Executive Phishing: What Is It? How Does It Happen?

What Is Executive Phishing?

Executive phishing is a type of Business Email Compromise (BEC) in which fraudsters pose as high-level executives and convince employees to wire money or give up sensitive data. Executive phishing can take on several other forms, including CEO fraud, whaling, and executive impersonation.

BEC scammers have targeted a range of organizations, from online platforms like Reddit to small school districts. And the repercussions can be devastating. The Internet Crime Complaint Center (IC3) 2022 Report placed BEC at the top of its list for the highest victim dollar loss at $83 million [*].

To the uninformed, executive phishing text messages, phone calls, voicemails, and emails may seem harmless. Knowing how to recognize and report them can help you safeguard your identity and organization.

Examples of Executive Phishing

Unlike other cyberattacks, executive phishing scams don’t ferry malicious payloads. These schemes prey on an employee’s respect for higher-ups and a desire to do right by their company.

Executive phishing campaigns tend to unfold when a scammer — masquerading as a vendor or someone in IT or upper management — initiates contact with an employee. This can happen via:

• Spoofed emails. Scammers alter the sender name so that emails appear to be from a senior employee. But upon closer examination, the sender's email address may not match the real one. There may also be spelling errors or unusual phrasing in the body of the email. Scammers can spoof text messages, too — a practice called smishing.
• Spoofed calls or voicemails. Fraudsters call employees, ostensibly amid conferences or business meetings without information that they need to “finalize a deal.” They may also leave scam voicemails — called vishing — to request cash. Some scammers even use artificial intelligence (AI) to mimic an executive’s voice.
• Social engineering. Con artists contrive a sense of urgency by making employees think that they’ve violated company policies or have outstanding bills to pay. Worried that they may be reprimanded, unwitting victims respond by clicking on a link or downloading an attachment — both of which belie the actual contents: a scam site or malware.
• Fake social media profiles. Professional networks like LinkedIn supply scammers with a free list of employees to target. Using real photos from a Google search, cybercriminals can fabricate a fake executive profile to propagate spam messages until someone complies.

Once they’ve successfully engaged an employee, fraudsters will:

• Request wire transfers to existing vendors — except they’ve spoofed the payment link so that funds are siphoned straight into an illicit account.
• Solicit wire transfers from employees, claiming that they need funds to make an emergency business-related purchase.
• Send fraudulent invoices from hijacked emails, hoping that you pay them.
• Claim to manage confidential company information, but this is merely a facade to gain unauthorized access to private accounts.
• Request W2 forms or other Personally Identifiable Information (PII), framing it as a pressing HR task or requirement.

BEC incidents continue to plague corporate America. The FBI received 21,832 BEC complaints in 2022 alone [*]. And the real-life examples below illustrate the insidious nature of these attacks.

Impersonating health networks

In November 2022, the U.S. Department of Justice (DOJ) charged 10 defendants for their involvement in BEC schemes targeting federal funding programs like Medicare and Medicaid [*]. 

Scammers spoofed hospital email addresses to persuade insurance employees to submit payments to a new bank account. Two Medicare programs, five Medicaid programs, and two U.S. private health insurers lost a collective $4.7 million.

Blind impersonation attacks

Last year, a BEC group called Crimson Kingsnake impersonated 19 well-known law firms to collect “overdue payments.” By fostering a sense of urgency, the scammers manipulated recipients into sending them payments for bogus services rendered [*].

Employees that resisted or asked for more information received emails with fake descriptions of the services allegedly completed. Sometimes, the group even replied as a company executive — a second impersonated persona in charge of authorizing a transaction.

⛳️ Related: What To Do If a Scammer Has Your Email Address →

Posing as Silicon Valley Bank customers

Following the collapse of the Silicon Valley Bank (SVB) earlier this year, scammers registered bogus domains to conduct BEC attacks on affected depositors [*]. Threats actors set up phishing sites that appeared to be distributing free USD Coin (USDC) to depositors willing to scan a QR code.

Other scammers spoofed SVB web domains, telling customers they were eligible for a payback program. Following the webpage’s instructions, victims shared compromised depositor logins, contact information, and personal crypto wallets.

A BEC attack on a New Hampshire town

In the summer of 2021, the town of Peterborough, New Hampshire lost $2.3 million to two elaborate email phishing attacks [*].

