Exposed executive: specific threat model
Threats specific to the media or financially exposed executive, actual attack vectors, and proportionate measures.
This version was translated with AI assistance and reviewed by a human.
The CFO receives a voice message from the CEO. The voice is right, the tone is right, the urgency is credible: a confidential acquisition, a deposit to wire before 5 p.m., and don’t mention it to anyone. He wires 340,000 euros. The CEO never made that call. The voice was synthesized from three minutes of a YouTube interview. I have debriefed this exact scene three times in eighteen months.
The usual trap
“We have corporate security.” That’s the answer I get nine times out of ten when I raise an executive’s personal security. It reveals a perimeter confusion that costs dearly. Corporate security protects the company: the infrastructure, the endpoints, the work email, the VPN access. It does not protect the executive as an individual — their private life, their family, their personal assets, their personal phone, their reputation. The two perimeters barely overlap, and the blind spot between them is exactly where attackers walk in.
The second trap is subtler: the executive believes they are too important to be attacked carelessly, and too sharp to fall for a crude trick. Both beliefs are wrong. An executive is indeed not attacked carelessly: they are attacked with care, with reconnaissance time, with a budget. And they fall for the trap not through stupidity but through bandwidth — they decide fast, under pressure, between two meetings, on their phone, which is exactly the attacker’s playground.
The dominant discourse adds a layer of theatre. Executives are offered phishing awareness training designed for the average employee — spot the typo, the odd address, the suspicious attachment. None of those signals exist in a targeted attack against an executive. The message is clean, the sender is credible, the context is accurate. Generic training does not prepare for the real threat model. It reassures, which is worse.
The last trap is the asymmetry of treatment inside the organization. The executive is the only person who can refuse a security measure everyone else endures. They refuse constraining MFA because they’re in a hurry, travel to risk countries unprepared because they’re used to it, use their personal phone for critical decisions because it’s convenient. Every exemption they grant themselves becomes the weakest and most valuable link in the entire chain.
Real threat model: why an executive is a distinct target
A standard employee represents limited access and an opportunistic adversary. An executive represents something different across several dimensions at once, and their adversaries are not just anonymous hackers. They are competitors in an M&A process, law firms in adverse litigation, journalists running due diligence, states conducting economic espionage, and sometimes a former partner or ex-spouse with a grudge and time.
The value of access. A single compromised CEO email account opens communications on ongoing M&A transactions, non-public strategic decisions, exchanges with shareholders, sensitive contracts. To an attacker, that’s a mine that can be worth tens of millions in the right markets — insider trading, a negotiating position, blackmail.
Direct influence over financial flows. A compromised or merely spoofed executive account allows wires to be ordered. CEO fraud — or BEC, Business Email Compromise — is the most profitable mechanism of the moment. According to the FBI’s IC3, global BEC losses exceed 55 billion dollars cumulatively over the past decade, with several billion reported every year. Europe is not spared, and the majority of cases are never reported.
Identifiable personal wealth. Public registries — company filings, land records in many countries, commercial registers — map an executive’s assets with disconcerting precision. That information feeds blackmail, targeted identity fraud, and in extreme cases physical threats against family members.
Geopolitical exposure. For an executive operating in China, Russia, parts of the Middle East, or any economically tense region, espionage is an operational reality. Several states’ economic intelligence services actively target traveling executives: hotels, phones, laptops left in rooms, controlled local networks.
Self-built media visibility. Every LinkedIn post reveals current topics, travel, contacts, projects. Every conference photo gives a geolocation and a set of acquaintances. Every interview details the strategy — and incidentally provides the voice sample that will feed the deepfake. This visibility is built for business, but it simultaneously and freely feeds the OSINT of anyone interested in the executive.
Specific attack vectors
BEC and CEO fraud
The typical scenario does not even require compromising an account. The attacker spoofs the domain — one character changed, a plausible subdomain, an identical display name — and writes to finance with an “urgent and confidential” wire request. When the account is actually compromised (phishing, credential stuffing, a leak database with a reused password), the attack becomes nearly undetectable: the message comes from the real inbox, in the real thread, in the real style.
The central protection is not technical, it is procedural: systematic out-of-band verification for any wire above a threshold, through a channel different from the one the request arrived on, to an already-known number. This procedure must apply even — especially — when the request appears to come from the CEO. The executive must defend it publicly, otherwise the finance team will bypass it to avoid bothering them.
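As an added illustration (not code from this article), here is a defender-side check for the three sender-spoofing patterns listed above: a domain one character or homoglyph away from the real one, the real domain planted as a subdomain of a foreign one, and an executive’s display name on an external address. The organization domain, the executive roster and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions, not from the article): the organization's
# own domain and the executives whose names an attacker would impersonate.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",
    "marc dupont": "marc.dupont@example-corp.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: enough to catch a domain that is one character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold common homoglyph tricks so 'examp1e' and 'exarnple' compare equal to 'example'."""
    domain = domain.lower().replace("rn", "m").replace("vv", "w")
    return domain.translate(str.maketrans("01", "ol"))


def registrable(domain: str) -> str:
    """Last two labels. Assumption: the org domain is a plain second-level domain."""
    return ".".join(domain.lower().split(".")[-2:])


def classify_sender(header_from: str) -> list[str]:
    """Return the spoofing indicators found in a From: header (empty list = nothing flagged)."""
    name, addr = parseaddr(header_from)
    addr = addr.lower()
    if "@" not in addr:
        return ["malformed-address"]
    domain = addr.rsplit("@", 1)[1]
    # Legitimate: the org's own domain or one of its real subdomains.
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []
    reasons = []
    reg = registrable(domain)
    # Pattern 1: the real domain used as a subdomain of an attacker-controlled one.
    if domain.startswith(ORG_DOMAIN + "."):
        reasons.append("org-domain-as-subdomain")
    # Pattern 2: a registrable domain one character or one homoglyph away from the real one.
    elif normalize(reg) == ORG_DOMAIN or edit_distance(reg, ORG_DOMAIN) <= 1:
        reasons.append("lookalike-domain")
    # Pattern 3: an executive's display name on an address that is not theirs.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append("executive-display-name-external")
    return reasons
```

This only covers the spoofing case: when the real mailbox is compromised the header is genuine and nothing here fires, which is exactly why the callback procedure remains the control of record.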
Targeted spear phishing
Unlike mass phishing, spear phishing against an executive is built on deep reconnaissance: recent schedule gleaned from LinkedIn, an ongoing project mentioned in a press release, an event speaker list, an imitated communication style. The message is credible because it is accurate. It references a meeting that actually took place, a real counterpart, an ongoing matter.
The defense is behavioral, not technical. A link in an email, however credible, must never trigger a sensitive action without out-of-band verification. The reflex to install: slow down precisely when the message pushes you to speed up.
Audio and video deepfakes
Voice synthesis from a few minutes of audio is now accessible, fast and cheap. Real-time video deepfake, still imperfect two years ago, is now usable on a degraded video call. Documented cases keep piling up: calls with a synthesized voice ordering a wire, fake “leadership” video calls approving an operation. The voice sample comes from your interviews, your podcasts, your public talks. You put it online yourself.
Protection cannot rely on recognizing the voice or the face. It relies on a shared verbal passphrase exchanged out-of-band for sensitive operations, and on the absolute rule that no financial or access order is approved on the strength of a call or a video call alone.
Attacks through the inner circle
The PA, the spouse, the adult children, the regular vendors — each is an indirect access vector, often simpler than the executive themselves. Compromising a PA’s phone yields the calendar, contacts, travel patterns. A child’s Instagram profile yields the family routine, the school, the holiday home. The attacker takes the least-guarded path, and that path almost always bypasses the executive directly.
The personal device as entry point
The executive’s personal phone concentrates everything: work email quietly synced, banking approvals, messaging, geolocated photos, poorly maintained apps. It is neither managed by the company MDM, nor covered by the EDR, nor included in controlled backups. It is the most valuable and least protected asset. One SIM swap on the personal number, and the attacker intercepts the SMS codes of half the accounts.
The right approach: frame without controlling
The shift fits in one sentence: you don’t secure an executive by imposing the employee’s rules, you secure them by designing protection that fits their real bandwidth constraint. Any measure that slows the executive without reason will be bypassed. Any measure invisible once installed will be kept. The art is to move friction from usage to configuration.
Hardware MFA rather than constraining MFA. The executive refuses app-based TOTP because it means pulling out the phone, opening the app, copying a code, six times a day. Give them two hardware FIDO2 keys (YubiKey, one primary, one backup). A single touch, no code to copy, phishing-resistant by design. Friction disappears once the key is enrolled. It is the only MFA an executive actually keeps.
Compartmentation rather than prohibition. Forbidding the executive from using their personal phone always fails. Giving them a second device dedicated to sensitive matters — M&A, litigation, personal data — works, provided it is as smooth as their own. The work device becomes the channel for critical decisions; the personal one stays for private life. The separation protects information without asking the executive to fundamentally change their habits.
Procedures that fire without them. The executive should not be the guardian of procedures, they should be the beneficiary. Out-of-band wire verification, access revocation on incident, automatic encrypted backup of their devices — all of it runs in the background, operated by someone else. The executive approves the design once, then stops thinking about it.
A short, embodied briefing before risky travel. Not a 40-page document. A fifteen-minute exchange before a trip to a sensitive region: clean travel device, communications over Signal, no connection to systems from the hotel’s local network, what to do in case of a border search or an unlock demand (compelled disclosure). Fifteen minutes anchor a reflex that forty pages never create.
The personal exposure audit, treated as intelligence. Defensive OSINT on the executive themselves, once or twice a year, by a third party starting from zero like a real adversary. The result is almost always more alarming than expected, and that is exactly what unlocks the executive’s buy-in to the other measures. Nothing convinces a CEO like seeing their home address and their PA’s face surfaced in four hours.
What this means concretely
For you, as an individual
Your personal exposure is the entry point of any attack on your organization. Not your firewall: you. The attacker builds their approach from what’s public about you, and you are the only person who can decide to reduce that surface. The exposure audit is not an option, it is your priority.
Your three priorities, this week:
- Two hardware FIDO2 keys on your critical accounts. Primary email, banking, key work accounts. A YubiKey costs 50 to 70 €, get two (primary + backup). A single touch, no code to copy, and it’s the only MFA that resists spear phishing. Drop SMS codes, which are vulnerable to SIM swap.
- The “never on the strength of a message alone” rule. Decide it, and tell your finance team and your PA: no wire, no change of bank details, no access is approved without a callback to an already-known number. Even if the request appears to come from you. It’s free and it stops CEO fraud.
- An evening’s self-run exposure audit. Search for yourself in public company registries, check your email addresses on Have I Been Pwned, look at your LinkedIn while logged out. You’ll see what an adversary sees. Turn off geolocation on your posts. Ask your children to lock their social accounts. Budget: zero, apart from the FIDO2 keys.
The real cost of these three priorities stays under 200 €. The cost of a single fraudulent wire runs into hundreds of thousands.
For you, CISO / CIO / executive
The executive is the most exposed and least protected link in your organization. They refuse constraining MFA, travel unprepared, decide on their personal phone. Securing them is not a technical problem, it is a problem of design and governance. The shift reorganizes your approach across five points.
1. Treat the executive’s individual exposure as an organizational asset. The attacker does not target your infrastructure first, they target your CEO, your CFO, your general counsel. OSINT on the individual is the precondition for the attack on the organization. Direct consequence: integrate the exposure audit of key people into your security program, on par with an application pentest, once or twice a year per sensitive profile.
2. Design friction at configuration time, never at usage time. An executive bypasses any measure that slows them down in a meeting. Hardware FIDO2, compartmentation via a dedicated device, procedures operated by a third party: all of it shifts effort to setup and frees usage. Direct consequence: ban SMS-based one-time codes for exposed profiles, deploy two FIDO2 keys per executive, and never ask the executive to be the guardian of a procedure.
3. Institutionalize out-of-band verification and have the executive defend it. The anti-BEC procedure is only worth anything if it applies to requests coming from the executive themselves, and if the finance team is not afraid to trigger it. Direct consequence: a written threshold, an imposed callback channel, and a public statement from the executive that they want to be called back. Without that explicit sponsorship, the procedure is bypassed at the first “it’s urgent.”
4. Cover the personal device, which is outside your perimeter but inside your risk. The executive’s personal phone syncs work email, approves access, geolocates photos. It escapes the MDM and the EDR. Direct consequence: provide a work device dedicated to sensitive decisions, lock the number against SIM swap with the carrier, and migrate banking approval to an app or a key, never SMS.
5. Extend the standards to the operational inner circle. The executive assistant is an extension of the executive: calendar, contacts, travel, sometimes system access. Ignoring them creates an obvious gap. Direct consequence: train and equip the assistant to the same standards as the executive, and include them in briefings and incident response procedures.
For you, as an executive
You are the most exposed link in your organization, and the least protected. Not through negligence. By construction. You’re a high-value target — an access, financial flows, a signature — and your personal exposure is the shortest path to everything else. The attacker doesn’t force your firewall. He studies you.
What changes concretely isn’t technical. It’s a matter of priority and personal discipline.
Audit your own exposure first. Before the infrastructure, before the EDR, before the next tool your CISO wants to buy: what’s publicly findable about you. Your home address, your recent travel, your assistant’s face, your email accounts in the breach dumps. A third party starting from zero, like a real adversary, once or twice a year. The result will surprise you, and that’s exactly what will make you accept the rest. You can’t protect what you’ve never looked at.
Put a physical key on your critical personal accounts. Not your work accounts, which IT already manages. Yours: your bank, your primary email, your social networks. Those are the ones that serve as the pivot to everything else. Two hardware keys, one primary, one backup. Drop the SMS code, which falls in a day for a target worth the effort. You’re always worth the effort.
Watch what you publish. Every post reveals a calendar, a location, a contact. Every interview hands over the voice sample that will be used to imitate your voice. You build this visibility for the business. It freely feeds the intelligence of anyone interested in you. You don’t have to disappear. You have to decide, knowingly, what you give away.
The weak link isn’t the employee who clicks the wrong link. It’s the executive who refuses the constraint because he’s the boss. The exemption you grant yourself — “I’m in a hurry, we’ll do it later” — is exactly the one the attacker is waiting for. Security starts with you, or it doesn’t start.
Mistakes we see all the time
- Believing corporate security covers the executive. It covers the infrastructure, not the person. The blind spot between the two perimeters is exactly the attack zone.
- Training the executive on phishing like an employee. Mass-phishing signals (typo, odd address) do not exist in a targeted attack. Generic training reassures without preparing.
- Tolerating the executive’s MFA exemption. “They’re in a hurry, we’ll do it later”: that exemption is what makes the executive the most valuable link for the attacker. A FIDO2 key removes the friction, no more excuse.
- Keeping SMS as a second factor. A SIM swap bypasses SMS in a day for a target worth the effort. And an executive is always worth the effort.
- Approving wires on the strength of an email or a call. That’s the entry point for CEO fraud and voice deepfakes. Out-of-band verification costs two minutes and stops the attack.
- Forgetting the assistant and the inner circle. The least-guarded path bypasses the executive. The untrained PA, the child who geotags, the spouse on public Wi-Fi: so many indirect entry points.
- Traveling to risk regions without a travel device. The usual laptop left in a Beijing hotel room is no longer yours on return. A clean device costs 600 €, an economic-espionage incident costs a strategy.
- Running an exposure audit only once. A two-year-old audit is wrong: new leaks, new filings, new photos. The cycle is six months, three for highly exposed profiles.
Actionable checklist
- N1 Two hardware FIDO2 keys on email and critical accounts (drop SMS)
- N1 Turn off geolocation on public posts and audit your logged-out LinkedIn
- N1 Written rule: no wire or access approved on the strength of an email, call or video call alone
- N2 Out-of-band wire verification procedure, applied even to requests from the executive
- N2 Work device dedicated to sensitive matters (M&A, litigation, personal data)
- N2 Lock the personal number against SIM swap with the carrier
- N2 Executive assistant trained and equipped to the same security standards
- N2 Shared verbal passphrase exchanged out-of-band for sensitive operations (anti-deepfake)
- N3 Personal OSINT exposure audit, once or twice a year, by a third party
- N3 Clean travel device and a 15-minute briefing before any risk region
- N3 Quarterly tracking of the share of exposed profiles covered by the three baseline measures
Further reading
The official references are in the frontmatter: the FBI IC3’s BEC statistics give the real scale of CEO fraud, ANSSI’s recommendations frame multi-factor authentication for sensitive profiles, and the ENISA threat landscape situates the executive in the European picture.
This article applies a broader principle to a particular profile: your external exposure precedes any attack, and the executive is its prime target. To map what’s already public about you, start with The exposure audit. To durably separate your identities and channels, see Identity compartmentation. And to frame the travel of your exposed profiles without falling into documentary theatre, read Corporate travel policy.
Sources and further reading
- FBI IC3 — Business Email Compromise Statistics [official]
- ANSSI — Recommendations on multi-factor authentication [official]
- ENISA Threat Landscape [official]