Across many Western countries, political polarization and pressure on corporate leaders to take public stands on controversial issues will likely increasingly drive some activists, hacktivists and violent extremists to harass, intimidate and attack executives and their families. On May 24, five members of the environmental activist group Greenpeace scaled a building near the Paris headquarters of TotalEnergies to display a mock wanted poster with the face of the firm's CEO. The poster called him "the leader of the most polluting French company which makes billions to the detriment of the planet and its populations." While nonviolent, the incident reflects a growing trend in which corporate executives are singled out for harassment, intimidation or targeted violence as proxies for the activities of their companies and/or their personal beliefs. While environmental campaigners have been at the forefront of publicly calling out C-suite executives for their alleged failures to take sufficiently aggressive action to combat climate change, these activists have largely remained peaceful (albeit disruptive) and reserved any violence for attacks against physical infrastructure rather than people. Instead, corporate leaders who have received physical threats have more frequently been targeted due to their and/or their companies' stances regarding other contentious topics like the Israel-Hamas war, electoral politics, and divisive social issues like LGBTQ+ and reproductive rights.
- On March 27, the U.S. cybersecurity company Recorded Future released a report indicating that domestic violent extremists are increasingly doxxing both private and public sector leaders in the United States. According to its findings, those who are doxxed are also at higher risk of facing physical security threats due to the release of personally identifiable information, or PII.
- In February 2023, BlackCloak, a U.S. cyber executive protection company, published a report finding a major surge in "swatting" attacks (in which perpetrators call in a fake emergency to trigger a large police response) against corporate executives, board members and other high-profile individuals over the prior four months. While the firm could not provide a clear rationale for the timing of the uptick, the attacks appeared to have been coordinated, and they heavily targeted certain corporate sectors, including healthcare, biomedical and pharmaceutical companies.
- In 2022-23, corporate filings indicated that U.S. asset manager BlackRock at first instituted and then significantly expanded personal protection for its CEO and president. While the firm did not provide details, there is widespread reporting that the decision was driven by backlash not only from "anti-woke" activists and conspiracy theorists aggrieved at the firm's ESG initiatives, but also from environmental campaigners who did not believe the company was going far enough.
Across the West, threats against corporate executives spiked in 2020 amid pandemic-era grievances, and since then, upticks have often coincided with controversial developments in different countries, at times spurred by disinformation and misinformation. While quantifying threats to corporate leaders is challenging given that many, if not most, do not become public, survey data indicates that the number of online threats to C-suite executives grew significantly in 2020 compared with prior years. This rise was likely driven in large part by the unique circumstances of the time, chiefly the COVID-19 pandemic, which fueled widespread restrictions on movement and contentious societal divisions over vaccinations, masking and other health protocols that roiled many companies. In the United States, deep societal polarization over the racial justice protest movement that emerged over the summer and the outcome of the 2020 presidential race in November further motivated various social activists, conspiracy theorists and more radical threat actors to threaten U.S. corporate leaders. Since then, there has generally been a more consistent tempo of anti-executive harassment, intimidation and attacks -- both in person and online -- though these threats have tended to flare surrounding contentious societal developments, such as election periods, high-profile court cases, and major legal or governmental policy changes. While this means that the timing of an uptick in threats often varies by country, some transnational issues that motivate activism across the West, such as the Israel-Hamas war or ESG issues, have resulted in a general increase across multiple geographies.
- In April 2023, two high-profile executives who oversaw popular U.S. beer brand Bud Light's marketing campaign with a transgender online influencer received death threats amid widespread backlash against the campaign, including numerous bomb threats to Bud Light facilities.
- The director of product strategy and security at Dominion Voting Systems went into hiding following the 2020 U.S. presidential election after supporters of former President Donald Trump repeatedly made violent threats against him and his family due to a baseless conspiracy theory that he rigged ballot-counting machines against Trump.
In the coming years, activists' growing frustration with what they see as governments' failures to address their demands will likely incentivize greater targeting of corporate leaders, despite efforts by many executives to avoid taking stances on contentious issues. Across the West, popular trust in national governments is on a long-term downward trajectory, with no reason to expect it to reverse significantly amid deepening political polarization and weakening institutions in many countries. As people increasingly lose faith in their political leaders to address their grievances, either due to a lack of intent or ability, individuals will find it more attractive to try to pressure companies and their leaders to make the changes they seek, especially when activists hold specific corporate policies responsible for their grievances. This can already be seen with environmental campaigners, who are increasingly focusing their activism on corporate targets because they believe that pressuring private firms that account for disproportionately high levels of emissions will lead to faster and more dramatic emissions reductions than trying to lobby governments. The same can be seen regarding other divisive issues, such as reproductive and LGBTQ+ rights, as campaigners increasingly seek to influence corporate policies as governments either roll back rights or are too divided to pass major national legislation. Looking ahead, artificial intelligence, data privacy, labor rights, and executive compensation and worker pay gaps are just a few of many issues that appear ripe for campaigners to seek to influence companies as governments struggle to form coherent policies. Regardless of the issue, activists' increasing focus on companies will stymie the hopes of many corporate leaders who want to remain publicly neutral on controversial topics as key constituencies -- including employees, customers, shareholders and regulators -- force them to take public stands. 
