Editor’s Note: This is Part 3 of our 5-part series on “AI-Powered Spearphishing at Scale.” In Part 1, we covered the exponential growth of AI phishing. In Part 2, we walked through the automated pipeline that powers these attacks. Today, we reveal exactly who is in the crosshairs.
There is a dangerous myth in cybersecurity: “I’m not famous enough to be spearphished.”
Most executives assume that unless they are the CEO of a Fortune 500 company, they’re flying under the radar. They believe their obscurity is their security.
The data proves otherwise.
In our analysis of 1,921 malicious emails, we mapped the “victimology” of modern AI-powered attacks. The pattern is unmistakable: attackers have moved from a B2C spam model to a criminal Account-Based Marketing (ABM) model.
These attackers now build Ideal Customer Profiles (ICPs) for whoever they are targeting next, and those profiles likely match people on your own leadership team.
The New ICP: Executives and Founders
Attackers are rational economic actors. They want the highest possible payout for the lowest possible effort.
In the era of AI, that calculation has shifted decisively toward the top of the org chart. Our research confirms that 51.6% of all targeted AI attacks are directed at the C-suite and founders.
- CEOs & Founders: 27.8% of attacks
- Other C-suite (CFO, COO, CISO, etc.): 23.8% of attacks
In other words, if criminals were running a B2B sales funnel, your executives would be their Tier 1 target accounts. Why? Because it’s not just about personal wealth. It’s about authority and public footprint.
- The OSINT (Open-Source Intelligence) Goldmine
Executives speak on podcasts, post on LinkedIn, give media interviews, and appear on conference agendas. That public presence becomes raw material for AI: titles, topics, travel, partners, even internal projects mentioned on stage. This is exactly the context needed to craft the “perfect lure” described in Part 2.
- “God Mode” Permissions
A junior engineer might need multiple approvals to pay a $500 invoice. A CFO can authorize a $50,000 wire with one email. A CEO can green-light strategic transfers or data sharing with a single “Looks good.” Attackers know this. The higher the privilege, the higher the potential ROI.
- Influence Radius
Even if an executive doesn’t directly approve payments, their name can be weaponized. “Per [CEO Name]’s request…” in a subject line dramatically increases the success rate of downstream fraud.
The result: executives are no longer “too small to care about.” They are the primary entry point and the primary amplifier of AI-powered fraud.
The Secondary ICP Targets: Gatekeepers
If criminals can’t land a clean shot on the C-suite, they pivot to the gatekeepers who control the flow of money and information.
Our heatmap shows alarming growth in attacks against these specific roles:
- Sales & Marketing (GTM): 11.1% of attacks
- Finance: 8.4% of attacks
Why these teams?
- Sales & GTM: Inboxes Optimized for Strangers
Salespeople are paid to open emails from unknown senders, click links, and respond quickly, because every unfamiliar contact is a potential new deal. Telling them to “be suspicious of unfamiliar contacts” is like telling them to miss quota. Attackers exploit this structural reality. A well-timed “prospect” email or “event opportunity” becomes the perfect Trojan horse: it lands in the sales team’s platform or CRM, and from there the attacker pivots laterally toward leadership.
- Finance: Direct Access to Cash Flow
Finance teams handle high-leverage workflows that attackers find attractive: invoices, refunds, payroll, and vendor onboarding. A single fraudulent “updated payment details” email can reroute substantial funds.
Together, executives and gatekeepers form the perfect ICP bullseye of criminal ABM.
The Financial Impact: $9 Million at Risk
So what does this targeted focus cost?
When we analyzed the payload of these AI-driven attacks, we found that 9% of malicious emails contained a direct request for funds, and the average requested amount per fraudulent email was $49,000.
Using typical attack frequency and success assumptions for a 1,000-person organization, the annualized financial exposure from these attacks is approximately $9 million.
That’s not a nuisance. That’s a material risk to your P&L and, for many companies, a board-level issue.
What This Means for Defenders
If attackers are running criminal ABM against your organization, you can’t defend with generic, one-size-fits-all controls. You need the equivalent of defensive ABM:
- VIP Protection is Mandatory
You cannot apply the same security posture to your CEO that you apply to a new hire. Executives need white-glove filtering that prioritizes semantic analysis and behavioral signals over raw throughput. Their mailboxes should be the most instrumented and protected in the company, not the most bypassed for “convenience.”
- Protect the Gatekeepers
Your Finance and Sales teams live in the blast radius, so they need better guardrails, not just more training. That could mean tools that flag risky intent (unexpected wire requests, vendor banking changes, contract signature demands) even when the sender and language look clean, or policies that add lightweight verification for high-value actions without breaking their workflows.
- Audit Your Executive Footprint
Assume that any public data about your executive team is already being weaponized. Run an OSINT audit on your executives by asking the following questions:
- What does a generic AI model learn about your CEO in 60 seconds?
- Which conferences, topics, vendors, and partners are publicly associated with your leadership?
- How much of their offline life—podcasts, donations, recurring events—could a stranger reconstruct from a quick search?
- How exposed are they through family and friends’ public social media accounts?
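To make the “Protect the Gatekeepers” and “VIP Protection” points concrete, here is an added example of a small intent-based triage rule set. It is not code from the original post or from the report it summarizes; the recipient directory, role tiers, regexes, thresholds and sample messages are all constructed for illustration. The idea it demonstrates is the one the post describes: score a message by what it asks for (wire transfer, banking change, signature demand, name-dropped authority) and by who is receiving it (executive, finance, sales, other), then require out-of-band verification for money-moving requests to high-privilege roles regardless of how clean the sender or the prose looks.

```python
"""Added example (not from the original post): a minimal "defensive ABM" mail triage.

It scores inbound mail by (a) the recipient's role tier and (b) the intent of the
request, then decides whether the action needs out-of-band verification.
All directories, patterns, thresholds and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed recipient directory: address -> role tier (the post's "ICP" tiers).
ROLE_TIERS = {
    "ceo@example.com": "executive",
    "cfo@example.com": "executive",
    "ap@example.com": "finance",
    "bdr@example.com": "sales",
    "dev@example.com": "other",
}

# Intent signatures: (name, regex, weight). They look at what the mail asks for,
# not at who it claims to come from, so a clean sender and fluent prose do not help.
INTENT_PATTERNS = [
    ("wire_request",
     re.compile(r"\b(wire|transfer|remit|send)\b[^.]{0,60}(?:\b(?:funds|payment|money)\b|\$\s?\d)", re.I), 40),
    ("banking_change",
     re.compile(r"\b(updated?|new|changed?)\b[^.]{0,40}\b(bank|routing|account number|payment details)\b", re.I), 40),
    ("signature_demand",
     re.compile(r"\b(e-?sign|sign(?:ature)?)\b[^.]{0,40}\b(today|asap|immediately|by eod)\b", re.I), 20),
    ("authority_invocation",  # "Per [CEO Name]'s request..." style name-dropping
     re.compile(r"\bper\s+\w+(?:\s+\w+)?['’]s\s+request\b", re.I), 25),
]
URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away|before (?:noon|eod|end of day))\b", re.I)
AMOUNT = re.compile(r"\$\s?(\d[\d,]*(?:\.\d{2})?)")

# Money-moving intents at or above this amount trigger out-of-band verification.
# Executives and finance are verified on any amount: their approval authority
# makes even a small request worth a phone call (constructed thresholds).
VERIFY_THRESHOLD_USD = {"executive": 0, "finance": 0, "sales": 10_000, "other": 25_000}
MONEY_MOVING = {"wire_request", "banking_change"}
FLAG_SCORE = 25  # below this the message is allowed through untouched


@dataclass
class Verdict:
    recipient: str
    tier: str
    intents: List[str] = field(default_factory=list)
    amount_usd: float = 0.0
    score: int = 0
    action: str = "allow"  # allow | flag | verify_out_of_band


def extract_amount(text: str) -> float:
    """Largest dollar amount mentioned in the message, or 0.0 if none."""
    amounts = [float(m.group(1).replace(",", "")) for m in AMOUNT.finditer(text)]
    return max(amounts, default=0.0)


def triage(recipient: str, subject: str, body: str) -> Verdict:
    """Decide what to do with one message based on recipient tier and request intent."""
    text = f"{subject}\n{body}"
    tier = ROLE_TIERS.get(recipient.lower(), "other")
    v = Verdict(recipient=recipient, tier=tier, amount_usd=extract_amount(text))
    for name, pattern, weight in INTENT_PATTERNS:
        if pattern.search(text):
            v.intents.append(name)
            v.score += weight
    if URGENCY.search(text):
        v.score += 10
    if MONEY_MOVING & set(v.intents) and v.amount_usd >= VERIFY_THRESHOLD_USD[tier]:
        v.action = "verify_out_of_band"   # hold and confirm via a known-good channel
    elif v.score >= FLAG_SCORE:
        v.action = "flag"                 # deliver with a warning banner / SOC alert
    return v


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("cfo@example.com", "Quick approval needed",
         "Per Jane Doe's request, please wire $49,000 to the new vendor account today. "
         "Updated bank details attached."),
        ("ap@example.com", "Remittance info",
         "We have changed our bank account number; please use the new routing info for the next payment."),
        ("bdr@example.com", "NDA", "Please sign the attached NDA today so we can get started."),
        ("bdr@example.com", "Partnership opportunity",
         "Loved your talk at the summit. Could we set up a call next week to discuss a reseller deal?"),
    ]
    for rcpt, subj, body in samples:
        v = triage(rcpt, subj, body)
        print(f"{rcpt:18} {v.tier:9} {v.action:20} score={v.score:3} amount=${v.amount_usd:,.0f} {v.intents}")
```

The design choice worth noting is that the verification decision keys on intent plus recipient tier, not on sender reputation or language quality, which is exactly the signal an AI-crafted lure is built to pass. The regexes are deliberately crude; a production system would replace them with a semantic classifier, but the policy layer (verify money-moving requests to executives and finance out of band, flag the rest above a score) is what makes the control resilient.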
Why Training Alone Won’t Save You
You might be thinking: “But we train our executives. We run phishing simulations. We spend heavily on Security Awareness Training. Why do we need to consider anything else?”
That’s the problem.
You’re trying to counter a systematic, automated, account-based campaign with individual memory and vigilance. Even the most diligent executive will eventually be tired, distracted, or rushed when that perfectly timed AI-crafted email arrives.
In Part 4, we’ll explain why the “Human Firewall” concept is fundamentally broken in the age of generative AI—and why relying on it as your primary control is, at this point, a policy failure.
[Download the Full Report: AI-Powered Spearphishing at Scale]