ANALYSIS

The Reconnaissance Phase: Why Whaling Attacks Start With Your Data Broker Listings

Business email compromise is the most expensive category of cybercrime the FBI tracks. In 2024, the IC3 recorded 21,442 BEC complaints with adjusted losses exceeding $2.77 billion — more than ransomware, more than data breaches. In 2025, total reported cybercrime losses reached $20.8 billion, with BEC and investment fraud leading the figures.

Corporate security teams respond to this with email gateway filtering, zero-trust architecture, and endpoint detection. These controls intercept payloads. They do not address the phase that makes the payload credible. For a wider view of how executive digital exposure enables these attacks, see our Executive Digital Privacy hub.

A targeted whaling attack — BEC aimed specifically at a C-suite executive or board member — succeeds or fails based on the quality of the pretext. The pretext is built during the reconnaissance phase, using open-source intelligence. If the reconnaissance returns thin or outdated information, the pretext fractures under scrutiny and the attack fails.

This means the most effective countermeasure against whaling is not a better email filter. It is reducing the raw material available to the attacker. The Executive Exposure Checklist is a practitioner self-diagnostic across the ten reconnaissance surfaces where that raw material typically lives.

How Pretexts Are Built

A well-constructed whaling pretext does not rely on urgency alone. It relies on context — details specific enough that the recipient does not question the sender’s identity.

The CrowdStrike 2026 Global Threat Report found that 82% of threat detections are now malware-free. Adversaries do not need to write exploits when they can log in using harvested credentials, or convince a finance director to authorise a transfer using a pretext built from publicly available information.

When we reverse-engineer the reconnaissance behind successful BEC campaigns, the data consistently comes from three vectors.

Corporate exhaust and vendor mapping

Attackers map the target’s business environment without touching the primary domain. They query historical WHOIS records, passive DNS databases, and SSL Certificate Transparency logs to identify vendor portals, shadow IT infrastructure, and supply chain relationships. Public contract awards, B2B review sites, and municipal filings reveal which partners the executive works with and what payment schedules look like.

None of this triggers a security alert. All of it builds the pretext.

Family and social exposure

Executives receive OPSEC briefings. Their families do not. Threat actors use cross-platform correlation to map familial relationships and daily patterns. A spouse’s public Instagram post tagging a hotel in Geneva, cross-referenced with a corporate flight tracker, places the executive in a specific city at a specific time.

That context enables the attack: an urgent email from the “CEO” to a finance team member regarding a payment required in Switzerland, sent precisely when the real CEO is in flight and unreachable.

The Security Executive Council’s analysis of 424 attacks on corporate executives from 2003 through 2025 found that incident volume doubled in 2025 compared to the prior year. While 85% of documented incidents involved physical activity — assaults, stalking, protest actions — the report noted a growing intersection between digital reconnaissance and real-world targeting. Attacks on non-CEO senior executives are rising fastest.

Credential and breach data

Adversaries parse dark web breach compilations and stealer log marketplaces. They are not only looking for active passwords. They map password reuse patterns, historical email addresses, and answers to security questions exposed in third-party breaches years earlier.

This threat vector is expanding as consumer tools contract. Google shut down its Dark Web Report feature in January 2026, citing poor user experience. The replacement — generic security tips within Google’s Security Checkup — provides no visibility into credential exposure. Executives relying on consumer-grade monitoring are increasingly blind to what circulates about them underground. We mapped the mechanics of credential leak exposure in a previous investigation.

Case Study: Arup, $25 Million, One Video Call

The most instructive recent case is Arup’s $25 million deepfake fraud, disclosed in May 2024.

Attackers targeted a finance employee in Arup’s Hong Kong office with an email purportedly from the company’s UK-based CFO, requesting an urgent confidential transaction. The employee was initially suspicious — the email had the hallmarks of phishing.

What overcame that suspicion was a video call. The attackers had created deepfake recreations of multiple Arup colleagues, including the CFO, and placed them in a fabricated multi-person video conference. The employee, now seeing what appeared to be familiar faces confirming the request, authorised 15 wire transfers totalling $25 million to five attacker-controlled bank accounts.

The fraud was discovered only when the employee contacted Arup’s actual headquarters to discuss the transaction. No one there had authorised it. No one had been on the call.

This attack required two things: the technical capability to generate deepfakes (increasingly commoditised), and enough personal intelligence about the CFO, the colleagues, and the employee to make the pretext credible. The reconnaissance — who reports to whom, what a normal request looks like, which office handles transfers — came from publicly available data.

We dissected the anatomy of AI-assisted social engineering in more detail in our analysis of vishing and KYC bypass techniques.

Reducing the Reconnaissance Surface

If open-source intelligence is the raw material for whaling, the countermeasure is reducing the supply.

This is not the same as locking down a LinkedIn profile or enabling MFA — both of which are baseline hygiene, not strategic countermeasures. Reducing the reconnaissance surface means systematically removing or suppressing the data that attackers rely on during the planning phase:

Data broker records. Broker listings aggregate home addresses, phone numbers, family relationships, and employment history into structured profiles that AI agents and human investigators alike can query. The February 2026 JEC report found that data broker breaches alone cost US consumers over $20 billion, and that some brokers actively hid their opt-out pages from search engines. Removing records from primary aggregators — not just secondary nodes that repopulate from upstream — requires tracing the data supply chain and submitting jurisdiction-specific legal requests.

Breach database exposure. Identifying which credential pairs, personal emails, and security question answers circulate in breach compilations, stealer logs, and dark web markets. This is not a one-time check. New breaches continuously introduce fresh material.

Public registry data. Corporate filings, property records, and historical domain registrations that link an executive’s personal and professional identities. In the EU, GDPR Article 17 provides a legal basis for erasure requests against data controllers — but the request must be specific, documented, and directed at the correct entity.

The practical execution of this requires manual investigation. Automated removal tools — as the UC Irvine study of 543 data brokers demonstrated — fail against 40% of brokers and cannot handle cross-jurisdictional legal requirements. A Shield engagement combines the forensic mapping of the exposure surface with active threat monitoring and coordinated removal across jurisdictions.
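As an added illustration of the breach-database item above (not code from this briefing or from Shield): the hash-prefix range query that breach-corpus lookup services use, which lets a secret be checked for exposure without the secret or its full hash ever leaving the client. Both sides of the exchange are simulated here; the corpus contents, counts and class names are constructed for the example.

```python
import hashlib
from collections import Counter

PREFIX_LEN = 5  # client discloses only the first 5 hex chars, i.e. one of 16**5 buckets


def sha1_hex(secret: str) -> str:
    """Uppercase hex SHA-1 digest, the form breach-corpus range services index on."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Simulated server side: leaked secrets indexed by hash prefix (constructed)."""

    def __init__(self, leaked: dict[str, int]):
        self._by_prefix: dict[str, Counter] = {}
        for secret, seen in leaked.items():  # seen = times found in breach dumps
            digest = sha1_hex(secret)
            bucket = self._by_prefix.setdefault(digest[:PREFIX_LEN], Counter())
            bucket[digest[PREFIX_LEN:]] += seen

    def range_query(self, prefix: str) -> str:
        """Return 'SUFFIX:COUNT' lines for every hash sharing the prefix.
        The server learns the bucket, never which suffix the client wanted."""
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789ABCDEF"):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        bucket = self._by_prefix.get(prefix, Counter())
        return "\n".join(f"{s}:{n}" for s, n in sorted(bucket.items()))


def exposure_count(secret: str, corpus: BreachCorpus) -> int:
    """Client side: how often the secret appears in the corpus (0 = not seen).
    The secret and its full hash never leave this function; matching is local."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in corpus.range_query(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed corpus: the secrets and their counts are made up for this example.
CORPUS = BreachCorpus({"password": 3861493, "Summer2019!": 412, "tr0ub4dor&3": 7})

if __name__ == "__main__":
    for candidate in ("password", "Summer2019!", "xK9#vL2$wQ8@tR5"):
        print(f"{candidate!r}: seen {exposure_count(candidate, CORPUS)} times")
```

Because new dumps keep arriving, the same check has to be re-run on a schedule against a refreshed corpus, which is the "not a one-time check" point above.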

The Cost Calculation

An executive whose personal data has been methodically removed from broker databases, breach compilations, and public registries is a harder target to research. When the reconnaissance phase returns thin results, the attacker faces a choice: invest significantly more time and resources, or move to an easier target.

That calculus matters. BEC operations are volume businesses. Attackers optimise for return on effort. An executive who is difficult to profile is an executive who is expensive to attack — and most threat actors will not pay that premium when softer targets exist.

The question for security teams is whether they are managing this exposure proactively, or waiting for the pretext to arrive in someone’s inbox.

If this is your situation

If you’re facing an active threat, the Shield engagement responds within hours.
