Real-world examples of executives being targeted due to online personal information

This post has been modified to reflect new information since its original publication.

One of the biggest emerging threats to executive teams is the ready availability of personal information online. Details about your executives’ daily lives, such as where they live and what they do online and in real life, make them 9 times more likely than the average person to be targeted by scammers, criminals, and other bad actors.

In light of this new threat vector, you need to expand your executive protection strategy to include securing your team’s online privacy. Failing to do so will expose your executives to digital and physical harm.

Below are some of the top threats a lack of online privacy poses to your executives, including real-world examples of executives being targeted.

Online harassment

All it takes to become the focus of harmful online attacks in today’s digital environment is for someone to post the “wrong” opinion about a controversial topic. Since executives tend to have public profiles, they are especially vulnerable to online retaliation in the form of death threats, doxing, insults, or spam. In fact, according to a Proofpoint study, 84% (PDF) of the top 25 Fortune 500 CEOs experienced hate speech and threats on the dark web and Twitter.

For example:

Tuhina Singh—The CEO of the Singaporean tech firm Propine was doxxed, insulted, and threatened by an outraged online mob after people mistakenly identified her as a woman arrested for refusing to wear a facemask. Footage of the incident quickly went viral, spurring increasing numbers of social media users to post her phone number, her pictures, her email address, and the names of people she worked with.

Marissa Mayer—The ex-Yahoo-CEO’s abuser, Gregory Calvin King, was arrested for sending her more than 20,000 Twitter messages in 2010. Upon his release from prison, he immediately sent her 60 more messages.

Clarissa Windham-Bradstock—The CEO of AnyLabTestNow, was harassed online by a former vendor who wanted revenge when the company stopped using his services. Initially, the perpetrator posted negative things about Ms. Windham-Bradstock on an online forum. He then set up a fake Facebook profile to disparage her. The profile, which used Ms. Windham-Bradstock’s picture and a slightly altered version of her name, contained her home address and the names and pictures of her children.

Stalking

Your executive team’s responsibilities most likely include making public appearances, doing media interviews, and—increasingly—being active on social media. This puts them at higher risk of drawing the attention of ex-employees looking for revenge or of disturbed individuals looking for someone to fixate on.

If a stalker does target a member of your team, it is often trivially easy to find personal information online—a home address or a daily schedule—that allows the stalker to get dangerously close.

Here are some real-world examples:

Tim Cook—In 2019, Rakesh (Rocky) Sharma found Apple CEO Tim Cook’s address and used it to stalk him. He rang Cooks’ doorbell, tagged him in lewd pictures on Twitter, and even entered his home to leave champagne and flowers. Mr. Sharma also left voicemails for other Apple executives, claiming he knew where they lived and threatening gun violence.

Mark Zuckerberg—Pradeep Manukonda sent the Facebook CEO numerous threatening messages, including one that states “please help me, then I am ready to die for you.” He was later arrested attempting to enter Zuckerberg’s home—11 days after the online media company, Gawker, posted an extensive array of pictures of the residence.

Kidnapping

Kidnapping executives is such a common practice that over 75% of Fortune 500 companies have K&R (kidnapping and ransom) insurance policies. Unfortunately, the more personal data kidnappers can find online about your executives, the easier it is to mount a successful attack.

Here are some examples of executives being kidnapped:

Pavel Lerner—The CEO of a British Bitcoin exchange was kidnapped in 2017 and forced to pay a $1 million ransom in Bitcoin. Pavel’s kidnappers learned enough about his travel plans to ambush him and push him into a waiting car.

Elton Bryson Stephens Jr.—In 2020, the CEO of EBSCO Industries was kidnapped and robbed by Matthew Amos Burke and Tabatha Nicole Hodge, who had entered his house while he was sleeping. They took him to a trailer, where they made him transfer $250,000 to their bank account.

Spear phishing

Executives are perfect targets for social engineering scams like spear phishing given their decision-making power and access to sensitive information. The more detailed personal information appears about your leadership team online, the easier it is for scammers to manipulate them into granting backdoor access to company systems or conducting fraudulent financial transfers.

Some examples of spear-phishing attacks include:

• VP of compliance for a US-based finance firm—As part of a penetration test, security company CyberX sent emails to high-level employees, asking them to fill out a questionnaire for a feature in The Wall Street Journal. After a VP clicked the link in the email, the CyberX team was able to bypass the executive’s two-factor Authentication with a simple phone call and gain access to the business’s CRM system, which contained all of its customers’ credentials.

• Cofounders of an Australian hedge fund—Michael Brookes and Michael Fagan accepted a fake Zoom meeting invitation. By doing so, they unknowingly downloaded malware onto the company’s network, which allowed cybercriminals to gain control of the firm’s email systems. The hackers then composed fraudulent invoices from multiple real corporations and spoofed approvals for over $8 million in payments for the phony invoices.

Impersonation

Impersonation, also called CEO fraud or business email compromise (BEC), is another social engineering tactic cybercriminals use to target your leadership team to steal money or data. In these cases, scammers send spoofed or fake messages that appear to be from a CEO or other C-level executive to trick other employees into taking wiring money, sharing protected data, or doing something else to benefit the attacker. All an attacker has to do is look online to find lists of executives’ email accounts for sale.

According to the FBI, impersonation scams cost businesses more than $1.7 billion annually.

Here are some recent examples:

• British energy company—In this impersonation attack, the scammer used artificial intelligence to imitate the voice of the CEO’s boss. The imitation was so successful that the CEO willingly did as his “boss” requested, transferring $243,000 of the company’s money into the scammer’s bank account.

• Texas energy firm—A CEO’s executive assistant paid a $3.2 million fake invoice sent by hackers pretending to be the CEO. This attack worked because the criminals had built trust by mentioning personal details they had found on social media about the CEO’s involvement with his daughter’s soccer team.

• Chinese plane parts manufacturer FACC—This company lost nearly $60 million in a so-called “CEO fraud scam” in which scammers impersonated high-level executives and tricked employees into transferring funds.

• The Toyota Boshoku Corporation—In 2019, scammers used an email from a compromised account to convince an unnamed finance executive to transfer $37 million to their bank account instead of the correct account.

For more information

As you can see from these examples, a lack of online privacy can leave your leadership team vulnerable to fraud, abuse, and even physical danger. This makes reducing the size of their digital footprint a key goal of any comprehensive executive protection plan.

To learn more about how to minimize your team’s online exposure, give us a call. We are happy to offer free advice on the best way to lock down your executives’ online privacy. We also offer corporate privacy solutions that can automate the process for you.