Kudos! CEO Reveals He Got Phished

Roger Grimes

The other day I was participating in a company’s employee meeting when the CEO revealed he had been “caught” that morning by a real phishing attack email. 

It wasn’t even a particularly tricky one. It was something he and anyone else should have easily caught. He was just distracted, or it was just the right phishing pitch at the right time.

Either way, he clicked on the included rogue link. He immediately recognized the error and appropriately reported it. 

I was amazed! This CEO didn’t let his ego get in the way. He immediately told everyone in the company he had been successfully phished and that he had reported it. He didn’t make excuses. He didn’t appear embarrassed. He was just a human being human. 

How I wished more CEOs had the same sort of leadership. 

This is a CEO leading by example, showing that he, too, is susceptible to phishing attacks. He then told everyone that he had reported it and that the IT security folks were appropriately responding. It was a wonderful, teachable moment. 

When a CEO or other respected person in your organization shares that they were successfully phished, I think it does a bunch of good things. First, it shows to all employees that anyone is susceptible. Fighting phishing isn’t simply a matter of intelligence, common sense or smarts. Anyone is susceptible to the right phishing attack at the right time.

This isn’t to say that CEOs are innately brilliant. Many aren’t. But I think most people would agree that it does take something special to become a CEO of a successful company, leading lots of other people…and even people with that special skill set are susceptible to phishing. 

I was an employee at another company years ago where one of the most truly brilliant people in the company, a person respected for their smarts and thought leadership around the world, had fallen to a real-world phishing attack. 

It was a spear phishing attack. According to Barracuda Networks, even though spear phishing attacks make up less than 0.1% of all email attacks, they account for 66% of successful data breaches. 

The phisher had taken over another company’s email account and found an ongoing thread about a project the two parties were frequently exchanging messages over. The attacker then replied in that thread, keeping the same subject line, with a booby-trapped document attached. The recipient, the brilliant fellow, opened the document, but was surprised to see that it really didn’t have anything to do with the project.

He closed the email confused as to why the sender had sent it to him. A few hours later, on Super Bowl day no less, the strange message started to bother him. He worried that he might have been the victim of a phish. So, he reported it. And sure enough, it was a real phishing message and it had successfully placed malware on his system. But the attacker had not yet been able to take advantage of their success. The company’s IT team removed it before more damage could be done.

That company made that example a core part of their annual security awareness video that year. It was, like the CEO example above, one of the best examples to share with the rest of the company, for the same reasons. 

The second lesson these examples teach, beyond the fact that anyone can be susceptible, is to report it (appropriately, per your organization’s policies), even if you aren’t sure, and even if you only reach that conclusion later. Better late than never. Many ransomware groups that gain initial access to a company don’t use that access for days, weeks or even months, so a late report can still arrive before the real damage is done. 

Overall, I think that when a company’s best and brightest publicly report (at least to their employees) that they, too, fell victim to a phishing attack, it shows how committed the company is to stopping social engineering and phishing attacks. It says, “We are all in this together!” and that smarts and egos need to be set aside. Few things say more about the company and its leadership’s commitment to fighting phishing. 

If your company’s CEO gets phished and shares it, consider yourself in a great place that cares more about decreasing cybersecurity risk than protecting leadership’s self-esteem. 
