GoPhish Tutorial

Executive-Targeted Spear Phishing

Test C-level executives with highly personalized campaigns while maintaining discretion and compliance.

Overview

C-level executives are the #1 target for sophisticated spear phishing attacks. This tutorial shows you how to design and execute realistic phishing simulations for leadership while maintaining appropriate discretion, confidentiality, and compliance with organizational policies.

What You'll Learn

  • Create VIP-only target groups with enhanced privacy
  • Design executive-focused phishing templates
  • Configure private reporting dashboards
  • Schedule non-disruptive campaign timing
  • Provide personalized remediation training

Step 1: Create VIP-Only Target Groups

Separate executive campaigns from general employee simulations to maintain confidentiality and enable custom reporting. Use restricted access controls to limit visibility to CISO and board members only.

POST /api/groups
{
  "name": "Executive Leadership Team",
  "targets": [
    {
      "email": "ceo@company.com",
      "first_name": "Jane",
      "last_name": "Smith",
      "position": "CEO"
    },
    {
      "email": "cfo@company.com",
      "first_name": "John",
      "last_name": "Doe",
      "position": "CFO"
    }
  ],
  "access_control": {
    "visibility": "restricted",
    "authorized_users": ["ciso@company.com", "security-lead@company.com"]
  }
}

Step 2: Design Executive-Focused Templates

Craft realistic scenarios that executives actually face, such as board meeting invitations, investor communications, or legal compliance requests. Avoid obvious "test" indicators.

Effective Executive Phishing Scenarios

  • Board Meeting Schedule Change: Urgent calendar update from EA or board secretary
  • M&A Due Diligence Request: Confidential document request from "legal counsel"
  • Investor Relations Update: Earnings report review from CFO or IR team
  • Executive Compensation Review: HR request to verify bonus/stock information
  • Regulatory Compliance Alert: Urgent action required from general counsel
  • Vendor Contract Approval: Large purchase approval from procurement

Step 3: Configure Private Reporting Dashboards

Create executive-only dashboards that aggregate results without exposing individual performance. Focus on trends and organizational risk rather than personal metrics.

POST /api/dashboards
{
  "name": "Executive Security Awareness",
  "type": "private",
  "anonymize_individual_results": true,
  "show_aggregated_metrics": true,
  "share_with": ["board-members"],
  "metrics": [
    "overall_click_rate",
    "reporting_rate",
    "time_to_report",
    "trend_analysis"
  ]
}
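The aggregation a private dashboard needs can also be computed directly from a campaign's per-target results (GoPhish exposes these at GET /api/campaigns/{id}/results). The Python below is an added example, not code from this tutorial or from GoPhish: the result payload is constructed, its field names are assumed to follow the GoPhish results format, and it adds a small-group suppression floor, since a click rate over two or three executives still identifies who clicked.

```python
from datetime import datetime
from statistics import median

# Constructed sample shaped like a GoPhish GET /api/campaigns/{id}/results
# response (assumed field names, not data from the tutorial): one executive
# clicked, one submitted data, one reported the email without clicking.
SAMPLE_RESULTS = {
    "results": [
        {"email": "ceo@company.com", "status": "Clicked Link", "reported": False},
        {"email": "cfo@company.com", "status": "Email Sent", "reported": True},
        {"email": "coo@company.com", "status": "Submitted Data", "reported": False},
    ],
    "timeline": [
        {"email": "ceo@company.com", "time": "2024-05-07T10:00:05Z", "message": "Email Sent"},
        {"email": "cfo@company.com", "time": "2024-05-07T10:00:06Z", "message": "Email Sent"},
        {"email": "coo@company.com", "time": "2024-05-07T10:00:07Z", "message": "Email Sent"},
        {"email": "cfo@company.com", "time": "2024-05-07T10:04:06Z", "message": "Email Reported"},
        {"email": "ceo@company.com", "time": "2024-05-07T10:12:00Z", "message": "Clicked Link"},
        {"email": "coo@company.com", "time": "2024-05-07T10:30:07Z", "message": "Submitted Data"},
    ],
}

CLICK_STATUSES = {"Clicked Link", "Submitted Data"}
MIN_GROUP_SIZE = 5  # below this, "aggregate" rates still point at individuals
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def aggregate_results(payload, min_group_size=MIN_GROUP_SIZE):
    """Return group-level metrics only; no email or name leaves this function."""
    results = payload["results"]
    n = len(results)
    # Small-group suppression: publish nothing but the group size.
    if n < min_group_size:
        return {"group_size": n, "suppressed": True}
    clicked = sum(r["status"] in CLICK_STATUSES for r in results)
    reported = sum(bool(r.get("reported")) for r in results)
    # Time to report: per target, "Email Sent" to "Email Reported"; keep only the median.
    sent, delays = {}, []
    for ev in payload["timeline"]:
        if ev["message"] == "Email Sent":
            sent[ev["email"]] = datetime.strptime(ev["time"], TIME_FMT)
        elif ev["message"] == "Email Reported" and ev["email"] in sent:
            reported_at = datetime.strptime(ev["time"], TIME_FMT)
            delays.append((reported_at - sent[ev["email"]]).total_seconds())
    return {
        "group_size": n,
        "suppressed": False,
        "overall_click_rate": round(clicked / n, 3),
        "reporting_rate": round(reported / n, 3),
        "median_time_to_report_s": median(delays) if delays else None,
    }
```

With the default floor the three-person sample is suppressed; lowering `min_group_size` to 1 shows the computed rates, which is useful for checking the arithmetic but not for a real executive group.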

Step 4: Schedule Non-Disruptive Timing

Coordinate with executive assistants to avoid critical business periods like earnings calls, board meetings, or investor presentations. Send campaigns during normal business hours when executives are less stressed.

Recommended Timing

Day/Time                    | Status     | Reason
Monday 6-9 AM               | ❌ Avoid   | Weekend catch-up mode
Tuesday-Thursday 10 AM-2 PM | ✅ Optimal | Normal workflow hours
Friday after 3 PM           | ❌ Avoid   | Week wind-down
Quarter-end weeks           | ❌ Avoid   | Financial close stress

Step 5: Provide Personalized Remediation Training

Offer one-on-one coaching sessions instead of generic training videos. Focus on the specific threats executives face, such as business email compromise (BEC), CEO fraud, and sophisticated social engineering.

Best Practices

  • Get Buy-In: Brief CEO/board before launching executive campaign
  • Annual Cadence: Run 1-2 targeted campaigns per year (not quarterly)
  • No Public Shaming: Never reference executive results in company-wide communications
  • Focus on Learning: Position as threat awareness, not compliance testing
  • Real-World Relevance: Use scenarios from actual threat intelligence

Next Steps