Phishing campaign: Are decision-makers vulnerable?

Feb 18, 2025 | Human Services

Phishing: an underestimated threat

Cybersecurity is a major issue for companies, and malicious phishing campaigns are among the most frequent threats. Yet corporate decision-makers, including CEOs and CTOs, are sometimes the weakest links when it comes to raising awareness.

As part of its mission to protect and raise awareness, Hackmosphere ran a phishing campaign targeting these strategic profiles. The results speak for themselves, underlining the need for increased vigilance in the face of malicious e-mails.

Definition of phishing

Before diving into the details of the research, it’s important to understand what phishing actually is. Phishing is a technique used by cybercriminals to deceive users and obtain sensitive information such as login credentials, passwords or financial information. Attackers use e-mails to pose as a legitimate entity, such as a bank, company or online service. They then ask victims to divulge their confidential information by clicking on a malicious link or by providing the information directly. Phishing can take many forms, including spear-phishing, which specifically targets an individual or organization, and whaling, which specifically targets a company’s senior management. These techniques are often highly sophisticated and difficult to detect.


Phishing campaign approach and methodology

To guarantee the reliability of our results, Hackmosphere followed a rigorous, methodical approach.

Target identification

The campaign targeted two key decision-makers:

  • CEOs, often exposed due to their strategic role and external interactions.
  • CTOs, in charge of technological decisions and naturally more aware of digital risks.

Scenario customization

Two distinct scenarios were developed, one tailored to each target:

  • An e-mail built around a request for a quote for CEOs, exploiting their responsiveness to sales opportunities.
  • An invitation to a technology summit for CTOs, playing on their expertise and interest in professional events.

Creating the infrastructure & sending e-mails

The e-mails were sent via a secure platform and optimized for deliverability. Building this setup is a fairly complex process that would deserve a blog post of its own; we won’t go into detail here, but here is our approach in outline:

  • A domain name was purchased for each scenario:

    • meditech-innovation.fr for CEOs
    • sommet-leaders-technologiques.fr for CTOs

  • We set up our own infrastructure: a VPS in a private cloud, with tools such as Postfix, Certbot and Mailgun installed.
  • Warmupinbox was then used to build the reputation of the sending addresses and improve inbox (main mailbox) placement rates.
  • Gophish was then used to create the campaigns and monitor their progress.

Retrieving results

To analyze the results, two metrics were taken into account:

  • Click-through rates
  • Performance of anti-spam software used by volunteers

Example timeline (time the mail was received and time the victim clicked):

[Figure: stages of a phishing campaign]

Limitations: you might ask why we didn’t go further and ask for confidential information. The reason is simple: with volunteer CEOs and CTOs from a variety of industry backgrounds, it was difficult to find a scenario that would have applied to all of them, so we chose to keep the campaign simple.
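The two metrics above, together with the received-to-click timeline, are straightforward to compute from a per-recipient event log. The following Python is an added example, not Hackmosphere’s code and not a Gophish export format: the event tuple layout, the provider names and the timestamps are constructed assumptions. It reports inbox placement, spam rate and click rate relative to e-mails sent (the convention used in the results below), counts clicks that came from the spam folder, and gives the median time from inbox delivery to click, overall and per mailbox provider.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: (recipient, mailbox provider, event, UTC timestamp).
# Each recipient gets "sent", then "inbox" or "spam", and optionally "clicked".
# This layout is an assumption for the example, not a real export format.
SAMPLE_EVENTS = [
    ("ceo1@corp-a.example", "gmail",     "sent",    "2025-01-20T09:00:00"),
    ("ceo1@corp-a.example", "gmail",     "inbox",   "2025-01-20T09:00:05"),
    ("ceo1@corp-a.example", "gmail",     "clicked", "2025-01-20T09:10:05"),
    ("ceo2@corp-b.example", "office365", "sent",    "2025-01-20T09:00:00"),
    ("ceo2@corp-b.example", "office365", "spam",    "2025-01-20T09:00:04"),
    ("ceo3@corp-c.example", "office365", "sent",    "2025-01-20T09:00:00"),
    ("ceo3@corp-c.example", "office365", "inbox",   "2025-01-20T09:00:06"),
    ("ceo4@corp-d.example", "gmail",     "sent",    "2025-01-20T09:00:00"),
    ("ceo4@corp-d.example", "gmail",     "inbox",   "2025-01-20T09:00:03"),
    ("ceo4@corp-d.example", "gmail",     "clicked", "2025-01-20T10:00:03"),
]

EVENT_KEYS = ("sent", "inbox", "spam", "clicked")


def _rates(counts):
    """Express placement, spam and click counts as percentages of e-mails sent."""
    sent = counts["sent"]

    def pct(n):
        return round(100.0 * n / sent, 1) if sent else 0.0

    return {
        "sent": sent,
        "inbox_rate": pct(counts["inbox"]),
        "spam_rate": pct(counts["spam"]),
        "click_rate": pct(counts["clicked"]),
    }


def campaign_metrics(events):
    """Aggregate raw events into overall and per-provider campaign metrics."""
    per_recipient = defaultdict(dict)   # recipient -> {event: datetime}
    provider_of = {}
    for recipient, provider, event, ts in events:
        per_recipient[recipient][event] = datetime.fromisoformat(ts)
        provider_of[recipient] = provider

    overall = dict.fromkeys(EVENT_KEYS, 0)
    by_provider = defaultdict(lambda: dict.fromkeys(EVENT_KEYS, 0))
    clicked_from_spam = 0
    minutes_to_click = []
    for recipient, evs in per_recipient.items():
        prov = by_provider[provider_of[recipient]]
        for key in EVENT_KEYS:
            if key in evs:
                overall[key] += 1
                prov[key] += 1
        if "clicked" in evs:
            if "spam" in evs:
                clicked_from_spam += 1
            elif "inbox" in evs:
                # Time the victim took between inbox delivery and the click.
                delta = evs["clicked"] - evs["inbox"]
                minutes_to_click.append(delta.total_seconds() / 60)

    result = _rates(overall)
    result["clicked_from_spam"] = clicked_from_spam
    result["median_minutes_to_click"] = median(minutes_to_click) if minutes_to_click else None
    result["by_provider"] = {p: _rates(c) for p, c in by_provider.items()}
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_metrics(SAMPLE_EVENTS), indent=2))
```

Rates are computed against e-mails sent rather than e-mails delivered, so that the figures line up with the percentages reported in the results sections; dividing clicks by delivered mails instead gives the more pessimistic "click rate among those who actually saw the lure".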

What are the results of the phishing campaign?

CEOs: a vulnerable target

The e-mail sent to CEOs simulated a request for a quotation for a tender. It read as follows:

Subject: Quote for a service
Message:
Hello,
I am contacting you because I identified your company during my research in the {{.Position}} field. I am interested in what you do and would like to obtain a quote.
If you would like to take part in the call for tenders, please book an appointment in my calendar here: {{.URL}}

Results:

  • 64 e-mails sent
  • 54 e-mails delivered to the main mailbox (84.5%)
  • 24 clicks on the malicious link (37.5%)
  • No clicks from SPAM e-mails

These results show that almost 4 out of 10 CEOs let themselves be tricked by a realistic simulation, highlighting their exposure to social engineering attacks.

[Figure: CEO campaign results]

CTOs: greater vigilance

The e-mail aimed at CTOs played on their technical expertise and interest in professional events:

Subject: Invitation: Speak at the 2025 Technology Leaders Summit
Message:
Hello,
We would be delighted to welcome you among our speakers, to share your ideas on the future of technological innovation in the {{.Position}} field.
If you would like to know more about our conference, you can download our programme here: {{.URL}}

Results:

  • 46 e-mails sent
  • 29 e-mails delivered to the main mailbox (63%)
  • 6 clicks on the malicious link (13%)
  • No clicks from SPAM e-mails

Despite a credible, targeted campaign, CTOs were generally more vigilant than CEOs.

[Figure: results of the CTO campaign]

Analysis and key findings

1. The importance of credibility

The e-mail sent to CEOs was more credible, as it was based on a concrete business need (a quote for a service), whereas that sent to CTOs was based on a less tangible promise (to speak at an event). This underlines the importance of adapting attacks to target audiences.

2. Anti-spam system performance

The statistics show a significant difference between the spam filters of the different providers:

  • Gmail: only 2% of e-mails sent were classified as SPAM.
  • Office 365 posted the best performance, with the highest SPAM rate.

3. Mailbox training

The sending address used for CEOs benefited from better training (via Warmupinbox), which explains its higher deliverability rate compared to the address used for CTOs. This technical detail illustrates the importance of preparation in the success of phishing campaigns.

The potentially catastrophic impact of a real phishing campaign

Although this phishing campaign was designed purely for awareness-raising purposes, the results reveal the immense risk to which companies are exposed when faced with real cybercriminals. In this simulation, the interaction stopped after the victim clicked on the malicious link. However, in a real attack, this click could have redirected victims to a fraudulent site designed to collect sensitive credentials, install malware or exfiltrate critical data.

Beyond the immediate impacts illustrated by this research, such as identity theft or system compromise, the consequences can extend to the strategic level. Companies may suffer significant financial losses, breaches of sensitive data or serious damage to their reputation. These scenarios underline the urgency of strengthening phishing defenses, as a single human error can open the door to a major cyber attack.

How can you protect your company from phishing threats?

The results of this campaign should encourage companies to step up their protection and awareness measures. Here are some key recommendations:

  1. Train your teams regularly
    Offer awareness-raising sessions to familiarize your employees, including decision-makers, with the most common phishing techniques.
  2. Strengthen your security systems
    Choose robust solutions like Office 365, which stood out in this campaign for its anti-spam effectiveness.
  3. Analyze incoming e-mails with vigilance
    Encourage systematic verification of senders and links (hover over a URL to see its true destination, and compare it with the visible link text) before clicking.
  4. Test your staff with internal campaigns
    Organize regular simulations to assess your teams’ level of vigilance in the face of malicious e-mails.
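Recommendation 3 can be partly automated on the receiving side. The Python below is an added example (not Hackmosphere’s code and not a product feature) of the "hover over the link" check done programmatically: it parses a raw message with the standard library, flags anchors whose visible text names one host while the href points at another, flags plain-http links, and flags a Reply-To domain that differs from the visible From domain, which is the sender-verification half of the same recommendation. The two messages are constructed samples using reserved `.example` domains; the lure wording only mirrors the quote scenario above.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lower-cased host of a URL, or of a bare domain written without a scheme."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    return bool(text) and "." in text and " " not in text


def link_findings(html):
    """Automated 'hover over the link': compare what the reader sees with the real href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if looks_like_url(text) and host_of(text) != href_host:
            findings.append(f"link text shows '{host_of(text)}' but href goes to '{href_host}'")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted http link to '{href_host}'")
    return findings


def header_findings(msg):
    """Flag a Reply-To whose domain differs from the visible From domain."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reply_domain = reply_to.rpartition("@")[2].lower()
    if reply_to and reply_domain != from_domain:
        return [f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'"]
    return []


def analyse_message(raw):
    """Return human-readable findings for one raw RFC 5322 message (empty list = nothing odd)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return header_findings(msg) + link_findings(html)


# Constructed sample: visible link and From look legitimate, href and Reply-To do not.
SUSPICIOUS_RAW = """\
From: "Achats" <achats@client-legit.example>
Reply-To: achats@client-leg1t.example
To: ceo@victim.example
Subject: Quote for a service
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, please book an appointment in my calendar here:
<a href="http://agenda.client-leg1t.example/rdv">https://agenda.client-legit.example/rdv</a></p>
</body></html>
"""

# Constructed sample: same lure with consistent headers and an honest https link.
LEGIT_RAW = """\
From: "Achats" <achats@client-legit.example>
To: ceo@victim.example
Subject: Quote for a service
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, please book an appointment in my calendar here:
<a href="https://agenda.client-legit.example/rdv">https://agenda.client-legit.example/rdv</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_RAW), ("legit", LEGIT_RAW)):
        print(name, analyse_message(raw) or ["no findings"])
```

The display-text check only fires when the visible text itself looks like a URL or domain; a link labelled "book here" is not flagged, which is exactly why the hover habit still matters for a human reader.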

Conclusion: raising awareness of cybersecurity is a strategic challenge

This phishing campaign, carried out by Hackmosphere, has highlighted significant vulnerabilities among corporate decision-makers. CEOs, who are particularly exposed, need to redouble their vigilance, while CTOs show greater resistance.

To protect your digital assets and strengthen your organization’s security, proactive awareness and effective tools are essential.

Don’t know your overall level of awareness? Take action with Hackmosphere

Would you like to test your teams’ vigilance or strengthen your cybersecurity? Contact us today to find out how Hackmosphere can help. Together, let’s build a safe and protected digital environment.