title.” Several dark web forums are selling compromised Office 365 credentials for executives at a cost of $250-$500 per user, he adds.
“Cybercriminals can also use an executive’s credentials to conduct additional attacks, targeting other employees and even third-party partners in the executive’s address book with phishing emails,” Kundi says. “Unfortunately, this type of threat isn’t always easy to get across to senior executives. You probably still come across top executives sometimes that view email security mechanisms or policies as an inconvenience to them.”
This makes it harder to sell cyber insurance. Brokers are contending with clients who don’t think they can be a target. Clients and brokers alike don’t always understand the related exposures and coverages.
With nearly 90% of Canadian organizations reporting an increase in phishing attacks since the start of COVID-19, according to a report from the Insurance Bureau of Canada, brokers will need to keep up with ever-evolving coverages and risk management.