Thieves sent forged documents to state finance department employees, instructing them to redirect school district and community project payments to a fraudulent bank account. Since these emails originated overseas, it complicated the task of apprehending the culprits and recovering lost funds.

Whaling vs. Executive Phishing

Whaling and executive phishing are often used interchangeably — but they don’t have the same targets, motives, or methods of attack.

Whaling is a subset of executive phishing in which scammers specifically target C-level executives. They use personal or organizational data to trick officials into wiring large sums of money or sharing valuable trade secrets.

There’s an even deeper subset of executive phishing called spear phishing. In this type of attack, scammers set their sights on a specific individual. 

Usually, this person has significant control over the company’s data and technology stack. Like whaling, spear phishing attacks require extensive research. Scammers use the victim’s job title, direct reports, vendors they work with, and projects they work on to craft elaborate, realistic schemes.

Steps To Prevent Executive Phishing

Preventing executive phishing attacks is a company-wide effort. Here’s what you can do to keep your organization safe.

1. Recognize phishing attempts

If an email or text seems suspicious, it probably is. A few telltale signs of phishing are:

• Unfamiliar greetings. Most phishing emails and texts contain out-of-place phrasing that executives normally wouldn’t use, and they are chock-full of spelling and grammatical errors.
• Incorrect email addresses. Names may be misspelled, or the address may have slight variations compared to the actual company domain name.
• Unusual requests. Your peers won’t ask you for your login credentials, let alone ask you to wire money or send a confidential file to a personal email address.
• Suspicious attachments. These often contain malware that can infect your hard drive.

If you’re not sure if an email or text came from a trusted source, you can always use another form of communication to get in touch with the supposed sender and confirm that they tried to contact you.

Report any scam emails or texts to your cybersecurity department, and pay close attention during security awareness training and simulations. You’ll learn about new social engineering tactics and spoofing techniques to look out for.

2. Use multi-factor authentication (MFA) and a password manager

Unique, complex passwords are hard for cybercriminals to hack. Password managers remind you to change your passwords frequently, and help you create and safely store them.

But don’t stop there. Even if you have ironclad passwords, scammers can gain access to your login credentials through data breaches or leaks. 

Add a second authentication method to your accounts with multi-factor authentication (MFA). Biometric characteristics like your fingerprint or face are tough to replicate. Similarly, one-time codes sent to your phone or an authenticator app are difficult to intercept.

3. Consider Safe Browsing tools

Safe Browsing tools can block intrusive trackers, persistent ads, and websites designed to steal personal or financial information — such as company credit cards. The best Safe Browsing tools are iOS and Android compatible and work on major browsers like Firefox, Chrome, and Edge.

You might also consider using a VPN (virtual private network) to further protect your online privacy. VPNs hide your IP address and encrypt your browsing history as you surf the web.

4. Turn on email spam filters

Your IT team has likely activated email security features on your work email. But personal email can be a vector for executive phishing attacks, too. Here’s how to configure them:

Gmail

• Gmail scans all email messages for spam by default, but you can configure your own custom spam filters [*]. 
• For example, you can place spam messages in quarantine for your manual review, or scan messages from bulk senders more closely for spam. Start creating filters from the Spam section of your Admin Console: Menu → Apps → Google Workspace → Gmail → Spam, Phishing and Malware.

Outlook

• Microsoft Outlook automatically sends spam emails to your junk folder, but you can make its filtering more regimented [*]. To choose the level of protection you want, go to Home → Delete group → Junk → Junk email options. Then, click on the Low, High, or Safe Lists Only option.
• You can also delete all suspected junk messages instead of moving them to the junk email folder. Simply check the box for “Permanently delete suspected junk email instead of moving it to the Junk E-mail folder.” 

AOL

• AOL users can indicate any email as spam by clicking on Mark as Spam [*]. AOL will then give you the option to unsubscribe, meaning you’ll no longer receive messages from that email address. 
• If you mark an email as spam by accident, go to the Spam folder and select the email you marked by mistake. Then, check the box to the left of the email and confirm your selection.

Yahoo!

