The other day I was participating in a company’s employee meeting when the CEO revealed he had been “caught” that morning by a real phishing attack email.
It wasn’t even a particularly tricky one. It was something he and anyone else should have easily caught. He was just distracted, or it was just the right phishing pitch at the right time.
Either way, he clicked on the included rogue link. He immediately recognized the error and appropriately reported it.
I was amazed! This CEO didn’t let his ego get in the way. He immediately told everyone in the company he had been successfully phished and that he had reported it. He didn’t make excuses. He didn’t appear embarrassed. He was just a human being human.
How I wished more CEOs had the same sort of leadership.
This is a CEO leading by example, showing that he, too, is susceptible to phishing attacks. He then told everyone that he had reported it and that the IT security folks were appropriately responding. It was a wonderful, teachable moment.
When a CEO or other respected person in your organization shares that they were successfully phished, I think it does a bunch of good things. First, it shows to all employees that anyone is susceptible. Fighting phishing isn’t simply a matter of intelligence, common sense or smarts. Anyone is susceptible to the right phishing attack at the right time.
This isn’t to say that CEOs are innately brilliant. Many aren’t. But I think most people would agree that it does take something special to become a CEO of a successful company, leading lots of other people…and even people with that special skill set are susceptible to phishing.
I was an employee at another company years ago where one of the most truly brilliant people in the company, a person respected for their smarts and thought leadership around the world, had fallen to a real-world phishing attack.
It was a spear phishing attack. According to Barracuda Networks, even though spear phishing attacks only make up less than 0.1% of all email attacks, they account for 66% of successful data breaches.
The phisher had taken over another company’s email account and found an ongoing thread that involved a project both parties were frequently exchanging messages over. The attacker then sent an email with a booby-trapped document using the same thread subject. The recipient, the brilliant fellow, opened the document, but was surprised to see that it really didn’t have anything to do with the project.
He closed the email confused as to why the sender had sent it to him. A few hours later, on Super Bowl day no less, the strange message started to bother him. He worried that he might have been the victim of a phish. So, he reported it. And sure enough, it was a real phishing message and it had successfully placed malware on his system. But the attacker had not yet been able to take advantage of their success. The company’s IT team removed it before more damage could be done.
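The attack above is a thread hijack: a message arriving under a familiar subject, from a real partner mailbox, carrying a document the thread never needed. None of the three signals is conclusive on its own, but a mail gateway or triage script can score them together. The following is an added illustration, not code from the post or from any product it mentions; the message fields, the thread history and the list of risky attachment types are all constructed here for the example.

```python
"""Heuristic triage for a reply that claims to belong to an existing email thread.

Added example (not from the original post). It flags the signals that the
thread-hijack attack described above would produce: a subject that matches a
known thread while the In-Reply-To header points at nothing in it, a sender
address the thread has never seen, and a risky attachment appearing in a
thread that previously carried none.
"""
import os
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional

# Attachment types commonly used to deliver macro or script payloads.
# Constructed list for this example; tune it to your environment.
RISKY_ATTACHMENT_EXTENSIONS = {
    ".doc", ".docm", ".xls", ".xlsm", ".js", ".vbs", ".iso", ".lnk", ".exe", ".zip", ".html",
}

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:\s*", re.IGNORECASE)


@dataclass
class Message:
    message_id: str
    sender: str                      # RFC 5322 From header value
    subject: str
    in_reply_to: Optional[str]       # Message-ID this reply references, if any
    attachments: List[str] = field(default_factory=list)


def normalize_subject(subject: str) -> str:
    """Strip any number of Re:/Fwd: prefixes and case so replies compare equal."""
    while True:
        stripped = REPLY_PREFIX.sub("", subject)
        if stripped == subject:
            return subject.strip().lower()
        subject = stripped


def triage_reply(thread: List[Message], new_msg: Message) -> List[str]:
    """Return the list of suspicious signals for new_msg relative to thread."""
    reasons = []

    known_subjects = {normalize_subject(m.subject) for m in thread}
    known_ids = {m.message_id for m in thread}
    if normalize_subject(new_msg.subject) in known_subjects and new_msg.in_reply_to not in known_ids:
        reasons.append("subject matches an existing thread but In-Reply-To references no message in it")

    prior_senders = {parseaddr(m.sender)[1].lower() for m in thread}
    if parseaddr(new_msg.sender)[1].lower() not in prior_senders:
        reasons.append("sender address has never appeared in this thread")

    thread_had_attachments = any(m.attachments for m in thread)
    risky = [a for a in new_msg.attachments
             if os.path.splitext(a)[1].lower() in RISKY_ATTACHMENT_EXTENSIONS]
    if risky and not thread_had_attachments:
        reasons.append("risky attachment(s) %s in a thread that never carried attachments" % ", ".join(risky))

    return reasons


# Constructed thread history between two fictional companies.
THREAD = [
    Message("<1@partner.example>", "Ana <ana@partner.example>", "Q3 integration project", None),
    Message("<2@ourco.example>", "Bob <bob@ourco.example>", "Re: Q3 integration project", "<1@partner.example>"),
    Message("<3@partner.example>", "Ana <ana@partner.example>", "Re: Q3 integration project", "<2@ourco.example>"),
]

# The hijack: sent from the compromised partner mailbox, same subject, no
# In-Reply-To link to the real conversation, with a macro-enabled document.
HIJACK = Message("<9@partner.example>", "Ana <ana@partner.example>",
                 "RE: Q3 integration project", None, ["project-update.docm"])

# A normal reply that should raise nothing.
BENIGN = Message("<4@ourco.example>", "Bob <bob@ourco.example>",
                 "Re: Q3 integration project", "<3@partner.example>")


if __name__ == "__main__":
    for label, msg in (("hijack", HIJACK), ("benign", BENIGN)):
        print(label, "->", triage_reply(THREAD, msg) or "no signals")
```

The hijack message trips two of the three checks even though the sender is the genuine partner address, which is exactly why the compromised-account variant is hard to catch on sender identity alone. A score like this is a prompt for the recipient or the SOC to look closer, not a verdict; the lesson of the post still applies, which is that a late report beats none.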
That company made that example a core part of their annual security awareness video that year. It was, like the CEO example above, one of the best examples to share with the rest of the company, for the same reasons.
The second lesson these examples teach, beyond that anyone can be susceptible, is to report it (appropriately, per an organization’s policies), even if you aren’t sure, and even if it’s later when you reach that conclusion. Better late than never. As an example, many ransomware groups that gain initial access to a company don’t use that access for days, weeks or even months.
Overall, I think that when a company’s best and brightest publicly report (at least to their employees) that they, too, fell victim to a phishing attack, it shows how committed the company is to stopping social engineering and phishing attacks. It says, “We are all in this together!” and that smarts and egos need to be set aside. Few things say more about the company and its leadership’s commitment to fighting phishing.
If your company’s CEO gets phished and shares it, consider yourself in a great place that cares more about decreasing cybersecurity risk than protecting leadership’s self-esteem.