Mid-level managers need to be particularly wary of targeted phishing attacks, according to Jenn Gast at INKY. Gast explains that criminals can easily conduct open-source research on a company’s organizational structure and craft spear phishing messages to trick its employees.

“Mid-level managers make enticing targets because they often have access to sensitive data and responsibility over invoice approvals,” Gast writes. “With a little research, a cybercriminal can uncover what accounts a mid-level manager oversees and then pose as a vendor requesting a change in payment. This can be particularly effective during COVID-19.”

Gast adds that these managers are likely to be targeted by business email compromise (BEC) attacks involving CEO impersonation.

“A cybercriminal who gains access to your business’s hierarchy can also use it to impersonate VPs or even your CEO,” she writes. “Mid-level managers tend to spring to action whenever they’re contacted by a higher-up. A cybercriminal engaged in CEO impersonation can use a phishing email to trick a mid-level manager into disclosing sensitive client or company data or granting access to your business’s computer system.”

Business email compromise is now a billion-dollar criminal industry, and these attacks will only grow more sophisticated as the criminals gain more resources to expend.

“If you and your mid-level managers aren’t prepared, cybercriminals exploiting COVID-19 can make an already difficult year a lot worse,” Gast says.

Organizations should implement a defense-in-depth strategy with a combination of technical solutions, security policies, and employee training.