Survey Finds Executives Four Times More Likely to be Phishing Victims Than Other Employees

In recent years, it has become conventional wisdom that corporate employees pose the greatest threat to companies’ cybersecurity.  A recent survey by IT security provider Ivanti indicates that senior executives need to recognize that they themselves may pose an even greater threat to their own companies’ cybersecurity.

In its December 13 State of Security Preparedness 2023 study, Ivanti surveyed 6,500 executive leaders, cybersecurity professionals, and office workers.  Some of the study’s most concerning findings pertained to behaviors by professionals such as CEOs, vice presidents, and directors:

  • More than one-third of surveyed leaders had clicked on a phishing link — four times the rate of other office employees.
  • Leaders (one out of four) were much more likely than employees to continue to use the same passwords for years rather than updating them regularly.
  • Nearly one in four leaders “use easy-to-remember birthdays as part of their password.”
  • Leaders were “five times more likely to share their password with people outside the company.”
  • More than 1 in 3 leaders “have fallen victim to phishing scams, either by clicking a scam link or sending money.”

While 73 percent of security professionals and leaders reported that their organizations were planning to increase their cybersecurity budgets in 2023, and 74 percent of security professionals stated that they budget for security breaches, other responses about the actual state of organizations’ cybersecurity were more concerning:

  • Only 52 percent of leaders and security professionals responded that “they have ‘high visibility’ into every user, device, application and service on their network.”
  • 45 percent of security professionals said that “they either suspect or know that former employees and contractors still have active access to systems or files in the form of still-active usernames, passwords and login information.”
  • Although 92 percent of security professionals said that “they have a method to prioritize which vulnerabilities to patch”, “when asked which types of patches are prioritized, security professionals tell us all types rank high — meaning none do.”

In addition, Ivanti asked 1,356 executive leaders and security professionals whether they would be willing “to wager a chocolate bar” on the cybersecurity protections their organizations have in place.  Even though 97 percent of security professionals and leaders surveyed said that “their organizations are as prepared or more prepared today than one year ago”, 20 percent would not wager a chocolate bar on their cybersecurity.

Information security officers should include details of the Ivanti report in briefings and training materials, and not only for their own teams or mid- and lower-level employees.  As the report recommends, “organizations need to develop customized training curricula and tech interventions for CEOs and other high-level executives.”  As business email compromise schemes are projected to continue to grow through 2027 at a compound annual growth rate of nearly 20 percent, it is incumbent on senior executives to model proper cybersecurity behavior consistently to subordinates and each other.  Failure to do so can have disastrous results for their companies – and for their continued employment.

Egyptian, Saudi Competition Authorities Sign Memorandum of Understanding on Cooperation

In the past year, competition authorities in Egypt and Saudi Arabia have shown increased assertiveness in enforcing their national competition laws.  Pursuant to their respective competition laws, the Egyptian Competition Authority barred the use of anti-competitive contractual clauses imposed by a market-dominant food-delivery enterprise, and the Saudi General Authority for Competition blocked proposed transactions in the energy and food-delivery sectors.

A recent joint action by both competition authorities indicates that they anticipate exercising their enforcement authority with regard to transnational anticompetitive conduct.  The Chief Executive Officer of the General Authority for Competition, Dr. Abdulaziz bin Abdullah Al-Zum, and the head of the Egyptian Competition Authority, Dr. Mahmoud Mumtaz, signed a Memorandum of Understanding (MOU) that, according to Arab News, “seeks to prevent monopolistic practices that restrict competition, in an effort to boost cooperation while respecting the laws of both countries.”

Dr. Al-Zum reportedly indicated that the MOU “includes areas of cooperation and exchange of consultations and experiences through mutual visits to the headquarters of competition authorities in the two countries, as well as through official electronic communication channels and other means of communication between experts and technicians of the two parties on issues of common interest.”  Dr. Mumtaz further explained that the MOU “focuses on a number of areas of cooperation that include exchanging information and experiences in the field of promoting competition and preventing monopolistic practices, in a way that facilitates and enhances the performance of the functions of both sides, especially with regard to the role of competitive guidance and how to set policies that enhance competition in markets.”

APWG Second Quarter Phishing Trends Report Notes Record High in Phishing Attacks

Even as the world of computing becomes ever more complex in many respects – greater computing power, smarter devices, and more advanced artificial intelligence and machine learning, to name a few – one of the most conceptually simple cybercrime techniques remains a significant threat to computers and networks around the world.  Phishing, as defined by APWG (formerly the Anti-Phishing Working Group), “employ[s] both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials.”

