You can be on Entrepreneur’s cover!

5 Types of Employees Often Targeted By Phishing Attacks Different kinds of phishing victims usually see different lures and techniques used to land them.

By Jack Danahy

entrepreneur daily

Opinions expressed by Entrepreneur contributors are their own.


Twenty years ago, hackers breached organizations by finding and exploiting holes at the network perimeter. To stop them, security teams focused on locking that perimeter down, creating a "hard, crunchy outside," but they did much less to strengthen internal users, systems and networks.

Modern attackers have evolved, moving to easier targets, at the organization's "soft, chewy, center" -- the users and their systems. Phishing, hacking campaigns that send fraudulent email disguised as legitimate traffic, is the primary technique. Over time, we have learned that users are susceptible to all types of phishing cons, from free software to fake websites and unsolicited ads that show up in their email boxes. Trusting souls unwittingly type credentials into forged screens and click on malicious links that surreptitiously install system eavesdroppers, ransomware and even backdoors. When that email appears to come from a friend or high-level executive, it's even more natural for the employee to trust it and get hooked by the phishing attack. After all, who says "no" to the boss?

Related: 7 Cybersecurity Layers Every Entrepreneur Needs to Understand

The total cost of these attacks is in the billions of dollars. This profitability encourages new criminals and finances the development of sophisticated new tools. What's more, hackers have identified the best methods of targeting users based on their job function and seniority. Preventing these losses begins and ends with supporting the users -- protecting them from themselves and helping them to develop better habits that will ultimately safeguard the entire organization.

Like real fishes, different kinds of phishing victims usually see different lures and techniques used to land them. Let's take a closer look at the behaviors of some employees that are most likely to find themselves the target of a phishing attack and how to protect them.

1. Executives.

CEOs, CFOs, and other top executives are some of the most popular phishing targets. As high-ranking decision-makers, their access to sensitive information, as well as their authority to sign-off on things such as wire transfers makes them extremely attractive "trophies." So, what does a phishing attacks look like for an executive? Typically, they take the form of sensitive information requests from a trusted source. By spoofing an email so that it carries a credible sender, attackers can make requests to other executives that are far less likely to be denied. The FBI reports that there have been more than $2 billion in losses to scams such as this in the last three years alone.

How to protect them: Make additional authentication or verification steps a requirement for any sensitive requests like wire transfers. Additionally, encourage execs to limit what they share and who they connect with on social networks.

2. Administrative assistants.

Masters of multitasking, administrative assistants are the unsung heroes in the corporate word. Between handling all the behind-the-scenes scheduling and screening phone calls, they often have access to company and individual executive accounts. Their frontline role and privileged relationships encourage attackers to view them as accessible targets who can give up the keys to the kingdom. Attacks on assistants often come in the form of a request from another executive, commonly asking to review an attachment or send along financial information. Eavesdropping software, when installed on an assistant's system, can see all the privileged communications that the assistant is called upon to handle.

Related: 4 Cybersecurity Best Practices for Your Organization

How to protect them: Provide admin assistants with a clear procedure for how to deal with suspicious emails and make sure you have a good spam filter in place. If the assistant comes across a disreputable email, they should know exactly how to report it to the IT department (and feel actively encouraged to do so).

3. Salespeople.

Always on the hunt for the next big deal, business development managers, account executives, and inside sales people constantly interact with prospective and existing clients in person, over the phone, and via email. As a result, they're eager for emails from potential customers and want to be as responsive as possible. Phishers can typically find their name, phone number and email address online and can be reasonably confident that any message they send will be opened. A credential theft from these users would provide access to customer lists, pricing sheets, and confidential deal information. Stealing their accounts will also allow for a new phishing attack vector to members of the finance, management, and account teams, who would trust messages from the salesperson user.

How to protect them: Have a conversation with your purchasing department about how to transfer invoices through additional methods other than email. Remind salespeople to double-check any linked text they receive in an email and discourage them from opening attachments from sources they don't know.

4. Human resources.

Their roles can vary, but human resources professionals are generally some of the most highly connected people in an organization. Since they communicate regularly with current and potential employees, phishers posing as a potential employees will send malicious payloads disguised as resumes, or will impersonate a high-level executive asking for personnel information. During the 2016 tax season alone, over 50 organizations were tricked into leaking employees' W-2 forms by phishing emails impersonating requests from CEOs.

How to protect them: Investing in benefits software and employee portals can help reduce the scenarios where employees send confidential documents via email. HR should also be reminded that that any requests they receive from an employee asking for sensitive information should be verified either over the phone or face to face.

5. Any employee.

The truth of the matter is that mass phishing attacks are just as popular as ever. Anyone at your company with access to a device -- from the CEO to entry-level assistants -- can be the subject of a phishing attack. Training programs and security measures need to be addressed with everybody, even the IT folks who are keeping it all up and running. The more people who are involved and the easier you can make it for them to participate in security efforts, the better success you will have in preventing attacks.

Related: Expert Hacker Shares 3 Ways Small Businesses Can Minimize Cybersecurity Threats

How to protect them: Utilizing spam email filtering solutions along with additional endpoint security will help cover the gaps in antivirus protection. Having security policies for responding to suspicious emails and a company-wide backup strategy will also reduce the risk of attacks.

Understanding these users and the likely lures attackers use makes security awareness and education more targeted, interesting, and effective. Users will learn how to recognize and ignore malicious behaviors, eliminating a prime source of risk. Making the organization's center less soft and chewy also requires that their systems recognize and block malicious behaviors in the same way, catching those new attacks that slip by even the most conscientious user. By taking this layered approach, organizations will have the right protections to keep employees off the hook, even in the most tempting phishing attack.

Jack Danahy

Co-founder and CTO of Barkly

Jack Danahy is co-founder and CTO of the endpoint security company, Barkly. A 25-year-veteran in the security industry, he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Side Hustle

This Dad Started a Side Hustle to Save for His Daughter's College Fund — Then It Earned $1 Million and Caught Apple's Attention

In 2015, Greg Kerr, now owner of Alchemy Merch, was working as musician when he noticed a lucrative opportunity.

Business News

This One Word Is a Giveaway That You Used ChatGPT to Write an Email, According to an Expert

"Delve" has increased its presence in written work since ChatGPT entered the scene.

Business News

Yes, You Can Buy a Foldable Tiny Home on Amazon — And Now It's Selling for Less Than $12,000

The waterproof and flameproof house was listed around $35,000 a few months ago.

Side Hustle

This Insurance Agent Started a Side Hustle Inspired By Nostalgia for His Home State — Now It Earns Nearly $40,000 a Month

After moving to New York City, Danny Trejo started a business to stay in touch with his roots — literally.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Starting a Business

4 Common Mistakes That Will Spell Doom Your Ecommerce Business

It's hard to spot a success story before it happens, yet it's easy to tell if a business will struggle. With that in mind, here are the four most common mistakes people make that you should avoid when starting an ecommerce business.