The CEO Who Wired $47 Million to a Criminal

In 2016, Austrian aerospace manufacturer FACC lost €42 million (roughly $47 million) after attackers impersonated the CEO in emails directing employees to transfer funds for a fake acquisition. The CEO was fired. The CFO was fired. The company's stock dropped 17%. And it all started with a single phishing email crafted to look like it came from the top.

Executive phishing attacks — often called whaling — remain the most financially devastating category of cybercrime targeting organizations in 2025. According to the FBI's Internet Crime Complaint Center (IC3), business email compromise (BEC) schemes, the category that includes executive-targeted phishing, accounted for over $2.9 billion in reported losses in 2023 alone. That number has climbed every single year for the past decade.

This post breaks down exactly how threat actors target executives, why traditional defenses fail at the leadership level, and the specific steps I've seen actually reduce risk. If you're responsible for protecting your organization's leadership team, this is the playbook.

What Are Executive Phishing Attacks, Exactly?

Executive phishing attacks are highly targeted social engineering campaigns directed at C-suite leaders, board members, and senior executives. Unlike mass phishing blasts sent to thousands of inboxes, these attacks are researched, personalized, and often nearly indistinguishable from legitimate communications.

Attackers typically pursue one of three goals: credential theft to gain access to executive email accounts, wire fraud through impersonation, or malware deployment to establish a foothold for ransomware or data exfiltration. The common thread is that every attack exploits the authority, access, and trust that executives carry within an organization.

The term "whaling" exists because these aren't ordinary phish — they're going after the biggest targets in the organization. And the payoff for attackers is proportionally massive.

Why Executives Are the Perfect Targets

Authority That Bypasses Controls

When the CEO sends an urgent email to the controller requesting a wire transfer, most employees don't push back. Threat actors know this. They exploit organizational hierarchy as a weapon. An employee who would question a strange request from a peer will comply instantly when they believe the request comes from leadership.

I've seen this pattern in dozens of incident reviews. The employee who executed the fraudulent transfer almost always says the same thing: "I thought it was unusual, but it came from the CEO."

A Massive Digital Footprint

Executives are public figures within their industries. Their conference appearances, LinkedIn posts, press releases, SEC filings, and even personal social media accounts give attackers a goldmine of intelligence. An attacker can learn who the CEO's executive assistant is, which law firm handles the company's M&A work, and when the CFO is traveling internationally — all from public sources.

This open-source intelligence (OSINT) makes spear phishing emails terrifyingly convincing. A phishing email referencing a real deal, a real board meeting date, or a real vendor relationship doesn't look like a scam. It looks like Tuesday.

Executives Often Exempt Themselves from Security Controls

Here's an uncomfortable truth I've encountered repeatedly: executives are the most likely group in an organization to request exceptions to security policies. They want their personal devices on the network. They resist multi-factor authentication because it slows them down. They forward work email to personal accounts.

Every exception creates an attack surface. And attackers know that the C-suite often operates with fewer restrictions than the rest of the workforce.

The $4.88M Lesson in the 2024 IBM Report

The 2024 IBM Cost of a Data Breach Report found the global average cost of a data breach hit $4.88 million — the highest ever recorded. Phishing was the most common initial attack vector, and breaches involving compromised credentials (often harvested through executive phishing) took an average of 292 days to identify and contain.

Nearly 10 months. That's how long attackers sit inside your environment after stealing an executive's credentials. During that time, they read emails, map internal relationships, and prepare devastating follow-on attacks — including ransomware deployment or additional BEC fraud targeting your partners and clients.

The financial damage from a compromised executive account isn't just the initial fraud. It's the downstream breach costs, regulatory fines, legal liability, and reputational damage that compound over months and years.

How Executive Phishing Attacks Actually Work in 2025

Stage 1: Reconnaissance

Attackers spend days or weeks researching the target. They monitor LinkedIn for job changes, read press releases for deal announcements, and check court filings, patent applications, and regulatory submissions. They identify the executive's communication patterns, key relationships, and upcoming events.

Stage 2: Infrastructure Setup

The attacker registers a lookalike domain — maybe swapping an "l" for a "1" or using a .co instead of .com. They configure email authentication to pass basic checks. Some sophisticated groups compromise a real vendor or partner email account to send the phishing email from a truly legitimate address.
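The lookalike-domain tricks described above are mechanical enough to detect automatically. The following is an added example, not code from the original post: a small classifier that folds common confusables (l/1, rn/m, 0/o and so on), catches TLD swaps such as .co for .com, catches the protected name embedded as a subdomain label, and flags one-edit typos. The protected-domain list, the confusable table and the edit-distance threshold are assumptions chosen for illustration.

```python
# Added example, not code from the original post: flags sender domains that
# imitate a protected domain. Confusable table and thresholds are assumptions.
import unicodedata

# Confusable sequences folded to the letter they imitate (assumed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize_label(label: str) -> str:
    """Fold confusables so 'examp1e' and 'exarnple' both become 'example'."""
    label = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in CONFUSABLES:
        label = label.replace(seq, rep)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (registrable label, tld). Naive: assumes a single-label public suffix."""
    parts = domain.lower().strip().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender_domain(sender_domain: str, protected_domains):
    """Return (verdict, detail). Verdicts: 'exact', 'lookalike', 'unrelated'."""
    sender_domain = sender_domain.lower().strip()
    s_label, s_tld = split_domain(sender_domain)
    for protected in protected_domains:
        protected = protected.lower()
        # The real domain or one of its own subdomains is fine.
        if sender_domain == protected or sender_domain.endswith("." + protected):
            return "exact", protected
        p_label, p_tld = split_domain(protected)
        # Same name once confusables are folded: homoglyph or TLD swap.
        if normalize_label(s_label) == normalize_label(p_label):
            if s_tld != p_tld:
                return "lookalike", f"tld swap of {protected}"
            return "lookalike", f"homoglyph of {protected}"
        # Protected name used as a subdomain label of an unrelated domain.
        if normalize_label(p_label) in [normalize_label(l) for l in sender_domain.split(".")[:-2]]:
            return "lookalike", f"embeds {protected} as a subdomain label"
        # Short labels produce too many false positives for a one-edit rule.
        if len(p_label) >= 5 and osa_distance(s_label, p_label) <= 1:
            return "lookalike", f"one edit from {protected}"
    return "unrelated", ""
```

Run this over the From and Reply-To domains of inbound mail and over new domain registrations (certificate transparency logs are a practical feed) so a lookalike is known before the first lure arrives.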

Stage 3: The Lure

The phishing email arrives during a moment of stress or urgency — right before a board meeting, during a merger announcement, or while the executive is traveling. The message is contextually perfect. It might reference a real legal matter, a real vendor invoice, or a real HR issue.

Common lures in executive phishing attacks include:

  • Fake DocuSign or Adobe Sign requests for "board resolution" documents
  • Spoofed emails from the company's outside counsel regarding "confidential litigation"
  • Impersonation of a fellow board member requesting a call or document review
  • Fake calendar invites for emergency meetings with credential-harvesting links
  • Fraudulent wire transfer requests sent to finance staff appearing to come from the CEO

Stage 4: Exploitation

If the executive clicks a credential-harvesting link, the attacker captures their username and password — often through a convincing replica of a Microsoft 365 or Google Workspace login page. If MFA isn't enforced, the attacker has immediate access. Even with MFA, attackers increasingly use adversary-in-the-middle (AiTM) phishing toolkits that capture session tokens in real time.

Once inside the executive's mailbox, the game changes completely. The attacker can send emails as the executive, access confidential strategy documents, and launch secondary BEC attacks against employees, partners, and clients.

Defenses That Actually Work Against Whaling

Targeted Security Awareness Training for Leadership

Generic annual compliance training doesn't prepare executives for the sophisticated attacks they face. Leadership needs training that mirrors real-world whaling scenarios — specific, scenario-based, and frequent. Our phishing awareness training for organizations includes phishing simulation campaigns specifically designed to test how executives respond to realistic spear phishing and BEC attempts.

In my experience, the organizations that run quarterly phishing simulations targeting their leadership team see measurable improvement. First-round click rates for executives often exceed 30%. After four cycles of targeted training and simulation, that number typically drops below 5%.

Enforce Multi-Factor Authentication — No Exceptions

MFA must be mandatory for every executive account, every time, with no exceptions. Phishing-resistant MFA using FIDO2 security keys is the gold standard. CISA has been clear on this recommendation, and the CISA MFA guidance provides a straightforward implementation path.

Traditional SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and AiTM attacks. For your highest-value accounts — and executive accounts are always highest-value — invest in hardware security keys.

Implement Verified Wire Transfer Procedures

No wire transfer above a defined threshold should ever be executed based solely on an email request. Establish a mandatory out-of-band verification step: a phone call to a known number, an in-person confirmation, or a dual-approval process in your banking platform.

This single control would have prevented the FACC loss. It would have prevented thousands of BEC incidents. Yet many organizations still haven't implemented it because it feels like it slows things down. It does. That's the point.
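Here is the verification procedure from this section written as a release check, so that finance tooling can refuse a wire rather than rely on someone remembering the rule under pressure. This is an added example, not the post's own procedure or any vendor's product: the threshold, the vendor master, the request and the approver names are all constructed for illustration.

```python
# Added example, not the post's own procedure: a release check that encodes
# "email alone never releases a wire above the threshold". Threshold, vendor
# master and sample data are constructed.
from dataclasses import dataclass
from typing import Optional

THRESHOLD = 10_000  # assumed policy threshold

# Constructed vendor master: the only source of callback numbers. A number
# quoted inside the request itself is never dialed, because the attacker
# controls the request.
VENDOR_MASTER = {"ACME Holdings": "+1-555-0100"}


@dataclass
class WireRequest:
    request_id: str
    requester: str        # the apparent sender of the request (e.g. "the CEO")
    amount: float
    beneficiary: str
    channel: str          # "email", "portal", ...


@dataclass
class Verification:
    method: str                      # "callback", "in_person", "bank_dual_approval"
    performed_by: str
    number_dialed: Optional[str] = None


def release_allowed(req: WireRequest, verifications, approvers):
    """Return (allowed, reasons). An empty reasons list means every control passed."""
    if req.amount <= THRESHOLD:
        return True, []
    reasons = []
    on_file = VENDOR_MASTER.get(req.beneficiary)
    if on_file is None:
        reasons.append("beneficiary not in vendor master; onboard the payee first")
    valid = []
    for v in verifications:
        if v.performed_by == req.requester:
            reasons.append(f"{v.method} by {v.performed_by} ignored: the requester cannot verify their own request")
            continue
        if v.method == "callback":
            # Only a callback to the number on file counts.
            if on_file and v.number_dialed == on_file:
                valid.append(v)
            else:
                reasons.append(f"callback to {v.number_dialed} ignored: not the number on file")
        elif v.method in ("in_person", "bank_dual_approval"):
            valid.append(v)
    if not valid:
        reasons.append("no valid out-of-band verification; an email request alone never releases a wire")
    distinct = set(approvers)
    if len(distinct) < 2:
        reasons.append("dual approval requires two distinct approvers")
    if req.requester in distinct:
        reasons.append("the requester cannot approve their own wire")
    return not reasons, reasons
```

The two edge cases worth noticing are the ones BEC actors count on: a callback to a number that appeared in the email is rejected, and a "verification" performed by the person who asked for the wire does not count.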

Deploy Advanced Email Security

Native email filtering from Microsoft or Google catches bulk phishing but often misses targeted executive attacks. Layer in advanced email security solutions that analyze sender behavior, detect lookalike domains, and flag unusual communication patterns. Enable DMARC, DKIM, and SPF on all your domains and monitor them actively.
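To make the SPF/DKIM/DMARC advice concrete, here is an added example (not code from the original post or from any email security vendor) of two checks a filtering step can run: one reads the Authentication-Results header that the receiving mail server already stamps on each message and quarantines mail that claims one of your domains without an aligned SPF or DKIM pass; the other grades a DMARC TXT record for the weak settings that leave a domain spoofable. The two sample messages, the authserv-id, the domains and the records in the tests are constructed placeholders.

```python
# Added example, not code from the original post: evaluates a message's
# Authentication-Results header and grades a DMARC record. Sample messages
# and domains are constructed.
import email
import re
from email import policy


def parse_auth_results(header_value: str) -> dict:
    """Parse 'authserv; spf=pass smtp.mailfrom=a@x; dkim=pass header.d=x; dmarc=fail ...'."""
    results = {}
    for part in str(header_value).split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc|arc)=(\w+)(.*)", part, re.S)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        results[method] = {"result": result.lower(), **props}
    return results


def grade_message(raw_message: str, protected_domains) -> dict:
    """Quarantine mail that claims a protected From domain without aligned authentication."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain.lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    if not auth:
        reasons.append("no Authentication-Results header; claimed sender cannot be trusted")
    dkim, spf = auth.get("dkim", {}), auth.get("spf", {})
    # Alignment: the domain that passed must be the domain the user sees in From.
    dkim_aligned = dkim.get("result") == "pass" and dkim.get("header.d", "").lower() == from_domain
    spf_aligned = (spf.get("result") == "pass"
                   and spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower() == from_domain)
    if from_domain in protected_domains and not (dkim_aligned or spf_aligned):
        reasons.append(f"claims protected domain {from_domain} without an aligned SPF or DKIM pass")
    if auth.get("dmarc", {}).get("result") == "fail":
        reasons.append("receiving server recorded dmarc=fail")
    return {"from_domain": from_domain, "verdict": "quarantine" if reasons else "deliver",
            "reasons": reasons}


def grade_dmarc_record(txt: str):
    """Return (policy, findings) for a DMARC TXT record such as 'v=DMARC1; p=none; rua=...'."""
    tags = {}
    for kv in txt.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC record (v tag missing or wrong)")
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("p=none: failures are only reported, never blocked")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail still lands in spam folders; move to p=reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if tags.get("sp", p).lower() == "none" and p != "none":
        findings.append("sp=none: subdomains are exempt from the policy")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not collected, so abuse goes unseen")
    return p, findings


# Constructed samples: a spoof of the CEO's address and a legitimate message.
SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Urgent wire before market close
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=jane.doe@example.com; dkim=none; dmarc=fail header.from=example.com

Please release the attached wire today.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 forecast
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=jane.doe@example.com; dkim=pass header.d=example.com header.s=s1; dmarc=pass header.from=example.com

Draft attached for review.
"""
```

One caveat that matters for whaling: a lookalike domain the attacker registered and configured correctly will pass these checks for its own domain, because it is not your domain. Authentication proves who sent the mail, not whether that sender resembles someone you trust, which is why lookalike detection and display-name checks are a separate layer.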

Adopt Zero Trust Architecture

A zero trust approach assumes that any account — including an executive account — can be compromised. It enforces continuous verification, least-privilege access, and microsegmentation. When an executive's credentials are stolen, zero trust limits the blast radius by preventing lateral movement and restricting access to only what's needed for each specific session.

The Psychological Levers Attackers Pull

Executive phishing attacks work because they exploit specific psychological principles that are amplified at the leadership level:

Authority bias: Employees comply with requests from perceived authority figures without questioning them. Attackers impersonate executives to weaponize this instinct.

Urgency: Whaling emails almost always create artificial time pressure. "This needs to happen before market close" or "The board needs this before tomorrow's meeting" short-circuits careful analysis.

Confidentiality: Attackers frequently mark requests as "confidential" or "do not discuss with anyone." This isolates the target from colleagues who might recognize the fraud.

Understanding these levers is the foundation of effective security awareness. Your team needs to recognize these tactics instinctively. Our cybersecurity awareness training program covers these social engineering techniques in depth, with real-world examples that resonate with both executives and the employees who support them.

What To Do When an Executive Account Is Compromised

Speed matters. If you suspect an executive email account has been compromised, take these steps immediately:

  • Revoke all active sessions for the compromised account — don't just reset the password
  • Reset credentials and re-enroll MFA on a verified clean device
  • Review mailbox rules — attackers commonly create forwarding rules to maintain access even after a password reset
  • Audit sent items and deleted folders to identify any BEC emails sent from the account to partners, vendors, or employees
  • Notify your bank immediately if any financial instructions were sent from the compromised account
  • Engage legal counsel to assess breach notification obligations
  • Report to the FBI's IC3 at ic3.gov — this is critical for potential fund recovery on wire fraud
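The mailbox-rule review in the list above is the step most often done by eye and most often missed. The following is an added example, not code from the original post: an audit over an exported list of inbox rules that scores the patterns attackers leave behind after taking over a mailbox (external forwarding, auto-delete, hiding mail in rarely checked folders, keyword filters on finance or security mail, blank or one-character rule names). The JSON export and its field names are constructed for illustration; in practice the rules would come from Get-InboxRule in Exchange Online PowerShell or the equivalent Google Workspace API and would need mapping to these fields.

```python
# Added example, not code from the original post: scores exported inbox rules
# for post-compromise persistence patterns. Export format and sample rules
# are constructed.
import json

INTERNAL_DOMAINS = {"example.com"}
KEYWORDS = {"wire", "invoice", "payment", "bank", "password", "mfa", "security", "phish", "fraud"}
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                  "deleted items", "archive"}

# Constructed sample export: one benign rule, two that should be escalated.
SAMPLE_EXPORT = json.dumps([
    {"name": "Newsletters", "from_contains": ["news@vendor.example.net"],
     "move_to_folder": "Newsletters"},
    {"name": ".", "subject_contains": ["wire", "invoice", "password"],
     "forward_to": ["archive-jdoe@mailbox.example.net"],
     "move_to_folder": "RSS Feeds", "mark_as_read": True},
    {"name": "Forward to personal", "forward_to": ["jane.doe@personal.example.net"]},
])


def audit_inbox_rules(export_json: str, internal_domains=INTERNAL_DOMAINS):
    """Return findings sorted by severity: [{'name', 'flags', 'score'}, ...]."""
    findings = []
    for rule in json.loads(export_json):
        flags = []
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in internal_domains]
        if external:
            flags.append("forwards or redirects to external address: " + ", ".join(external))
        if rule.get("delete_message"):
            flags.append("deletes matching mail")
        folder = rule.get("move_to_folder", "").lower()
        if folder in HIDING_FOLDERS:
            flags.append(f"moves mail to rarely checked folder '{rule['move_to_folder']}'")
        terms = {t.lower() for t in rule.get("subject_contains", []) + rule.get("body_contains", [])}
        hits = sorted(terms & KEYWORDS)
        if hits:
            flags.append("filters on sensitive keywords: " + ", ".join(hits))
        if len(rule.get("name", "").strip()) <= 1:
            flags.append("rule has a blank or one-character name")
        # Mark-as-read is only interesting alongside another suspicious action.
        if rule.get("mark_as_read") and flags:
            flags.append("marks mail as read (hides activity from the owner)")
        if flags:
            findings.append({"name": rule.get("name", ""), "flags": flags, "score": len(flags)})
    return sorted(findings, key=lambda f: -f["score"])
```

Treat every finding as something to remove and to investigate, not just to delete: the forwarding address and the keywords tell you what the attacker was waiting for, which is usually the wire or invoice thread they intend to hijack next.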

The FBI's Recovery Asset Team (RAT) has successfully frozen fraudulent wire transfers when reported within 72 hours. Delay is the enemy.

Building an Executive Protection Program

The most resilient organizations treat executive cybersecurity as a distinct discipline, not an afterthought. Here's what a mature executive protection program includes:

  • Quarterly phishing simulations tailored specifically to executive roles and scenarios
  • Annual OSINT assessments showing each executive what attackers can learn about them from public sources
  • Personal device security reviews and hardening for executives who use personal devices for work
  • Travel security protocols including burner devices and VPN enforcement for international travel
  • Executive-specific incident response playbooks with direct communication channels to the security team
  • Board-level cybersecurity briefings that keep leadership engaged and informed about the threat landscape

This isn't theoretical. The organizations I've worked with that implement these measures consistently experience fewer successful attacks and faster response times when incidents do occur.

Executive Phishing Isn't Going Away — But You Can Get Ahead of It

Threat actors will continue targeting executives because the economics are irresistible. A single compromised C-suite email account can yield millions in fraudulent transfers, provide access to the most sensitive data in the organization, and serve as a launching pad for attacks on partners and clients.

The organizations that consistently beat these attacks share three traits: they train their leadership team with realistic, ongoing phishing simulations; they enforce technical controls like phishing-resistant MFA without executive exceptions; and they build verification procedures that don't rely on email alone for high-stakes decisions.

Your executives are your highest-value targets. Protect them accordingly.