On September 22, the APWG issued its Phishing Activity Trends Report for the second quarter of 2022.  Key findings in the report include:

  • General: APWG observed 1,097,811 total phishing attacks in Q2 – “a new record and the worst quarter for phishing that APWG has ever observed. The number of phishing attacks reported to APWG has quadrupled since early 2020, when APWG was observing between 68,000 and 94,000 attacks per month.”
  • Most-Targeted Industry Sectors: For Q2 2022, APWG founding member OpSec Security found that phishing attacks against the financial sector (including banks) “remained the largest set of attacks” (27.6 percent of all phishing). Attacks against webmail and software-as-a-service (SaaS) providers accounted for 19.1 percent of all phishing. While attacks against retail/ecommerce sites dropped from 14.6 to 5.6 percent, phishing against social media companies dramatically increased from 8.5 percent of all attacks in Q4 2021 to 15.5 percent in Q2 2022.
  • Ransomware: APWG member Abnormal Security observed not only a decrease in ransomware volume over Q1 and Q2 2022, but also (as of June 2022) “the smallest number of ransomware victim companies since January 2021.” The five industries most frequently victimized by ransomware during Q2 included manufacturing (24 percent), business services (12 percent), retail and wholesale (10 percent), healthcare (8 percent), and construction (7 percent).  In addition, approximately 56 percent of victimized companies had less than US$50 million in revenue, while nearly 13 percent of victim companies had revenues of more than US$500 million.
  • Business Email Compromise (BEC) Schemes: According to APWG member Agari by HelpSystems, in Q2 2022 “gift card requests were the most popular cash-out method used by criminals” (39.9 percent), followed by payroll diversion attempts (25.9 percent), advance fee fraud (15.5 percent), and wire transfers (9.6 percent).  The average amount requested in wire transfer BEC attacks was $109,467, an increase from $91,436 in Q1 2022.  In addition, two strains of malware accounted for 90 percent of all malware delivered to corporate email boxes: Emotet (47 percent) and Qbot (43 percent).

Information security teams in every business sector should closely review the APWG report and incorporate pertinent details into internal briefings and training for corporate executives and employees.  Because maintaining effective cybersecurity in any environment is a constant challenge, it is essential that senior leadership maintain a clear understanding of the most prevalent and immediate threats to their corporate environments and provide information security teams with the tools and resources to cope with those threats.

Some Governors Think Busing and Flying Migrants to Other States Is Good Political Theater.  In Some Cases, It May Also Be Kidnapping.

In recent months, three governors – Greg Abbott of Texas, Ron DeSantis of Florida, and Doug Ducey of Arizona – have aggressively implemented policies to transport large numbers of migrants to other states, reportedly “to protest what they say are inadequate federal efforts on southern border security.”  Governor Abbott’s office recently stated that Texas has bused more than 7,900 migrants to Washington, D.C. since April, more than 2,200 migrants to New York City since August 5, and more than 300 migrants to Chicago between August 31 and September 6.  Arizona has sent 46 buses carrying 1,677 migrants to Washington, and Governor DeSantis – who has said for months that he would be relocating migrants to Delaware or Martha’s Vineyard – made good on that promise this week by sending two planeloads of migrants to Martha’s Vineyard.

While mayors of cities to which migrants have been shipped have decried the practice, and the Biden Administration is considering unspecified “litigation options” to halt it, the governors and their supporters so far appear unfazed, even emboldened, by the criticism and appear to enjoy what some critics call the political theater.  One aspect of the busing-and-flying program, however, should give the governors pause.

According to New York City Mayor Eric Adams, some of the families that were bused to New York “were forced on the bus with the understanding that they were going to other locations that they wanted to go to, and when they tried to explain they were not allowed to do so.”  Governor Abbott retorted that migrants were given voluntary consent waivers in multiple languages before boarding the buses.  However, any evidence that migrants were forced onto buses or planes, or were induced to board by false promises (such as promises of being taken to other destinations or being able to get work papers) could raise a more serious issue for the governors: the possibility of federal kidnapping violations.

Title 18, Section 1201(a)(1) and (3), of the United States Code makes it a federal felony when anyone, among other acts, “unlawfully seizes, confines, inveigles, decoys, [or] kidnaps” another person and that person “is willfully transported in interstate or foreign commerce” or “any such act against the person is done within the special aircraft jurisdiction of the United States.”  That language makes clear that kidnapping can occur without gun-to-the-head type coercion.  “Confin[ing]” migrants on a bus by force or threats of force, “inveigl[ing]” (in everyday language, “achiev[ing] control over someone in a dishonest but skillful way, especially so that they will do what you want”), or “decoy[ing]” (“trick[ing] or confus[ing] people into doing something or going somewhere”) is just as much an offense under section 1201 as seizing or kidnapping them.  And under Title 18, Section 2 of the United States Code, anyone who causes or aids and abets another person to engage in kidnapping is equally guilty of that kidnapping.

