Why Your Executives Are Your Biggest Phishing Risk (And How to Train Them Without Pushback)

Articles

Written by

Brightside Team

Published on

In January 2024, a finance employee in the Hong Kong office of the engineering firm Arup joined what seemed like a routine video call with the CFO and several senior colleagues. The participants looked right. They sounded right. They discussed a real business matter. He authorized 15 wire transfers totaling $25.6 million. Every other person on that call was a deepfake.

Six months later, a Ferrari executive received WhatsApp messages and a voice call from someone who sounded exactly like CEO Benedetto Vigna. The caller asked for urgent help with a confidential transaction. Before complying, the executive asked a personal question only the real Vigna would know. The caller hesitated. The fraud was stopped.

Two incidents. One organization lost $25.6 million. The other lost nothing. The difference came down to one thing: whether the targeted person had the instinct and confidence to verify. That instinct comes from training. And training only works if the people with the most authority, access, and financial control are actually included in it. Most aren't included at all.

Executives Are the Target, Not the Exception

There's a persistent assumption in security programs that executive training is a nice-to-have, something to pursue once general employee coverage is solid. That assumption gets the risk model exactly backwards.

Executives hold what attackers want. They approve wire transfers, vendor contracts, and HR data requests. They have authority that bypasses normal approval chains. A successful attack on a CFO or COO can accomplish in one conversation what would require compromising dozens of lower-level accounts otherwise.

Their professional visibility makes them easy to profile. C-suite names, roles, reporting lines, and organizational structures are documented on company websites, LinkedIn, regulatory filings, and press releases. Earnings calls capture the CEO's voice, conferences capture their face, and media interviews provide both. Attackers use exactly this material to build the personalized spear-phishing emails and voice simulations that make modern attacks so effective.

AI has lowered the barrier significantly. The open-source intelligence that training platforms draw on to generate realistic simulations is the same material attackers use to build convincing impersonations. The tools are accessible, the source material is public, and the potential payoff is enormous.

The Verizon 2025 Data Breach Investigations Report analyzed 22,052 security incidents and consistently identified social engineering and phishing as the most persistent attack patterns across industries, with the human element remaining the critical factor in the majority of breaches. Proofpoint's 2025 Voice of the CISO report found that 67% of CISOs feel personally accountable when a cyber incident occurs. That accountability is hard to defend when the people most targeted by attackers are the ones exempted from training.

The Real Cost of Skipping Executive Training

The risks fall into four categories, and none of them are technical.

Financial exposure is the most immediate. The Arup incident resulted in $25.6 million in losses from a single deepfake video call. In March 2025, a Singapore firm lost $499,000 in a similar deepfake Zoom call. These aren't theoretical scenarios from threat reports. They're documented cases involving real organizations, real employees, and real financial consequences that weren't recovered.

Regulatory liability is becoming a board-level governance issue. NIS 2 Directive Article 20 requires management body members to personally approve cybersecurity risk management measures and undergo cybersecurity training. In the EU, member states may hold management body members personally liable for non-compliance, including temporary bans from management functions for essential entities. Organizations operating under NIS 2, DORA, or equivalent frameworks cannot legally exempt executives from their security training obligations.

Reputational risk is harder to quantify but real. High-profile incidents involving executive-level fraud attract regulatory attention, media coverage, and investor concern, particularly for publicly listed organizations. The Ferrari case avoided this outcome because one executive applied a verification instinct in the moment. That instinct doesn't come naturally. It's trained.

The cultural signal may be the most corrosive long-term effect. When executives are visibly excluded from training programs, it tells everyone else that security is a compliance burden for staff rather than a shared leadership responsibility. Security practitioners widely report that this dynamic undermines the broader culture that training programs are designed to build.

Why Executives Push Back (And Why Some of Their Objections Are Valid)

Before you can address resistance, you need to understand it honestly. Executive pushback on security training usually comes from one of five places.

  • "I'm too busy." This is often a legitimate objection to the format, not the principle. Annual e-learning modules and hour-long phishing courses are a real time drain. Many executives have sat through generic cybersecurity content that wasn't relevant to their role and concluded, reasonably, that it wasn't worth their time.

  • "I already know this." Many executives have attended general security briefings and conflate broad awareness with actual readiness. There's a meaningful difference between knowing that phishing exists and being able to recognize a live AI-generated voice call as fraudulent in real time.

  • "This won't happen to me." Overconfidence is a well-documented barrier to risk perception. In cybersecurity specifically, the belief that one is too experienced to be deceived is most common among people who haven't been exposed to a realistic simulation. It's not arrogance — it's the absence of evidence.

  • "It's an IT problem." The legacy view that cybersecurity is a technical domain, not a leadership responsibility. NIS 2 Article 20 has made this position legally untenable in the EU, but the cultural assumption persists in many organizations.

  • The political reality for CISOs. Mandating training for people who outrank you creates friction. Proofpoint's 2025 Voice of the CISO report found that 66% of CISOs face excessive expectations from leadership while simultaneously navigating budget and resource constraints. In that environment, confrontational approaches to executive training don't survive contact with organizational politics.

Understanding these objections doesn't mean accepting them. It means choosing approaches that address them directly rather than pushing against them.

A Six-Step Framework for Executive Training That Actually Works

1. Lead with business risk, not technical threat.

The moment you frame executive training as a cybersecurity matter, you've already lost part of the audience. Frame it in the terms executives already track: financial exposure, personal liability under NIS 2 Article 20, and reputational risk. Use the Arup and Ferrari incidents as business case studies — not as cautionary tales from the IT department, but as documented governance failures and risk management decisions. Executives respond to financial and governance framing. They disengage from technical threat descriptions.

2. Match the format to executive reality.

Cognitive science research supports training modules of 5 to 10 minutes as the optimal length for focused adult learning — the window where attention peaks before declining. That's the format that fits executive schedules and actually works. Content should be role-specific: CEO fraud and wire transfer approval scenarios for finance approvers, deepfake video call recognition for anyone who authorizes transactions, spear-phishing scenarios personalized to the executive's actual role and organizational context. Not generic password hygiene content that has nothing to do with how they actually work.

3. Show them the real attack before you explain the defense.

Descriptions of threats don't move people. Experiencing them does. An AI-conducted vishing call, using a cloned voice that sounds like a trusted colleague or vendor and adapting dynamically to whatever the executive says in response, is more persuasive than any slide deck or risk briefing. Many security leaders report that a single realistic simulation failure eliminates months of resistance. The Arup attackers built their deepfakes from publicly available video and audio of the people they impersonated, including conference and meeting recordings. Training that doesn't reflect that level of personalization doesn't prepare executives for what they'll actually face.

4. Frame it as competitive intelligence, not compliance.

Executives engage with strategic framing. Presenting a simulated deepfake CEO call as a compliance exercise lands differently than presenting it as "here is the exact method being used against financial services firms in your peer group right now." Position the training as intelligence about how attackers specifically profile and target organizations of your size, industry, and leadership structure. That framing converts a perceived obligation into a perceived advantage.

5. Secure sponsorship before you launch.

Getting visible endorsement from the CEO, General Counsel, or board audit committee before rolling out executive simulations changes the political dynamic entirely. When the program is framed as a governance initiative rather than an IT request, the organizational friction drops. According to Heidrick & Struggles' 2025 Global CISO Compensation Survey, 42% of CISOs now report directly to the CEO — triple the proportion from the previous year. For those CISOs, this sponsorship is increasingly accessible. For those who report to a CTO or CFO, securing endorsement at that level is the practical equivalent.

6. Use simulation data, not advocacy, to make the case.

If an executive pushes back, a documented simulation failure is the most credible argument available. Present it privately. Frame it as "here is precisely how an attacker would target someone in your role, and here is what made this specific attempt convincing." Proofpoint's 2025 Voice of the CISO report found that business valuation has become boards' top concern following a cyberattack. Connecting simulation results directly to that concern — showing how a single successful vishing call against the CFO translates to financial exposure the board is already tracking — is more effective than months of general advocacy.

Top 5 AI-Powered Security Training Platforms for Executive Protection

The framework above describes how to run executive training. Choosing the right platform is a different problem. Most legacy tools weren't built to deliver the simulations executives actually need — voice calls, deepfake video conferences, and hybrid multi-step attacks are far outside what standard email phishing templates can replicate. Here's how the leading platforms compare on the capabilities that matter most.

1. Brightside AI

Best for: Organizations that need self-serve, multi-vector executive simulations, including live AI vishing calls and voice cloning in a single platform.

Brightside AI is an award-winning Swiss cybersecurity awareness platform built for the AI threat era. Its vishing simulator runs fully live, adaptive AI phone calls with configurable social engineering tactics (authority impersonation, fear and urgency, pretexting, commitment escalation) alongside customizable caller personas and executive voice cloning from a 1 to 2 minute voice recording. Admins can also run hybrid attacks that combine a vishing call with a coordinated phishing email in a single workflow – the exact multi-step format used in real CEO fraud and BEC campaigns. Phishing simulations use AI-powered OSINT spear-phishing, automatically personalizing scenarios to each executive's role, department, tools, and tenure. Starting from €0.5/user/month.

Key capabilities for executive training:

  • Live adaptive AI vishing calls (self-serve recurring campaigns, not a managed demo)

  • Custom voice cloning for executive impersonation scenarios

  • Hybrid voice and email attack campaigns in a single workflow

  • AI-powered OSINT spear-phishing personalized to role and profile

  • Deepfake video simulation coverage

  • NIST Phish Scale alignment for difficulty calibration

  • Automatic follow-up training triggered on simulation failure

2. KnowBe4

Best for: Large enterprises prioritizing compliance documentation, content breadth, and Human Risk Management at scale.

KnowBe4 is the world's largest security awareness training platform, used by more than 70,000 organizations globally. It has repositioned around Human Risk Management, with AI Defense Agents and behavior-based intelligence that continuously adapt training to individual employee risk profiles. Its training content library and compliance reporting make it the default choice for enterprises with mature compliance programs. For executive training, it offers AI-driven spear-phishing personalization and role-based targeting. Vishing simulation comes in two forms: voicemail-style simulations (VST) from the Gold tier, and Callback Phishing, an email-triggered inbound call scenario, at Diamond tier only. Neither is a live adaptive AI conversation. Deepfake simulation is not a feature of the platform. Enterprise pricing, contact sales.

Key capabilities for executive training:

  • AI-powered spear-phishing personalization

  • Role-based targeting and segmentation

  • Human Risk Management dashboard with behavioral risk scoring

  • Compliance reporting for board-level documentation

  • Vishing: voicemail simulations from Gold tier; Callback Phishing at Diamond tier only

  • No live adaptive AI call capability

  • No deepfake video simulation

3. Hoxhunt

Best for: Organizations that want broad multi-vector simulation coverage, including vishing, voice cloning, and deepfake, delivered through an adaptive, gamified engagement model.

Hoxhunt's adaptive engine delivers phishing simulations that adjust difficulty based on each employee's prior performance, paired with positive reinforcement mechanics, like points, streaks, leaderboards, designed to sustain long-term engagement. It integrates natively with Microsoft 365, Outlook, Azure AD, and Defender, making it easy to deploy in Microsoft-centric environments. For executive training, Hoxhunt covers a broader threat surface than its gamification-focused reputation might suggest: the platform supports vishing simulation, live adaptive AI calls, voice cloning for impersonation scenarios, and deepfake video simulation. Multi-channel attack coverage extends to Microsoft Teams and Slack alongside email. Enterprise pricing, contact sales.

Key capabilities for executive training:

  • Adaptive simulation difficulty calibrated to individual performance

  • Gamified engagement model built for sustained organization-wide participation

  • Vishing simulation supported

  • Live adaptive AI calls supported

  • Voice cloning for executive impersonation scenarios

  • Deepfake video simulation supported

  • Multi-channel coverage: email, Microsoft Teams, Slack

  • Native Microsoft 365 integration

4. Jericho Security

Best for: Organizations in high-risk industries that need AI-native simulations across internal teams and external vendor relationships.

Jericho Security is one of the most technically advanced AI-native platforms in the market, trusted by the US Government and backed by $20 million in funding and a DoD contract. The platform uses dark web intelligence to build simulations that mirror genuine attacker reconnaissance, generating personalized spear-phishing, vishing, SMS, and deepfake scenarios that escalate in difficulty over time. A notable differentiator for executive training is coverage of external vendor simulation, testing employees against fake third-party vendors and suppliers, which is a common CEO fraud entry point. Live adaptive AI calls and voice cloning are core capabilities. Enterprise pricing, contact sales.

Key capabilities for executive training:

  • Live adaptive AI vishing calls

  • Voice cloning for executive impersonation

  • Deepfake video simulation

  • SMS/smishing simulation

  • Dark web intelligence for simulation personalization

  • External vendor impersonation simulation

  • Automatic difficulty escalation per individual

5. Proofpoint Security Awareness

Best for: Organizations using Proofpoint for email security that want AI-automated, threat-informed simulations built from real attacks hitting their environment.

Proofpoint's platform has evolved with the Satori Phishing Simulation Agent, which automatically deploys simulations using AI-guided, threat-informed recommendations, and the AI ThreatFlip Workflow, which converts real phishing emails caught by Proofpoint into live training simulations. The People Risk Explorer surfaces individual risk profiles and directs training toward the highest-risk employees. Proofpoint's tightest value proposition is in environments where email threat intelligence flows directly into simulation generation, though the platform is positioned as a standalone behavior change tool as well. Vishing is not a core documented feature of the platform. Enterprise pricing, contact sales.

Key capabilities for executive training:

  • Satori Phishing Simulation Agent (AI-automated, threat-informed simulations)

  • AI ThreatFlip Workflow (converts live phishing emails into training)

  • People Risk Explorer for role-based risk targeting

  • SMS/smishing simulation

  • Real threat intelligence integration

  • Vishing not a core documented feature

  • No live adaptive AI call capability

Feature Comparison

The comparison covers Brightside AI, KnowBe4, Hoxhunt, Jericho Security, and Proofpoint. Each row lists what the platform profiles above state; where a platform isn't named for a row, its profile doesn't address that capability either way.

  • Email phishing simulation: all five platforms

  • AI-powered OSINT spear-phishing: Brightside AI ✅

  • Self-serve vishing (recurring): Brightside AI ✅; KnowBe4 △ Gold/Diamond tier; Hoxhunt ✅; Jericho Security ✅; Proofpoint △ Not a core feature

  • Live adaptive AI calls: Brightside AI ✅; KnowBe4 ❌; Hoxhunt ✅; Jericho Security ✅; Proofpoint ❌

  • Voice cloning: Brightside AI ✅; Hoxhunt ✅; Jericho Security ✅

  • Hybrid voice + email attack: Brightside AI ✅; KnowBe4 △ Diamond tier only; Hoxhunt △ Email + Teams/Slack combos

  • Deepfake simulation: Brightside AI ✅; KnowBe4 ❌; Hoxhunt ✅; Jericho Security ✅

  • SMS/smishing simulation: Jericho Security ✅; Proofpoint ✅

  • Automatic follow-up training: Brightside AI ✅

  • Live threat intel → simulation: Jericho Security ✅ (dark web); Proofpoint ✅ (ThreatFlip); partial on one of the other platforms

  • NIST difficulty alignment: Brightside AI ✅

  • Pricing: Brightside AI from €0.5/user/mo; KnowBe4, Hoxhunt, Jericho Security, and Proofpoint on enterprise pricing

Frequently Asked Questions

Can I legally run phishing and vishing simulations on executives without telling them in advance?

In most jurisdictions, employers can conduct simulated security tests without prior individual notice as part of a legitimate security training program, provided the testing is proportionate, documented in HR or security policy, and not used for punitive disciplinary action. In the EU and UK specifically, organizations should include simulation testing in their data processing documentation and carry out a Data Protection Impact Assessment if individual-level behavioral data is retained over time; in member states with works councils, such as Germany, the council will usually need to be consulted before behavioral testing of employees is introduced. Cloning a real executive's voice for a simulation also needs that executive's documented consent. Requirements vary by jurisdiction, and legal review is advisable before launching executive simulations in regulated industries or across multiple geographies.

What if an executive fails a simulation and reacts badly?

Framing matters more than the result. Before any simulation program launches, executives should understand its purpose (not the specific timing): this is about organizational risk reduction, not individual evaluation. When a failed simulation is presented privately as "here is precisely how an attacker would target someone in your role, and here's what made this attempt convincing," most executives engage constructively. The Ferrari incident is useful here: even a near-miss, framed correctly, becomes a learning moment rather than a source of embarrassment.

How long should executive security training actually take?

Cognitive science research identifies 5 to 10 minutes as the optimal length for focused adult learning, the window where attention peaks before declining. Executive micro-modules should target this range and cover a single scenario or attack type per session. Beyond the micro-modules, an annual 30 to 45 minute strategic briefing covering the threat landscape, recent real-world incidents relevant to your industry, and organizational exposure is valuable at the board level, delivered by the CISO directly rather than through an e-learning platform.

How is executive training different from what we already run for all employees?

Standard all-employee training covers broad hygiene (password management, general phishing recognition, device security) using generic simulation templates. Executive training needs to be role-specific and simulation-driven: CEO fraud and wire transfer approval scenarios for finance approvers, deepfake video call recognition for anyone who authorizes transactions, spear-phishing personalized to the executive's actual public profile and organizational role. The Arup attackers built their deepfakes from publicly available video and audio of the people they impersonated. Training that doesn't reflect that level of personalization doesn't prepare executives for the real threat.

What data should I use with individual executives versus what I report to the board?

These serve different purposes and should never be conflated. Individual simulation failure data (which executive failed which simulation, what tactic succeeded) is appropriate only for private, one-on-one follow-up conversations with the executive themselves, framed as personalized coaching. Board-level reporting should always use aggregate cohort data: the executive population's overall risk score trend, failure rate movement over time, comparison against organization-wide benchmarks. Executive cohorts are small, so even an aggregate can point at one person when the cohort is only a handful of people; set a minimum cohort size below which a figure is not reported at all. Exposing individual failure results to the full board erodes the trust you need to sustain the program long term.
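As an added illustration (not code from Brightside AI or any platform named above), the following Python keeps the two views apart: a private coaching view keyed to one executive, and a board report that carries only per-period failure rates, the organization-wide benchmark, and the gap between them, with any period drawn from fewer than a minimum number of distinct people suppressed. The record layout, the MIN_COHORT threshold of 5, and all sample results are constructed for the example.

```python
"""Two views of the same simulation data: private coaching per executive and
aggregate-only reporting for the board. Added example; the record layout,
cohort threshold and every result below are constructed, not platform output."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    period: str   # reporting window, e.g. "2025-Q1"
    cohort: str   # population the target belongs to: "exec", "board", "staff"
    person: str   # pseudonymous id; must never appear in the board report
    vector: str   # "vishing", "email" or "hybrid"
    tactic: str   # social-engineering lever the simulation used
    failed: bool  # True if the target complied with the lure


# Constructed sample results (assumed data for the example).
RESULTS = [
    SimResult("2025-Q1", "exec", "exec-01", "vishing", "authority", True),
    SimResult("2025-Q1", "exec", "exec-02", "vishing", "urgency", False),
    SimResult("2025-Q1", "exec", "exec-03", "hybrid", "pretext", True),
    SimResult("2025-Q1", "exec", "exec-04", "email", "urgency", False),
    SimResult("2025-Q1", "exec", "exec-05", "vishing", "authority", False),
    SimResult("2025-Q1", "exec", "exec-06", "email", "pretext", False),
    SimResult("2025-Q2", "exec", "exec-01", "vishing", "authority", False),
    SimResult("2025-Q2", "exec", "exec-02", "hybrid", "urgency", False),
    SimResult("2025-Q2", "exec", "exec-03", "vishing", "pretext", True),
    SimResult("2025-Q2", "exec", "exec-04", "email", "authority", False),
    SimResult("2025-Q2", "exec", "exec-05", "vishing", "urgency", False),
    SimResult("2025-Q2", "exec", "exec-06", "email", "pretext", False),
    # A three-person board cohort: too small to report on its own.
    SimResult("2025-Q1", "board", "board-01", "vishing", "authority", True),
    SimResult("2025-Q1", "board", "board-02", "vishing", "urgency", False),
    SimResult("2025-Q1", "board", "board-03", "email", "pretext", False),
]
# Eight staff per period as the organization-wide benchmark:
# 3 of 8 fail in Q1, 2 of 8 in Q2.
RESULTS += [SimResult("2025-Q1", "staff", f"staff-{i:02d}", "email", "urgency", i <= 3)
            for i in range(1, 9)]
RESULTS += [SimResult("2025-Q2", "staff", f"staff-{i:02d}", "email", "urgency", i <= 2)
            for i in range(1, 9)]

MIN_COHORT = 5  # assumed threshold: no rate is reported from fewer distinct people


def coaching_view(results, person):
    """Private one-on-one view: only this person's failures, with the vector
    and tactic that worked, so the follow-up conversation is specific."""
    return [{"period": r.period, "vector": r.vector, "tactic": r.tactic}
            for r in results if r.person == person and r.failed]


def _failure_rate(rows):
    return round(sum(r.failed for r in rows) / len(rows), 3)


def cohort_trend(results, cohort, min_cohort=MIN_COHORT):
    """Failure rate per period for one cohort. A period built from fewer than
    min_cohort distinct people is suppressed (None) rather than reported."""
    by_period = defaultdict(list)
    for r in results:
        if r.cohort == cohort:
            by_period[r.period].append(r)
    trend = {}
    for period in sorted(by_period):
        rows = by_period[period]
        people = {r.person for r in rows}
        trend[period] = _failure_rate(rows) if len(people) >= min_cohort else None
    return trend


def org_trend(results):
    """Organization-wide failure rate per period: the benchmark the board tracks."""
    by_period = defaultdict(list)
    for r in results:
        by_period[r.period].append(r)
    return {p: _failure_rate(by_period[p]) for p in sorted(by_period)}


def board_report(results, cohort="exec", min_cohort=MIN_COHORT):
    """Aggregate-only report: cohort rate, org-wide rate and the gap between
    them. Carries no person identifiers and no rate for a suppressed period."""
    org = org_trend(results)
    report = {}
    for period, rate in cohort_trend(results, cohort, min_cohort).items():
        report[period] = {
            "cohort_rate": rate,
            "org_rate": org[period],
            "delta_vs_org": None if rate is None else round(rate - org[period], 3),
        }
    return report


def leaks_identifiers(report, results):
    """Guard to run before a report leaves the security team: does any
    pseudonymous id from the raw data appear anywhere in the report?"""
    blob = repr(report)
    return any(r.person in blob for r in results)
```

With this data the executive cohort reads 0.333 in Q1 and 0.167 in Q2 against an organization-wide 0.353 and 0.214, the three-person board cohort is suppressed rather than reported, and the coaching view for one executive lists only that person's own failed scenarios. The `leaks_identifiers` guard is the check worth keeping in any export path to the board pack.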

What's the best way to get buy-in from a CFO or CTO who's actively resisting?

Request 10 minutes to run a demonstration, not deliver a briefing. Use a live vishing simulation tool to conduct a simulated call against a willing participant (a security team member or a colleague from another department) with the resistant executive watching in real time. A live AI-conducted call that uses a cloned voice and adapts dynamically to whatever the participant says is more persuasive than any threat report or compliance document. The Ferrari incident shows that even a well-informed executive can be drawn in, at least for a moment, by a good enough voice clone. Experiencing that vicariously often closes the buy-in gap that months of advocacy can't.

The Bottom Line

The finance employee at Arup wasn't careless. Neither was the Ferrari executive who nearly acted on a fraudulent request. They were operating without training that matched what they actually faced.

The question worth asking before your next board meeting: has anyone on your executive team ever experienced a live AI voice call designed to manipulate them? If not, they haven't been tested for the threat that's actively targeting them.