The executive floor as a phishing victim: a study confirms the risk

2025-06-17

Author: Jan Tissler

First publication date: 04.10.2023

Managers remain preferred targets

A report by Hoxhunt from 2025, which analyzed 50 million phishing simulations and real attacks, confirms this: Executives are significantly more likely to click on malicious content than employees - a human risk factor that remains.

An investigation by the Financial Times also confirms the rise in AI-generated spear phishing attacks on executives: hyper-personalized, credible emails that easily bypass traditional filters.

While managers used to be around four times more likely to fall victim to phishing than employees (Ivanti, 2023), this gap has barely narrowed: the global baseline click rate in simulations fell by only half a percentage point in 2024-2025 and remains at a high level of around 30-34%.

AI-supported attacks increase the risk

The development of phishing is increasingly being driven by AI:

  • AI-generated voice deepfakes convincingly imitate the voices of C-level executives on calls.
  • AI-based emails, barely distinguishable from real messages, achieve click rates of up to 54% - well above the average of conventional attacks.
  • Quishing (phishing via QR codes) and LLM-supported spear phishing achieve similarly high success rates, in some cases over 30% interaction.
  • Managers - accustomed to urgency and information overload - remain the preferred victims of "trust & authority" tactics.

Consequences: From data theft to millions in losses due to ransomware

Phishing is often the gateway to more serious attacks:

  • Business Email Compromise (BEC) - targeting C-level senders - causes an average of USD 4.67 million in damage per incident; global losses from BEC since 2013 have totaled over 55 billion USD.
  • Ransomware infections via phishing are on the rise: 32-35% of all ransomware variants are distributed via phishing channels.
  • The average cost per ransomware attack is now USD 5.13 million (2024) and is expected to rise to USD 5.5-6 million.
  • The total cost of ransomware worldwide is estimated to reach 57 billion USD per year.

In addition to data encryption, these losses also include system failures (an average of USD 53,000 per hour), recovery costs, reputational damage, possible fines and the loss of customers.

Recommendations for more resilience

These measures make spear phishing and whaling harder:

1. Specific training & simulations for managers

Standard training courses are not enough. Modern programs must include AI-supported simulations that realistically simulate deepfakes, quishing and BEC.

2. Psychological sensitization & questioning self-confidence

Combat overconfidence ("I recognize phishing") with behavioral science-based measures - to close the gap between perceived and actual vulnerability.

3. Advanced technical controls & behavioral analysis

Use UEBA (User & Entity Behavior Analytics) to detect anomalies. Use post-delivery threat detection tools that rely on behavioral patterns instead of just signatures (e.g. Cofense).

4. Stronger BEC defense measures

Introduce multi-factor authentication for high-risk communication. In addition, call-back protocols should become mandatory for bank transfers.

5. Oversight at management board level

Cybersecurity needs support from the very top: 72% of IT service providers will increase their security budgets in 2025. Explicit support from top management correlates measurably with better results.

6. External audits & compliance alignment

Regular, independent audits and alignment with NIS2/DORA or national standards are essential.

7. Ransomware prevention instead of ransom payment

As ransomware payments continue to be widespread, companies need to focus more on prevention: Incident response, backups, cyber insurance and segmented recovery plans are critical.

Conclusion

Phishing remains the number one gateway for cyber attacks. The threat of hyper-targeted, AI-supported campaigns against executives continues to grow - as does the financial damage: millions lost per incident and sharply rising ransomware costs.

As budgets increase, strategic, AI-sensitive training combined with behavioral analytics and board-level support is becoming more important than ever.