If any state or local authorities are found to have forced migrants onto interstate transportation, or lied to them to get them to board, those authorities might think that they were not engaged in kidnapping because they did not have a pecuniary motive for their actions, or because they themselves did not transport or accompany the migrants across state lines.  They would be wrong on both counts, under long-established Supreme Court decisions. 

In a 1964 decision, United States v. Healy, the Supreme Court held that section 1201 is not limited to kidnapping for pecuniary gain.  And in a 1999 decision, United States v. Rodriguez-Moreno, the Court held that federal kidnapping under section 1201 “is a unitary crime” that “once begun, does not end until the victim is free.”  In other words, a person who compelled or lied to migrants but stayed behind after the bus leaves can be just as guilty of federal kidnapping as a human trafficker who grooms a vulnerable person into getting into a car but stays behind as another trafficker drives across a state line with the intended victim.

To be sure, the mere transportation of migrants to other states does not constitute kidnapping under section 1201.  If state and city officials can establish that they gave complete and truthful information to each bus- or planeload of migrants about the circumstances of their shipment to other states, and that no coercion or force was used to get them on board, that busing or flying of migrants, however callous, is no crime.

But if there are credible reports of lying or coercion to get migrants on board buses or planes for interstate travel, the Federal Bureau of Investigation and the U.S. Department of Justice need to investigate those reports and take appropriate action.  Both agencies have substantial expertise in investigating kidnapping of all types.  For their part, the governors need to convey unambiguously to those conducting the migrant shipments that there must be no show or threat of force, and no false or deceptive statements, to get migrants on board.  And if drivers or flight crews involved in transporting those migrants witness specific instances of such lying or coercion of migrants, their employers need to authorize them to refuse to transport those migrants.  No transportation contract, no matter how lucrative, and no political advantage are worth becoming complicit in possible federal kidnapping violations.

IUCN-NGO Traffic Report Indicates Decline in Overall Rhino Poaching Rates Since 2018

For nearly 90 years, nations around the world have sought, with varying degrees of success, to combat illegal wildlife trade.  Yet even after the Convention on International Trade in Endangered Species of Wild Fauna and Flora (CITES) entered into force in 1975, wildlife crime remains a blight for many countries. The U.S. Department of Justice even declared that illegal trafficking in wildlife, plants and timber, and marine creatures “has reached epidemic proportions.”

Among the species that have been especially heavily targeted by poachers, because of the heavy demand for their use in traditional Chinese medicine, are African and Asian rhinos.  From the start of the 20th century to 1970, the African and Asian rhino population plummeted from 500,000 to 70,000, and in just the last decade, nearly 9,900 African rhinos have been lost to poaching.

An August 22 report by the International Union for Conservation of Nature (IUCN) and the NGO Traffic seeks to strike a cautiously positive note.  The report, which covers the period 2018 through 2021, states that “[o]verall rhino poaching rates have declined since 2018, and trade data suggests the lowest annual estimate of rhino horns entering illegal trade markets since 2013.”  One significant variable that evidently affected rhino poaching rates was the COVID pandemic.  According to the report, “global lockdowns and restrictions due to the COVID-19 pandemic saw several African countries experience dramatically reduced poaching rates in 2020 compared to previous years.” But “as COVID-19 travel restrictions lifted, some range states reported new increases in poaching activities – for example, South Africa reported 451 and Kenya six poached rhinos in 2021. However, these numbers are still significantly lower than during the [poaching] peak in 2015.”

At the same time, the report cautioned that threats to rhinos “are at a global – transnational scale, and include environmental change and social drivers”, and that “[t]he risks of these additional threats to global rhino conservation outcomes is unclear.”  It also noted that “illegal trade in rhino horn is still considered the primary threat to the persistence of rhinos.”

Government officials and corporate compliance teams whose mandates include wildlife crime and corruption should read the report closely, while recognizing that several variables may well contribute to an increased incidence of rhino poaching later in 2022 and beyond.  For example, the reportedly lower incidence of COVID in Africa and Asia may contribute to increased travel and tourism to those regions, and with it an upsurge in poaching.  In addition, South Africa, which can boast the world’s largest rhino population, is set to see an increase in rhinos killed for the second straight year, as poachers have shifted their focus to the country’s KwaZulu-Natal province.  Faced with these disturbing trends, all of the 184 CITES signatory nations will need to redouble their efforts to sustain the decline in rhino poaching.