• Yahoo! scans emails for spam; but, just like AOL, you can report emails that evade spam filters [*]. Go to your Yahoo Mail, select the email, and click on Mark as spam. 
• When you click on the button, you’ll be given the option to Unsubscribe or Report as spam, which moves the email to your spam folder.

iCloud

iCloud Mail uses dynamic lists and trend models to detect and block junk automatically [*]. But if you see an odd email, you can mark it as spam from your:

• Mac: Select the message and click on the Junk button or drag the message to the junk folder.
• iPhone or iPad: Swipe left on the message, tap on More, and then tap on Move to Junk.
• iCloud.com email account: Select the message, click on the Flag button, and then pick Move to Junk or drag the message to the junk folder.

5. Do not click on links or respond to urgent messages

Scammers use urgency to provoke action, but don’t give in. Opening a spam email may not do any immediate harm — but clicking on phishing links can send you to sites that steal your password or automatically download spyware onto your phone or computer. Instead of engaging with a suspicious email, follow IT’s official recommendations to report spam.

⛳️ Related: What To Do If You’ve Been Phished: 7 Next Steps →

6. Activate call filters

If scammers have your phone number, they will continue to call or text you, hoping that you will eventually relent.

Most phone carriers display incoming spam calls as “Scam Likely,” warning their customers not to pick up. And some carriers offer extra spam blocking for a small fee.

If you continue to receive calls or texts from a particular phone number, consider blocking that number. Here’s how to block numbers on an:

Android device

• Open the Phone app [*].
• Long-press the number you want to block.
• Tap on Block.

iPhone

• Open the Phone app and find the number you want to block in your Contacts, All or Missed calls, or Voicemail [*]. 
• Tap on More Info next to the phone number or contact name that you want to block.
• Tap on Block this Caller.

Always-on spam call and text protection can screen and block scam calls before they ever reach you. AI-powered call assistants can silence spam calls and only forward important delivery, appointment, or emergency calls.

7. Update your social media privacy settings

Social media platforms retain extensive information about you, your family, and even where you work.

As a general rule, don’t post pictures or statuses that give away your location. And avoid posting any personal details or sensitive information. 

Beyond that, restrict who can see your profile, comment on or like your content, and follow you. In your privacy settings, look for ways to:

• Limit the personal data that apps collect. Social media apps may share this information with advertisers or could suffer from an accidental breach or leak.
• Restrict access to third-party apps. Don’t use your Gmail or social media profile to log in to other accounts. Create a new username and password that’s harder for hackers to intercept, and revoke access to any connected apps that you no longer use.
• Revisit your friend list. Cull accounts that you don’t recognize, and block and report unknown users who keep contacting you. Make your profile private, and limit who can find and send you connection requests.
• Take advantage of privacy checkups. Both Google and Facebook offer privacy checkup tools to review every aspect of your profile and suggest safer settings.

💡 Related: 15 Facebook Scams You Didn't Know About (Until Now) →

CEO Fraud Is Serious — Identity Guard Can Help.

The widespread use of social media has made it easy for fraudsters to harvest information about their targets.

Thieves can easily find the whereabouts, roles, and responsibilities of prominent executives and employees. 

Fake emails, scam texts, and spam calls are relatively low-cost compared to other forms of fraud. Worse, the security gaps resulting from remote work have left the social engineering door wide open.

If you suspect an executive phishing attempt at your company, report it to:

• Your IT department. Take screenshots of any emails or SMS messages, and mark them as spam. Then, share them with IT so that they can inform the rest of the company, conduct a full investigation, and contain the scope of the attack. 
• Affected senior leadership. Impersonated executives may be the target of other scams or doxxing. Informing them early can prevent family, friends, and coworkers from falling for other types of phishing attacks.
• Banks or affected vendors. Banks can freeze and close compromised accounts and may even be able to stop fraudulent wire transfers. Vendors can shut down impacted applications and control the incident on their end.
• Law enforcement. Work with your IT department to report cybercrimes to local police. Use the resulting police report, financial transactions, screenshots, and other supporting evidence to file a report with the FBI’s IC3.

The most potent defense against executive phishing is to secure the channels that scammers might use to contact you. Here’s where you can rely on Identity Guard.

Complete with a password manager, Safe Browsing tools, and near-immediate fraud alerts, you’ll be the first to know if your information has been compromised.

Get 33% off when you sign up for Identity Guard today →