C-Level Phishing in the Entertainment Industry
Don’t take the bait!
In our recent article about why film studios need better IT support we listed cybercrime as a top consideration for 2020 and beyond. It’s true that the media and entertainment field as a whole is being targeted by hacking groups, given the money involved and the fact that the industry has digitally transformed more quickly than any other. With that transformation comes significant vulnerability, but while organizations are investing in antivirus and firewall systems to protect against direct intrusion they lag in one key cybersecurity area – phishing attacks. More specifically, targeted phishing attacks (aka spear phishing) on EPs, CEOs, CFOs, and other C-suite level executives are of primary concern.
C-level spear phishing is when a cybercriminal impersonates (via email, SMS, or other digital communication) an upper level executive to trick subordinates and vendors in order to gain access to funds and sensitive data.
Remember the infamous Sony hack from five year ago? In regards to the high-profile cyber attack, experts came to the conclusion that phishing was one of the key tactics employed to penetrate’s Sony’s systems:
“Stuart McClure, founder and CEO of Cylance, and formerly the CTO of McAfee, analyzed files that the hackers dumped on the Internet — as well as the malware used in the attack — and concluded that the likeliest explanation was that the assault began with so-called “spear phishing” emails directed at employees who had significant or even root access to Sony’s network.” (Computer World, April 2015)
Spear phishing campaigns continue to be a successful tactic for hacking groups seeking to cause mischief in the media and entertainment industry. What’s crazy, is that these cybercrime campaigns are easily preventable. All that production studios and other relevant organizations need to do is become more aware and take some practical steps towards protecting their IT systems. Here they are.
4 Practical Ways the Media & Entertainment Industry Can Prevent C-Level Executive Spear Phishing Attacks
1. Institute an “Ask First” Confirmation Policy
The simplest and most effective way to keep subordinates and suppliers from being tricked into transferring funds or giving up data access is to institute an “ask first” policy.
Make it mandatory for staff to confirm with an executive before accommodating fund or data transfer requests. This confirmation must not be a reply to the original message (as the source may be controlled by a hacker) and instead must be sent via a secondary communications channel that is secured and sanctioned by your company. In fact, the best way to go about this (where viable) is to have staff simply knock on the door and confirm that the executive (you?) made the request in the first place. This redundancy is the best line of defense against C-level spear phishing.
2. Train Teams to Recognize Suspicious Emails
Your subordinates, colleagues, contractors, and vendors must become accustomed to vetting supposed C-suite emails that request data and fund transfers. It’s one thing to note that a request is out of the ordinary, but given the tumultuous times of 2020 nothing seems far fetched any longer. So what else can they look for? They need to inspect for near-match sender email names and/or domains.
For example, let’s say your corporate email address is email@example.com. Spear phishers will purchase near-match domains, such as studioexamples.com (note the “s”) and register firstname.lastname@example.org to use when executing their phishing campaigns. Alternatively, they may have already hacked your company’s email hosting service. Even without direct access to your personal email, they will create near-match sender email names, such as email@example.com (note the removed “s” from the sender name) and conduct their phishing schemes from that email address.
While your new “ask first” confirmation policy will mitigate C-suite impersonation, having everyone double-check email sender addresses will allow them to report future phishing campaigns directly to your IT team. They can then block emails coming from the same source.
3. Open Up Your Corporate Culture
This may seem like a pretty general, even lofty, tip to preventing a very serious form of cybercrime but it is VERY effective.
Spear-phishing attacks that target subordinates and the like are largely successful because the emails come across as being urgent and outright demanding. To quickly accommodate a pressing executive request, staff or vendors will respond without vetting because it has become ingrained in them to not question their income providers.
The film production industry has a history of creating this sort of environment. While it may (or may not) have ensured productivity in the past, in modern times it creates all sorts of vulnerabilities. The proliferation of digital communications and interrelated cybercrime is forcing the hand of traditional structures in the entertainment industry. The demand for an open door policy is high, not only for human resource satisfaction, but from a phishing prevention perspective too. You want staff and contractors to feel as if they can question things that seem out of sorts!
4. Have Outside IT Support Audit Your IT Infrastructure
Your IT team is likely doing a fantastic job. But they have a lot on their table given that your industry relies on technology for all processes. For this reason it is extremely important to bring in an outside IT support firm to audit your IT infrastructure. As a part of this audit, we will look into your digital communications systems so that we can check for any vulnerabilities that permit phishing emails to penetrate in the first place. We are armed with IT security tools that employ artificial intelligence (AI) and machine learning along with enterprise-level productivity solutions (i.e. MS Office 365) that can identify and nip inauthentic digital communications in the bud.
Contact SAV Technology today to discuss your IT needs.