Even when they do not, remaining quiet will run the risk of generating backlash from all sides for not taking a public position. Overall, these risks will be especially heightened during election periods, which means the remainder of 2024 will be particularly risky for U.S. companies given the intensity of "culture wars" playing out on the campaign trail.
- Data from the Pew Research Center and Gallup indicates that U.S. public trust in the government, especially the federal government, is near a historic low and is significantly lower than in the mid-20th century when survey data began to be collected. While there is variance among European countries, survey data from large countries like France, Germany and the United Kingdom shows similar trends in which popular opinion has dwindling confidence in national institutions.
- The latest Bentley-Gallup Business in Society Report, released in October 2023 and based on a survey of 5,458 adults, found that 41% of Americans believe that businesses should take a public stand on current events. While a decline of seven percentage points from 2022, the headline figure still indicates that a large share of the population favors businesses speaking out. Moreover, majorities of key groups -- including self-identified Democrats (62%), Black Americans (61%) and younger Americans 18-29 years old (53%) -- still favor businesses taking public stances, and certain issues, like climate change, also find a majority of Americans in favor. The same survey also found that larger shares of Americans believe that businesses are more effective at positively impacting people's lives than federal, state or local governments.
Targeting corporate executives will also become simpler due to advances in generative artificial intelligence and multiple digital developments that are making it easier to find their PII and whereabouts, as well as those of their families. Just as advances in generative artificial intelligence, or AI, are making it easier to carry out a wide array of cyberthreat activities, such developments will also make it easier to target corporate executives. For instance, increasingly convincing synthetic media content will enable activists and cyber threat actors to create audio and visual deepfakes of corporate executives making statements or doing things that draw popular ire. Moreover, AI can help otherwise unskilled threat actors carry out at least rudimentary cyberthreat operations, or improve the sophistication of those with baseline skills. This means that, among other things, conducting spear-phishing attacks or disinformation campaigns targeting corporate leaders will become easier. Similarly, carrying out distributed denial-of-service attacks, website defacements, hack-and-leak operations and other common hacktivist activities targeting executives will also likely become more widespread. At the same time, the proliferation of a variety of open-source intelligence, or OSINT, tools will make it simpler to find corporate leaders' physical locations, personal residences, travel plans and other PII. Already, activists are exploiting publicly accessible information like property records to find executives' homes, and a growing cottage industry of OSINT tracking sites (such as for corporate jets) will only make it harder for executives to hide their whereabouts. A wide variety of PII readily available online will also reduce privacy. Additionally, the family members of executives often have less operational security and threat awareness, making them attractive targets and potential paths to executives themselves.
A post-pandemic shift to working from home or other areas with less robust cybersecurity will also provide further vectors for initial access into corporate leaders' personal and corporate devices.
- In June 2023, BlackCloak and the Ponemon Institute, a U.S. information security research organization, released a report in which 42% of the 550 information technology security leaders surveyed said that hackers had targeted a senior executive or family member in the past year. In more than one-third of these cases, hackers gained access by breaching less secure home networks.
- In May 2023, the U.S. cybersecurity firm Dragos revealed that a cybercrime group tried to extort the company's executives in an effort that included contacting the CEO's wife and five-year-old son.
- Numerous media reports and industry surveys show that the PII of corporate executives, board members and their families is available for sale on online cybercrime marketplaces and data brokers' sites. For instance, in April 2022, a BlackCloak blog post detailed a survey of nearly 1,000 clients, most of whom are corporate executives or board members at large companies, in which 99% had PII available on dozens of data broker websites and 95% of executive profiles had personal or confidential information about their families.
- There is a wide variety of free online services that enable people to track corporate jets, personal yachts and the travel of other high-profile individuals. Following U.S. tech executive Elon Musk's 2022 takeover of X (then Twitter), he banned the well-known account of a programmer who had published a real-time feed of Musk's private jets, but the programmer then moved his tracker to another website.
