Executive targeting: a dynamic risk

Executive summary

• Successful social engineering attacks on executives pose a high security risk to companies, but one that falls between the silos of corporate and personal security. 

• Attacks on executives are evolving amid technological and societal changes; criminals can exploit public data, target executives on multiple channels, and use AI to enhance the credibility and precision of attacks. 

• Organisations should invest in executive security with digital exposure assessments to identify vulnerabilities and reduce both risks that span personal and corporate domains. 

Tyburn St Raphael is security consultancy specialising at countering cyber, physical, and hybrid threats to high-risk individuals. 

We are experts at digital footprinting exercises and providing tailored security recommendations to executives and other high-risk individuals.

CONTACT US

Executive targeting: a dynamic risk

Executives’ access, authority, and insider knowledge make them a lucrative target for criminals. Organisations that invest in enterprise cybersecurity can nonetheless be left exposed if they fail to address executives’ personal security risk. 

The level of targeting of executives increased from 2013 with the widespread adoption of cloud-based email [LINK, LINK, LINK]. This shift coincided with the emergence of business email compromise (BEC), also known as ‘whaling’ or ‘CEO impersonation’ [LINK]. The FBI first formally identified BEC as a major cybercrime threat in 2014 and estimated global losses exceeding USD3 billion in 2017 [LINK].

Executive targeting in the 2010s was largely email-centric and relied on social engineering techniques. In 2016, criminals compromised the enterprise network of FACC, an Austrian-based aerospace company, and observed the CEO’s writing habits before impersonating them with a spoofed email address [LINK]. Over EUR42 million was transferred to Chinese accounts, of which FACC managed to recoup EUR10.8 million in March 2025 after extensive cooperation with Chinese authorities [LINK, LINK]. Similar email-based attacks successfully targeted US agricultural firm Scoular Co and US technology company Ubiquiti Networks in 2015 [LINK, LINK].

Secured Recommendations

Conduct digital footprinting assessments for executives

Structured digital footprinting assessments identify and minimise executives’ online exposures in a discreet and safe environment. 

Engage external experts for personalised security reviews

Personalised reviews conducted by experts assess existing security practices and contextualise requirements to create tailored security recommendations. 

Implement continuous monitoring to stay ahead of threats

Continuous monitoring and routine takedown requests minimise exposure and reveal evolving risks in the digital environment before they escalate. This also builds resilience and confidence among clients and partners.

Growth in public data enables targeting

Convincing impersonation attacks traditionally required criminals to gain direct network access. However, the public availability of data now enables convincing impersonation without intrusion. 

Data brokers – online entities that collect, aggregate, and sell personal and other information – exemplify this trend. A 2022 study of 750 executives found that 99% executives’ data was available on more than 30 data broker sites, with 95% of profiles containing PII, contact details, and sensitive information about family and close associates [LINK]. Barriers to accessing this information are low, and criminals routinely exploit this information to launch targeted attacks [LINK, LINK].

Breached data further compounds this exposure. A 2025 study of over 10,000 chief executives found that 99% featured in data breaches, with personal or corporate credentials appearing in an average of 43 data breaches or compilations per executive [LINK]. Executives are often unaware of the risks associated with their exposure to data breaches, and this vulnerability is often targeted by criminals to compromise executives’ personal and corporate environments.  

Social media adds another layer of risk. Executives, like other people, often share personal information such as family information, location data, and video or audio content that can be aggregated to build detailed profiles. 

Criminal groups monitor the social media accounts of high-worth individuals before launching digital or physical attacks [LINK]. For instance, footballers John Terry and Jack Grealish were burgled in 2017 and 2023 respectively, when social media activity indicated they were away from the properties [LINK, LINK]. 

LinkedIn is not traditionally perceived as a social media platform for sharing personal information. However, some executives reveal personal and corporate information, including family details, promotion announcements, and new hires [LINK]. The failure to update account privacy settings can lead executives to reveal more than they intended. 

Changing working patterns and multimodal campaigns 

Changing communication and working patterns have given criminals more information and multiple ways of accessing executives [LINK]. 

Attackers have adapted to growing awareness of email-based threats by operating across both professional and personal domains, targeting the full spectrum of an executive’s digital footprint for compromise. Attacks have become multimodal, encompassing social media, messaging platforms, virtual meeting environments, and physical documents. 

In 2024, Arup, a British-based engineering firm, lost GBP20 million when malicious actors used multiple channels to trick an employee into transferring funds to foreign accounts [LINK]. The employee received a spoofed email impersonating the CFO. The employee was then invited to a video conference call with an AI-generated deepfake CFO and other familiar senior executives discussing the fraudulent transaction [LINK, LINK, LINK]. Arup only discovered the attack when the employee followed up with Arup headquarters later [LINK]. Similar impersonation attempts of executives have targeted Ferrari and password manager company LastPass in 2024 [LINK, LINK].

AI-assisted executive targeting 

The credibility and precision of contemporary executive targeting attempts has been increased by technological advancements. AI-generated deepfakes are one of the most common vectors used by malicious actors currently to impersonate executives. 

In May 2024, malicious actors exploited publicly available images and video and audio material of Mark Read, CEO of WPP, to create deepfake audio and video footage and attempted to convince an unnamed ‘agency leader’ to solicit personal details and money [LINK]. While the attempt on WPP was unsuccessful, an unnamed Singaporean branch of a multinational corporation lost over USD499,000 in March 2025 when malicious actors impersonated the company’s CFO and a senior partner of a law firm during a video conference [LINK]. The victim only became aware of the scam when the threat actor requested an additional USD1.4 million [LINK]. 

The barriers to creating credible deepfake material have been lowered by AI, with open-source tooling readily available to develop basic material. From our experience, creating convincing deepfake audio and video material requires only 500 frames or roughly 20 seconds of footage [LINK]. However, higher-quality and longer source material produces better results. 

Large language models (LLMs) are likewise amplifying the ease, scale, and precision of campaigns targeting executives. Malicious actors can ingest large volumes of publicly available data – such as executives’ writing styles, communication patterns, and personal information – into LLMs to generate highly credible, tailored attacks at scale and speed. Additionally, LLMs can lower language barriers by enabling non-English speakers to produce convincing phishing or social-engineering content in fluent English.

Conclusion

Executive security is an area where vulnerabilities created by an executive’s personal digital life can create risk for their employer. Equally, companies can contribute to executives’ exposure by featuring them prominently in marketing materials and encouraging them to maintain a high online presence. 

The security processes and controls needed to mitigate these risks fall outside the scope of enterprise cyber security. Organisations will also need to balance their executives’ right to a personal life and to recognise how far the lines between professional and personal digital activity have become blurred. Personal devices, social media accounts, and home networks will be essential to their working practices and professional identity. 

Organisations should therefore work closely with executives to manage their personal security. Digital footprinting and personal security reviews can identify points of exposure. Regular monitoring of executives’ online presence and takedowns of personal data can mitigate risk. Adopting these proactive, proportionate security measures addresses risks to executives and their organisations.