Privacy for Executives
In today's interconnected world, high-level business executives are frequently targets of online abuse and real-life threats because of their jobs. How can you protect yourself?
Executives make ideal targets for cybercriminals. This is because they both operate under conditions of high public scrutiny and also have a high level of access to valuable data. Plus, it doesn’t help that most executives also have little time to stay up-to-date with current cyber risks. Hackers and other bad actors are catching on to these trends. Indeed, research shows that cybercriminals are increasingly targeting senior executives.
If you don’t fancy having your reputation ruined through a data breach, your home address or phone number leaked online because of something you said or did, or an ill-intentioned ex-employee showing up at your door, it’s vital that you take certain precautions online. Keep on reading to learn about the kinds of risks executives face, if any laws protect against them, and what you can do to ensure your and your family’s safety.
Risks and Threats to Executives
Executives face numerous risks, both online and offline. Some of the most common threats to executives include whaling, spyware, identity theft, doxing, swatting, ransomware, reputation attacks, stalking, cyberstalking, and blackmail. Below, we take a look at each threat in greater detail, with real-world examples where applicable.
Phishing and whaling
One of the biggest threats to executives is spear-phishing. Spear-phishing is a highly targeted form of phishing that involves sending very specific emails to well-researched targets to trick them into revealing confidential information or installing malware on their device.
Whaling is a variant of spear-phishing. Also known as CEO fraud, whaling is when cybercriminals send deceptive email messages pretending to be senior executives at an organization to C-level executives or other important individuals (“big phish” or “whales”). The goal here is to either steal money or data (like trade secrets) or gain access to executive devices or accounts.
Like spear-phishing attacks, whaling attacks are always personalized. Attackers often use their victim’s name, job title, and other personal information to make the email seem more authentic. This is known as name spoofing.
Additionally, hackers may also use email account spoofing, which means crafting emails that look like they came from within the company network. Cybercriminals can achieve this by either compromising a legitimate account or using spoofing tools.
The consequences of a whaling attack can be dire. For example, in 2018, the CFO and Managing Director of Pathe, a European cinema chain, were fired from their jobs after failing to spot a whaling attack that cost their company more than $20 million.
In some cases, malicious actors may precede or follow up a phishing or whaling email with a phone call, making it more likely that the recipient will click on the email or carry out the request.
While attackers often obtain personal information they need to pull off a successful whaling attack via company websites, social media, or social engineering attacks, they may sometimes resort to spyware instead.
Spyware
Almost 1 in 2 C-level executives were targeted by spyware in 2019. Spyware was actually the second most common threat to executives that year.
Spyware is malware that infects your device, stealing your internet activity data and other personal information. Email attachments are one of the main delivery methods for spyware.
Identity theft
If the CEO of the consumer credit reporting agency Equifax can fall victim to identity theft three times, so can you. Identity theft happens when a malicious actor uses your personal data for fraudulent purposes.
Although financial fraud is the most popular type of identity theft, a criminal may also use your identity to:
- Conceal their true identity at the point of arrest.
- Receive medical services.
- Get a job.
- Pass a background check.
- Create a fake social media account to tarnish your reputation.
Doxxing
Doxxing, or doxing, is the act of finding and publicizing someone’s personal information, like their home address, phone number, and even details about their family, online. This practice usually aims to embarrass the target, draw criticism to them, or cause them physical and emotional harm.
In 2015, for example, hackers leaked the address and phone number of the former chief executive officer of Turing Pharmaceuticals AG, Martin Shkreli, on 4chan, an anonymous online discussion board. According to CNN, “subsequent comments suggested ordering pizza to [Shkreli’s] Manhattan apartment and sending prostitutes who demand pills as payment.”
Shkreli was doxxed because he raised the price of Daraprim, a drug used by cancer and AIDS patients, and the public didn’t like that. But you don’t even have to do anything to have your information exposed online. In 2020, finance marketing executive Peter Weinberg was misidentified by internet sleuths who accused him of assaulting a child. His home address was posted online and his social media blew up with messages like “we’re coming for you” and “you deserve to pay.”
Swatting
An unfortunate byproduct of doxxing, swatting is when someone tricks law enforcement into sending armed officers (and often SWAT teams, hence the name) to a victim’s home.
In 2020, pranksters swatted a number of tech executives, including senior Facebook executive Adam Mosseri. “Officers arrived in force and barricaded the streets outside. Twice,” wrote The New York Times. “But after tense, hours-long standoffs, they realized the calls were hoaxes. There were no hostages, and no one in the homes had called the police.”
The above scenario ended well. It doesn’t always, though. In 2017, the police shot and killed an unarmed man in an unrelated swatting incident.
Ransomware
When it comes to ransomware, cybercriminals are turning away from individual consumers and targeting large corporations instead, says CyberCube in its report “Understanding Ransomware Trends.”
Ransomware is malware that locks down a victim’s files until a ransom is paid. However, recently, attackers have started stealing data before encrypting it and leaking it if their targets don’t pay.
For example, in 2020, ransomware attackers encrypted and copied data belonging to the German facility management company Dussmann Group. To prove that they were serious about their intention to expose the data if the company failed to pay up, the group posted more than 16,000 files to the dark web, including the contact details of the organization’s executives.
A successful ransomware attack can result in more than just huge financial costs and leaked data. It can also damage the CEO’s reputation. A survey by data protection company Veritas found that 40% of consumers would deem CEOs personally responsible for a ransomware attack. Moreover:
- 35% would want the CEO to pay a fine.
- 30% would insist that the CEO is banned from running a company in the future.
- 23% would demand a prison sentence.
Reputation attacks
If an executive is accused of illegal activity, it makes sense that, most of the time, the board of directors terminates their contract or takes other action. However, not all allegations of illegal activity are true.
Unfortunately, when someone harms your image with false accusations, it’s very difficult to prove that you are, indeed, innocent.
Stalking and cyberstalking
Another threat executives face is stalking. Stalking typically involves repeated, harassing behavior that causes the victim to fear for their safety.
Often, stalking behavior that starts online eventually moves offline. For example, in 2020, a man not only left Apple executives disturbing voicemails and tagged Apple CEO Tim Cook with inappropriate photos on Twitter but also trespassed onto Cook’s property — twice.
Blackmail
Blackmail is the act of coercion using the threat of revealing or publicizing either substantially true or false information about a person or people unless certain demands are met.
Executives, especially those that have a high net worth, are a particularly attractive target to blackmailers.
This is due to two reasons:
- They have more to lose if certain things were to be leaked.
- They generally have the resources to pay the blackmailer.
In most cases, attackers threaten to release photos or other sensitive information if the victim refuses to pay or provide some other benefit. For example, in 2003, a hacker accessed Bloomberg’s computer system and emailed the company’s co-founder Michael Bloomberg, threatening to ruin the financial news service’s reputation unless he paid $200,000. More recently, a man was charged with trying to blackmail Nike executives for $25 million.
What Does the Law Have to Say About That?
In most instances, state and federal laws protect individuals that fall prey to online and offline attacks (although there are a few exceptions where the law hasn’t caught up to what cybercriminals are capable of doing). Here’s what the law says about each one of the above threats to executives.
Phishing and whaling
Only a minority of states have specific anti-phishing laws. However, in states with no explicit anti-phishing laws, other criminal laws (such as laws that address computer crime or identity theft) can be applied to the act of falsely obtaining someone else’s personal data.
Similarly, although there isn’t a single federal statute that criminalizes phishing, other federal laws may be applied to the crime.
Spyware
Only 20 states, as well as Guam and Puerto Rico, have explicit anti-spyware laws. However, all states have laws that address computer crime and identity theft that may apply to practices involving spyware.
There are no federal laws against spyware. Moreover, existing computer fraud laws don’t generally apply to cases that involve spyware, either.
For example, the Computer Fraud and Abuse Act (CFAA) doesn’t apply to most spyware cases because spyware rarely causes direct damage. Similarly, the Electronic Communications Privacy Act (ECPA), which prohibits any person from intentionally intercepting electronic communications, is also usually inapplicable because spyware is often installed with user consent (i.e., bundled with another software package).
Identity theft
Stealing someone’s identity or impersonating another person is a crime in all states. However, the penalties and the restitution provisions vary from state to state.
Identity theft is also illegal at the federal level. The Identity Theft and Assumption Deterrence Act of 1998 makes it a crime to “knowingly transfer or use, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.”
Doxxing
At the moment, there are no consistent legal remedies against doxxing. Indeed, it’s not actually against the law to find and post someone’s information online, as long as it’s publicly available. In other words, it’s usually okay to share someone’s phone number, email address, and even home address but not credit card details.
That being said, some states are considering making doxxing illegal. Moreover, some of the conduct that is regarded as “doxxing” may fall under state or federal laws that relate to harassment, extortion, and stalking. A doxxer may also be brought to justice if they acquired someone’s sensitive data through illegal means, such as hacking.
Swatting
Several states, like Colorado and California, have made it an offense to falsely report a crime to the police or other authorities.
In most cases, swatting is treated as a misdemeanor. However, if the person who makes a prank call knows that their report may cause bodily harm or death, they are guilty of a felony. At the moment, there are no federal anti-swatting laws.
Ransomware
While just a few states make ransomware and/or computer extortion illegal, all states have some type of computer crime laws in place.
Ransomware specifically isn’t a crime at the federal level. However, other cybercrime laws could be used to bring charges across the country.
Stalking and cyberstalking
Stalking is prohibited in every state. Most states define stalking as the intentional and repeated following of another person to harass them. The definition varies only slightly from one state to the next.
Some states also have cyberstalking or cyberharassment laws. Those that don’t may use existing harassment or stalking laws to punish individuals who use electronic communications to monitor or threaten someone.
Stalking is also illegal under federal law. If someone crosses state lines to stalk or harass a person, they’re committing a federal crime. Under federal law, it’s also a crime to harass or stalk someone over the internet.
Blackmail
Blackmail is illegal in all 50 states, but the definition of the offense varies. Some states view blackmail as a type of extortion. Extortion is when someone tries to obtain something through force or violence.
Blackmail is a federal crime, too. It may be punishable by substantial fines or a prison sentence, depending on the details of the case.
Reputation attacks
If someone hurts your reputation, that is known as “defamation.” Written defamation is called “libel,” whereas verbal defamation is called “slander.” For a statement to be defamatory, it must be presented as true but actually be untrue.
Defamation is typically considered a tort (a civil wrong). Indeed, only some states have criminal laws against defamation. In states that have criminal defamation laws, defamers may face fines or imprisonment. In states with no criminal defamation laws, offenders can be criminally sanctioned if:
- They violate a restraining order.
- They violate a court order linked to libelous behavior.
- They’re charged with a similar crime, for example, harassment.
However, to be successful in a criminal defamation claim, you have to prove without a doubt that the defamer knew the statement was indeed false. There are no federal criminal defamation laws.
How to Protect Your Privacy
Luckily, there are many things you can do to protect your privacy, both online and offline, as an executive. Reviewing your digital footprint and removing your name from the internet, using a password manager and a good antivirus, and encrypting your emails are just some of them.
1. Review your digital footprint
Today, tracking down someone online is ridiculously easy. Most of the time, all you have to do is Google a person’s name to find their home address, phone number, hobbies and interests, and other details about their life.
Unfortunately, scammers often use this information as fodder for whaling and spear-phishing attacks. Someone may also use this data to dox, swat, or stalk you. To prevent falling prey to these kinds of attacks, it pays to spend some time reviewing your digital footprint.
Start by Googling your name, address, and phone number, as well as your social media handles. Use private browsing mode to ensure that your Google account doesn’t skew the results you see. Alternatively, search for your name on another search engine, like the privacy-focused DuckDuckGo.
Don’t forget to see if there are any images of you floating around the web, either. If there are, make sure to right-click on the photo and “search Google for image” to see where else it may be cropping up and how it’s being used.
2. Remove your name from the internet
Now that you’ve Googled your name, is there any information out there that could be exploited by attackers? If so, try to take it down.
Removing data that may be too revealing from sites you control — like your personal website, the company’s site, or your LinkedIn account — is relatively easy. However, don’t forget that it’s not just email addresses and phone numbers that could give hackers the ammunition they need to scam you or cause you harm. Information about your interests, hobbies, and future plans could also jeopardize your personal privacy and open you up to cybercriminals and disgruntled employees or customers.
Unfortunately, deleting data from third-party sites is harder. But it’s not impossible. Any non-profit organizations and industry groups you belong to should have no problem with your request to take your name down from their sites.
On the other hand, news media, government agencies, and other independent sites may be less likely to respond to your requests. The best thing you can do here is to evaluate the risks that having your information on these sites exposes you to.
Last but not least, opt out of data brokers and people search sites. These sites comb online and offline resources (think government public records and social media sites) to compile extensive and usually accurate profiles about individuals. They then sell these profiles to anyone willing to pay for them.
Not sure where to start? We have a detailed, step-by-step opt-out guide. However, opting out of data brokers is a time-consuming process and one that you have to repeat regularly (data brokers have a bad habit of relisting people’s profiles even after they opt out). If you’d rather spend your time elsewhere, you can always get professional help.
3. Keep your social media private
Public social media accounts can give cybercriminals great insight into your life, something that can contribute to the success of both online and offline attacks. For example, in one case, a hacker discovered an executive’s love for cricket and his associate’s name via Facebook and used these details to send the executive a fake invitation to a cricket match — one that the executive clicked on, of course.
That’s not to say that you shouldn’t have a social media presence, though. In general, it’s a good idea to register social media accounts in your name that may otherwise be claimed by imposters for harmful purposes.
However, make sure that your accounts are set to private and don’t accept anyone you don’t know in real life as a friend. In addition:
- Don’t use geolocation “check-in” services such as those offered by Facebook.
- Ask your friends and colleagues not to tag you in photos.
- Remove personal information from your profile, like where you went to school or college or your current place of residence.
- Don’t overshare (for example, don’t post pictures of your house, car, or kids).
Cybercriminals may also gather information on you via your family’s social media accounts, so make sure they’re locked down, as well. It may also be worth having a chat with your kids about the dangers of posting things like the names of pets, the location of their schools, and when they (and, by extension, their parents) are out of town.
4. Install a VPN
Whether you’re traveling or working from home, a virtual private network (VPN) can help prevent hacking, spying, and tracking by creating a secure connection.
With a VPN, not even your internet service provider (ISP) can see your location or data. This is important, as ISPs can collect and sell your browsing history to data brokers, who may in turn unknowingly hand this data over to malicious actors.
5. Invest in a password manager
According to a 2017 F-Secure study, about 1 in 3 CEOs have had their passwords leaked in data breaches on a service they access with their work email.
For this reason, it’s imperative that you never use the same password more than once. If you do, hackers may be able to access your other online accounts and applications as well as sensitive company data.
Of course, coming up with a strong password each time you create a new account isn’t easy, and this is where a password manager like Abine Blur comes in handy. A password manager will help you create strong, unique passwords, store them for you, and automatically log you into your accounts. With a password manager, your only job is to remember the master password to the password manager.
6. Encrypt your emails
End-to-end encryption ensures that email messages are encrypted on the sender’s side and can only be decrypted in the recipient’s inbox. What this means is that cybercriminals are unlikely to get a chance to compromise sensitive data or attachments in transit, something that can significantly reduce the likelihood that you’ll fall victim to executive fraud.
Most email service providers make it super simple to encrypt emails. For example, Gmail automatically encrypts your emails, as long as both you and the receiver enable Google’s email encryption protocol.
7. Use a good antivirus
Your device may come with a built-in antivirus, but that doesn’t necessarily mean that you shouldn’t pay for additional antivirus software. For example, while Windows Defender, which comes standard on Windows 10, is often rated as one of the best free antivirus programs, it might not protect you against everything.
Indeed, cybercriminals are likely to first go after free, built-in software like Windows Defender, which they see as low-hanging fruit before they target software that is less common and runs on fewer machines. Paid antivirus may also include more features and offer personalized support.
Of course, free antivirus is better than no antivirus, so if you don’t yet have an antivirus on your device, go ahead and install one now.
8. Keep your software up-to-date
Speaking of antivirus, it’s crucial that you keep it up to date, as well as any other software you use. Software updates tend to include patches to security holes that hackers often look for. By putting off software updates, you’re making it easier for cybercriminals to gain access to your device.
9. Ask questions
Unfortunately, because they are so targeted, spear-phishing and whaling attacks are much more difficult to spot than regular phishing scams. Encrypting your emails can help, but you should exercise caution nevertheless.
If you receive an email you weren’t expecting that requires immediate, drastic action, be wary. Don’t respond to it, click on any links, or open any attachments.
Instead, scan the email with a virus scanner, hover over the link to see where it leads, and check the sender’s email address. If in doubt, ring the sender to confirm their request (but Google their contact details first — the phone number in the email could be false).
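The checks described in this step, written up as a small Python script (an added example, not code from the original article): it assumes a constructed executive directory (KNOWN_EXECUTIVES) and a constructed sample message, and flags name spoofing of a known executive, a Reply-To that differs from the From address, urgent-action wording, and links whose visible text points somewhere other than their real target.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed assumptions: an executive directory and the wording that signals pressure.
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENT_WORDS = ("immediately", "urgent", "wire", "confidential")

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(s):
    """Lower-cased host part of a URL, e-mail address or bare domain ('' if none)."""
    m = re.search(r"(?:@|://)?([\w-]+(?:\.[\w-]+)+)", s)
    return m.group(1).lower() if m else ""

def whaling_indicators(raw_email):
    """Return human-readable red flags found in one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_email)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Name spoofing: a known executive's display name on an address that is not theirs.
    expected = KNOWN_EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' impersonates {expected} (sent from {from_addr})")
    # Replies quietly redirected to a mailbox the From header does not show.
    if reply_addr and _host(reply_addr) != _host(from_addr):
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode(errors="replace")
    # Pressure to act now, the hallmark of CEO fraud.
    hits = [w for w in URGENT_WORDS if w in (msg.get("Subject", "") + body).lower()]
    if hits:
        flags.append("urgent-action wording: " + ", ".join(hits))
    # What the link says versus where it really goes (the 'hover over the link' check).
    collector = _LinkCollector(); collector.feed(body)
    for href, text in collector.links:
        if _host(text) and _host(text) != _host(href):
            flags.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return flags

# Constructed sample message (.invalid is a reserved TLD that never resolves).
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: jane.doe.ceo@webmail.invalid
To: cfo@example.com
Subject: Urgent: wire needed today
Content-Type: text/html

<p>I need this wire sent immediately. The invoice is at
<a href="http://portal-example.invalid/x">https://portal.example.com/invoice</a>.
Keep this confidential.</p>
"""
```

Running `whaling_indicators(SAMPLE_EMAIL)` returns four flags for the sample; a message that passes all four checks returns an empty list, which is the cue to fall back on the phone call described above.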
10. Keep an eye on your credit report and bank statements
Periodically checking your credit report, bank statements, and medical reports can help you prevent identity theft. If you spot anything suspicious, notify the appropriate institutions immediately.
For additional information on how you can protect yourself on the internet, check out the below resources:
- AccessNow, a non-profit that protects and extends people’s digital rights, explains how to dox yourself.
- Abine Blur password manager creates strong passwords and stores them for you.
- DeleteMe is a subscription service that deletes your personally identifiable information from data brokers and people search sites.
- Have I Been Pwned? lets you see if your sensitive data, like your emails and passwords, has been compromised by hacks.
- IdentityTheft.gov is where you can report identity theft. It also provides information on how you can recover from this crime.
- Phishing.org, a resource for IT specialists and other internet users, has useful information on phishing. It also provides a list of free tools, such as a Phishing Security Test.
- The No More Ransom project offers tips and tricks on how you can prevent a ransomware attack. It also has decryption tools in case it’s too late and you’ve already experienced a ransomware attack.
- VirusTotal checks files and URLs for malware.