
One thing is true about fraudsters who phish -- they know how to innovate. Bypassing security filters is their motivation, and a good fraudster can make millions off their unique skill. As such, phishing now comes in many flavors and cleverly manipulates people using social engineering. Phishing is a subset of social engineering, and it’s a billion-dollar industry for fraudsters with the right motivation and skills.

Of the many types of phishing, Executive phishing targets the highest office level, the C-level executive. This type of targeted phishing is behind scams, including Business Email Compromise (BEC), which cost businesses $43 billion globally between 2016 and 2021, according to the FBI. The FBI also reports that phishing scams increased by almost 300% between 2019 and 2023. In 2019, about 115,000 phishing scams were reported, but the number catapulted to almost 300,000 in 2023. Executive phishing, sometimes called CEO fraud or Whale-Fishing, is a growing concern for many businesses. Several businesses have already been impacted, and several more will also suffer from the monetary loss of executive phishing. We explain how it happens, the damages businesses face, and how to avoid it.

How Does Executive Phishing Work?

Executive phishing, or whaling, is a highly targeted form of spear phishing that goes after the ‘big catch’ or ‘whale’ because the payoffs are high. The introduction of ChatGPT in 2023 made whaling much easier, and CNBC reported that businesses saw a 1200% increase in executive phishing scams. Spear phishing has much higher monetary returns for attackers, but they must also perfect their craft and use innovative ways to bypass ordinary email filters.

Whaling involves steps attackers usually follow to catch the big phish. Every attacker has a strategy and tools to compromise a system, but most attackers follow the same steps. The steps to capture a big phish are as follows:

Surveillance and Intelligence Gathering

A company's CEO or other high-level executive is identified as the ideal target for a cyber-scam. During intelligence gathering, the fraudster will research the executive’s role, what areas of the business they control, whom they do business with, financial transactions, and history. The fraudster will also research the company and any third-party vendors it works with. This step is necessary to identify employees with potentially high-privilege access to the corporate network, including email accounts.

LinkedIn is a great reconnaissance tool for this step. Fraudsters can collect information from LinkedIn and identify additional targets working for the organization. Titles and sometimes email addresses are public, so it costs the attacker nothing but time to collect important information. In some phishing attacks, multiple high-level executives could be targets. Sophisticated attackers might pretend to be one person in the organization while targeting another high-level executive using social engineering. Security teams often ask employees to remove or hide such information to lower the risk of being targeted.

Development of the Executive Phish

The intelligence gained from the reconnaissance step is used to develop a convincing phish scenario. This information is used to customize the phishing message instead of a “spray” technique where the attacker sends a generic message to multiple people within the organization. For example, if the target is a finance executive, the message might demand money for a fraudulent invoice. An HR executive might receive a message asking for payroll credentials or payments.

The cybercriminals behind executive phishing should not be underestimated. They understand human behavior and will design their attack based on how the target executive will likely react to a given scenario. Security awareness training helps executives and other employees identify these phishing messages, but it should be a failover strategy rather than the first line of defense.

The Spoof

The attack entry point is a trusted supplier's or colleague's compromised or spoofed email account. Most phishing messages convey a sense of urgency so the recipient overrides their hesitation. The message might tell the recipient that the CEO demanded money be transferred to a bank account, or the attacker might tell an HR representative that an employee needs their payroll check. It might seem easily identifiable, but phishing emails use social engineering tactics that manipulate behavior to trick the C-level executive into initiating a money transfer.

Some employees realize shortly after that they’ve been scammed, so the correct next step is to alert management and security. Attackers might attempt additional scams if the target does not realize the messages were a scam. Fraudsters use methods where a return of funds is difficult, so time is of the essence at this step. Some funds might be recoverable, but returning funds is often difficult or impossible.

Compromised Account Whale Phishing Variant

Sometimes, cybercriminals can compromise a C-level executive email account. Again, phishing is typically the starting point for this compromise. An email sent to C-level executives convinces them to divulge their credentials. Phishing usually involves an embedded link that sends the executive to an attacker-controlled site. The site looks like the official site for well-known applications such as Office 365 or Google email. The executive enters their credentials without checking the URL, and the attacker now has the credentials to compromise their email.

Once cybercriminals control the executive email account, they can use it to send emails from the legitimate account to other executives. It isn't easy to recognize that this hacked email is not from the C-level executive, as it is a real but hijacked account. Using legitimate email accounts is especially useful in social engineering, so BEC has become one of the biggest threats to organizations.


Who Is At Risk From Executive Phishing?

The people at risk of an executive phishing attack are those in the company with the most control, the C-suite. A CEO, CTO, COO, CFO, CMO, and any other high-level executive is a target for spear phishing. Although these employees are at high risk, don’t forget that other employees with elevated privileges could also be a target for more sophisticated phishing and social engineering attacks.

Executive phishing can affect other company members, who can be socially engineered into making money wires and paying fake invoices as demanded by a C-level executive's spoofed (or compromised) email account. Because the phishing message comes from a legitimate executive account, it’s difficult for employees to identify and stop the scam. Employees can be trained, and businesses often put several checks and balances in place to catch these scams. Even with security training and checks and balances, some phishing messages achieve their goal – stealing money and other sensitive information.

Examples of Executive Phishing Attacks Offer an Insight into Who is Most at Risk from Whaling

  • An Omaha commodity trading company, “Scoular Company,” paid $17.2 million to cyber criminals after becoming a victim of executive phishing. In this instance, the executive target was the corporate controller with access to financial accounts.
  • FACC is a supplier to Boeing and Airbus. In 2016, the company suffered an executive phishing attack that ended in $56 million in losses and the sacking of the CEO and several other financial department employees.

Differences Between Executive Phishing and Spear Phishing

Spear-phishing and executive phishing attacks have some elements in common; they both:

  • Target specific people with high-level privileges in an organization.
  • Use social engineering to manipulate users into following malicious actions directed by a cybercriminal.

Critical Differences Between Spear Phishing and Executive Phishing

  • Spear phishing emails target specific roles and departments. For example, they might target an administrator with high-level privileges in the IT department.
  • Executive phishing targets high-level executives to steal money, and usually the messages are customized for C-suite employees (e.g., CTO, CIO, CEO, CMO, COO, CFO).

How To Prevent Executive Phishing

No one measure will prevent executive phishing. Your security strategy should be implemented in layers; email security and filters are no different. Security awareness training, simulated phishing exercises, and email protection software together provide the layers needed to stop the insidious threat of executive phishing, or whaling. Email protection software is your first line of defense, and any false negatives can be caught with employee security awareness training. The very last layer of defense is the antivirus software running on user devices.

The following are the best practice measures for protecting your C-level executives and other staff from the costs and harms of executive phishing:

Behavior-Driven Security Awareness Training

Executive phishing means highly targeted malicious emails directed toward C-level or other high-profile executives. To counteract this threat, you must use behavior-driven security awareness training tailored for C-level executives. Security training will imbue your executive team with the skills to be more security-aware.

As a security-first mindset is most effective when it becomes a top-down skill, training your executives to recognize security threats will also help build a company-wide security culture. This will help make all employees safer email users. Training executives in security awareness is much like training other staff members to spot security issues, as it is about changing poor security behaviors.

Executives and C-suite must have tailored programs built into their security awareness training packages that teach about the specific perils of targeted phishing campaigns, such as executive phishing, whaling, and spear phishing. These training modules should focus on the social engineering aspect of phishing and how to spot scams, how to use the internet safely, and the importance of security hygiene and good security habits.

Simulation tests identify users who need more security training. A simulation test is a phishing-like message, usually emulating a real-world one. Tracking is set on the email and on the landing page where users are directed after clicking the malicious link. Reports tell administrators which users opened the email, deleted it, clicked the link, and divulged their credentials, essentially falling for the phishing attack. These metrics can be used to understand the business risks associated with phishing and which users are vulnerable to attacks.

Phishing Simulations

Advanced phishing simulation exercises should be part of business security awareness training offered to the C-suite.

Phishing simulation platforms train executives to be vigilant about the malicious email messages they receive (and send). Advanced platforms can also be tailored, and they often supply templates for simulated executive phishing exercises based on real-world examples or on custom examples created by security staff, so executives learn how whaling and executive phishing work before they face the real thing.

Phishing simulators provide metrics that measure the effectiveness of tailored phishing simulations, allowing you to customize them further as administrators identify pain points in email security. Good security awareness training software gives you all the tools, templates, tracking, and reporting features necessary to better employee understanding of phishing.

Effective Authentication Measures

Effective authentication is an essential layer of protection to achieve comprehensive email protection that helps limit the impact of executive phishing. Authentication should stop attackers even if they obtain credentials; specifically, two-factor authentication (2FA) limits the impact of stolen credentials. 2FA is another layer of email security that stops the effects of phishing.

Ensure that your executives use multi-factor authentication (MFA) whenever possible and understand the importance of password hygiene. Some apps will support a second factor, such as a software-based authenticator or a biometric. However, robust authentication alone will not prevent an executive phishing attack. Researchers have identified toolkits for sale on the dark web that bypass 2FA, so administrators need to use 2FA as a layer of security defense and not the sole strategy to protect employee network accounts and stop BEC.

Phishing fraudsters are always looking for the best payoff for their cybercrimes. Executive phishing gives them a massive payoff if they are successful. Fraudsters use executive phishing and spear phishing as a high-risk but high-reward strategy. One executive phishing success could mean a million-dollar payout to a sophisticated attacker.

Therefore, an organization must include its executives in security awareness training and tailor simulated phishing exercises to teach how to detect a social engineering attack. Most executives are extremely busy with work but should be persuaded to take time out of their day to perform essential security training. Using behavior-driven security awareness training, a company can protect its executives, employees, and assets.

To protect your executives and company from executive phishing, check out TitanHQ’s Phishing Simulation Solution.


The FBI also points out that BEC scams increased by 65% between 2019 and 2021.

Examples of Executive Phishing Emails

1. Executive Phishing: Intelligence and surveillance: hackers watch and learn to understand who to target and how the target business operates. This gives them the intelligence to carry out the Executive phishing attack.

2. Phishing The Target: carefully composed phishing emails are sent to the identified targets from part one:

CFO: An urgent invoice must be paid today; otherwise, we will lose this client. Can you ensure this invoice is paid immediately, as I am away? Regards, CEO

Finance Department: Hi Jake, I need to see our latest accounts and their information for a business opportunity I am dealing with. Please send me the newest cash bank statement immediately. Thank you, CEO

Accounts Payable: Please find the attached invoice statement for a client payment that was not processed. The money must be immediately transferred; otherwise, we will lose this client. Can you pay this immediately? I will call you later today to check that this has been processed. CEO name, Sent from my mobile.

Social Engineering Tactics:

Targeted employees are socially engineered using tactics, including:

  • Urgency: pay now, or we will lose the client!
  • Trust: I must respond as this is my boss, and I could be fired.
  • Fear of Reprisal: this is the head of the company; I better do this; otherwise, I’ll be in trouble and could lose my job.
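As an added illustration (not from the original article or any TitanHQ product), the following Python triage script applies the impersonation and pressure cues described above to constructed sample messages. The executive roster, corporate domain, sample addresses, and scoring thresholds are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster (assumption): executives' display names and the domain their mail should use.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Pressure and payment cues taken from the lure wording above.
URGENCY = re.compile(r"\b(immediately|urgent|today|otherwise,? we will lose|as i am away)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|transfer(red)?|bank statement|payroll|paid|pay(ment)?)\b", re.I)
MOBILE_EXCUSE = re.compile(r"sent from my (mobile|phone)", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def score_message(raw: str) -> tuple[int, list[str]]:
    """Score one RFC 822 message string; higher means more BEC indicators present."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload()
    score, reasons = 0, []
    # Display-name impersonation: an executive's name over a non-corporate address.
    if name.strip().lower() in EXECUTIVE_NAMES and _domain(addr) != CORPORATE_DOMAIN:
        score += 3
        reasons.append(f"executive display name on external address {addr}")
    # A Reply-To outside the sender's domain silently diverts the conversation.
    if reply_to and _domain(reply_to) != _domain(addr):
        score += 2
        reasons.append(f"Reply-To {reply_to} differs from From domain")
    for pattern, reason in ((URGENCY, "urgency language"),
                            (PAYMENT, "payment or financial-records request"),
                            (MOBILE_EXCUSE, "'sent from my mobile' excuse")):
        if pattern.search(body):
            score += 1
            reasons.append(reason)
    return score, reasons


def verdict(raw: str) -> str:
    score, _ = score_message(raw)
    return "quarantine" if score >= 4 else "flag for review" if score >= 2 else "deliver"


# Constructed samples; the lure bodies follow the CFO and Finance Department examples above.
SPOOFED_LURE = """From: "Jane Doe" <jane.doe@example-mail.co>
To: cfo@example.com

An urgent invoice must be paid today; otherwise, we will lose this client.
Can you ensure this invoice is paid immediately, as I am away? Regards, CEO
"""
COMPROMISED_ACCOUNT_LURE = """From: "Jane Doe" <jane.doe@example.com>
To: jake@example.com

Hi Jake, please send me the newest cash bank statement immediately. Thank you, CEO
"""
ROUTINE_MAIL = """From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com

Board deck attached for Thursday's meeting. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_LURE), ("compromised", COMPROMISED_ACCOUNT_LURE), ("routine", ROUTINE_MAIL)):
        print(label, verdict(raw), score_message(raw)[1])
```

The compromised-account sample shows why sender checks alone are not enough: the message comes from a genuine executive address, so only the content cues remain to catch it.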

The Cost Of Executive Phishing:

Invoice Fraud: middle-market businesses lose $280,000 per year to invoice fraud, according to the Financial Professional Census.

Business Email Compromise: $2.4 billion in global losses, compared to $49.2 million from ransomware, according to the FBI.

Data Breaches: The average cost to a business of a data breach was $4.35 million in 2022; this is the highest recorded by IBM in their “The Cost of a Data Breach Report.”

According to CFO.com, 83% of finance leaders dealt with cyber fraud in 2023, with wire transfer fraud, vendor fraud, and CEO or CFO impersonations being the most common tactics. New data from Trustpair’s 2024 U.S. Fraud study supports this, revealing that a significant number of CFOs and finance teams have experienced fraud firsthand. The study surveyed 266 U.S.-based director and C-level finance and treasury professionals from companies with over $1 billion in revenue, finding that 83% reported fraud attempts on their business within the past year.

PhishTitan Features for Business Email Security

Through real-time analysis and threat assessment, PhishTitan neutralizes Business Email Compromise (BEC) and spear-phishing scams before they begin. PhishTitan uses layers of protection to ensure that business emails are protected. These protective layers include:

  • AI-driven Threat Intelligence: Anti-phishing analysis uses AI trained on a vast body of threat data; it flags dangerous URLs and web pages, preventing employees from clicking links or navigating to malicious websites.
  • Advanced M365 Security: Integrated with M365, it scans all emails (internal and external), augmenting EOP and MS Defender for unbeatable phishing protection.
  • Time of Click Protection: PhishTitan replaces email links and sends the link to an inspection site to check the validity of the website associated with the link. If the website is a phishing site, the user will not be able to navigate to the site.
  • Auto Remediation: Post Delivery Remediation allows MSPs to swiftly eliminate threats from users’ inboxes, promptly removing malicious mail that has already been delivered.
  • URL Rewriting and Analysis: works with ‘time of click’ protection to prevent successful phishing attacks. PhishTitan rewrites URLs to ensure Link Lock protection. It inspects and rewrites all URLs to detect links to malicious sites, ensuring safety.
  • Native Integration with Office 365 email: makes business email security simple and removes human error.
  • Real-time Threat Analysis: essential to capture advanced phishing attempts.
  • Link Lock Service: ensures that users remain protected even if a recipient clicks a URL in a malicious email.
  • Smart Mail Protection: compares incoming mail with a list of known threats. Data from multiple sources across the global threat landscape ensures that the most current threats are always part of this list.
  • Data Loss Prevention (DLP): prevents sensitive data from leaving the corporate network. Protects intellectual property, customer data, and other sensitive information.


Susan Morrow