At least a subset of more aggressive activists, hacktivists and violent extremists will likely increasingly harass, intimidate and attack corporate executives, board members and their families via a range of digital and in-person tactics. To be sure, most activists have an interest in keeping their anti-corporate campaigns high-profile but peaceful in order to avoid serious legal charges and prevent popular backlash against their cause. That said, even nonviolent acts like Greenpeace's wanted banner can generate personal safety risks for executives, as attaching their faces to high-profile and highly critical statements can make them much more likely to be recognized in public, and thus harassed or intimidated, or otherwise become a future target for other threat actors. To this end, there are other threat actors, such as criminals and extremists, who have fewer inhibitions about engaging in violence or other threatening behavior. Insiders, whether witting or otherwise, also provide a pool of people close to a corporate target (physically and/or online) who can either directly present a threat or unintentionally enable a third party to gain access to a corporate leader. The growth of digital tactics to go after targets also means that the pool of potential attackers is even larger because physical distance is no longer a constraint on conducting various forms of cyber harassment, intimidation or attacks. While many high-profile executives have some level of personal protection while conducting their work duties, this is uncommon for executives below the highest echelon of the C-suite, board members and/or executives at smaller firms. Moreover, even if a corporate leader has personal protection while conducting work functions, only the highest-profile individuals typically extend protection to their personal residences and private lives, which means their families often remain vulnerable to various security threats. 
Given these realities, there is a wide range of physical and cyber tactics that different threat actors can use to single out corporate leaders and their families, including:
- Media stunts: As seen in Greenpeace's wanted banner, myriad nonviolent acts can still raise security threats for corporate leaders by increasing public scrutiny of the target. Other examples include creating hashtag campaigns on social media or publishing fake public statements.
- Website defacements: While arguably the most rudimentary of hacktivists' tactics, these attacks could nonetheless spark significant negative public scrutiny of corporate leaders if the perpetrators post defamatory statements. Direct safety risks would also rise if the hackers posted PII or other sensitive information, especially if family members' information was included.
- Spyware: The proliferation of commercially available, advanced spyware will lower the threshold for threat actors to target corporate leaders and their families. While once the preserve only of nation-states, spyware is becoming cheaper, easier and more accessible to more threat actors. Various cyber threat tactics, ranging from more basic spear-phishing attacks to much more sophisticated zero-click exploits, can enable threat actors to plant spyware on their targets' devices and those of their families. In fact, first targeting family members who likely have less cybersecurity awareness would be an attractive way to target corporate leaders for surveillance and various attacks.
- Hack-and-leak operations: Gaining access to private communications (such as emails, phone calls or text messages) -- especially if they are controversial, embarrassing or otherwise sensitive -- gives threat actors a vector to coerce corporate targets or threaten to publish them. Should they be published, such communications could put negative public scrutiny on corporate leaders and also potentially their families.
- Deepfake extortion and tricks: Criminal groups are already using deepfakes to extort or otherwise trick their targets into paying them, and such tactics could easily be applied to target corporate leaders and their families to coerce or trick them into providing sensitive information like personal addresses, phone numbers or financial information.
- Deepfake impersonations: Advances in generative AI will only make it easier, cheaper and faster to create realistic audio and visual deepfakes of corporate leaders saying or doing things that cause blowback against them. While until now, threat actors have primarily used these tactics against public officials, there is ample scope to extend them to target executives.
- Doxxing: Doxxing has become a preferred method of harassment and intimidation, and it is a crucial tactic because spilling corporate leaders' PII often opens the door to other tactics. Doxxing that spills the PII of family members would enable threat actors to escalate their targeting and offer new inroads to find corporate executives by co-locating them with their loved ones.
- Swatting: Numerous executives have been the victims of swatting attacks, and these will remain attractive forms of harassment and intimidation because they are no-cost and can be done anonymously. In rare cases, these attacks may even lead to violence if there is an altercation between police officers and the corporate target. Threat actors who seek to cause greater fear could also expand their targeting beyond corporate leaders to their families.
- Personal threats: While unsophisticated, sending threatening messages (via email, phone and/or physical mail) is nonetheless an effective way to instill fear into not only corporate targets but also their families, which in some cases may be singled out. The widespread availability of corporate leaders' PII online makes sending threatening messages easy, and it can often be done anonymously.
- Targeted protests: Increasingly, activism can extend to corporate leaders' homes as it becomes easier to find their personal addresses, either via PII circulating online or by targeting their family members. Even if peaceful, protests can be very disruptive and cause fear and significant media attention. Risks can also extend to an array of public events that are part of corporate leaders' work responsibilities, such as shareholder meetings, as well as to other parts of their private lives, such as vacations or meals in public venues as it becomes easier to track targets.
- Property destruction: If threat actors seek to be more aggressive but do not want to conduct violence against people, targeting property can be an attractive option. Such attacks can range from less intense forms of vandalism (like graffiti) to much more aggressive and destructive acts, like arson (which also carry a risk of causing casualties if people are inside the targeted location). Given the relative ease of finding corporate leaders' personal residences (including by targeting their families), these will be constant risks.
- Violent attacks: In the most extreme scenario, harassment, intimidation and threats can result in targeted violence. While only the most aggressive threat actors are likely to contemplate this course of action, a wide range of conspiracy theorists, extremists and others have repeatedly shown at least an intent, if not in most cases the capability, to commit violence against corporate leaders. These attacks range from nonlethal beatings to kidnappings to assassinations, and it would almost always be easier to commit such attacks against corporate leaders' families, should threat actors seek to do so.