When a Click Becomes a Crisis: Phishing Surge Sparks Executive Awareness Overhaul

The Challenge

In late 2024, Clearhome Leasing, a well-established property management company, began experiencing a wave of increasingly sophisticated phishing attacks. These emails were not the usual generic spam. They were carefully crafted messages that referenced internal projects, mimicked real vendors, and used personalized language to target senior leadership. Over the course of two months, simulated phishing tests revealed that directors and executives were the most likely to click on malicious links or down…

This trend uncovered a deeper issue. A review of company training records showed that the last mandatory cybersecurity training for executive-level staff had occurred nearly two years earlier. Participation had been voluntary, and no metrics were in place to track completion or effectiveness. Executives, while highly capable in operational leadership, had become a blind spot in the company's cybersecurity posture.

The issue escalated when a spoofed email, designed to look like it came from the CEO, instructed a finance manager to initiate a wire transfer. Although the request was caught before funds were moved, the incident set off alarms across the organization. There was no formal policy linking cyber awareness to executive accountability, and cyber risk had not been on the board agenda in over a year.

Our Solution

We were brought in to address this gap at the leadership level. Our first step was to create a tailored executive cyber readiness program that included quarterly tabletop exercises, simulated phishing campaigns, and role-specific incident walkthroughs. Participation metrics were integrated into leadership performance reviews.

We helped launch a cybersecurity dashboard that provided visibility into executive engagement, awareness completion rates, and testing results. Governance protocols were revised to require that cybersecurity be discussed at every quarterly board meeting. Additionally, senior leaders were required to participate in at least one simulated incident drill annually.

To shift company culture, we also worked with HR and communications to embed cyber awareness into leadership development plans. Executives began sponsoring awareness campaigns for their departments, and cyber readiness became a visible part of Clearhome’s leadership philosophy.

The Value

Within six months, phishing susceptibility among leadership dropped by over 50 percent. The organization developed a stronger top-down security culture and built resilience by embedding awareness at the strategic level. Clients and stakeholders took notice, citing the company’s transparency and leadership-driven approach as evidence of reliability.

Implementation Roadmap

1. Launch a tailored executive cyber readiness program with real-world scenarios

2. Introduce a performance dashboard tracking executive cyber engagement

3. Tie cyber awareness participation to executive compensation plans

4. Include senior leaders in annual simulated incident drills

5. Make cybersecurity a standing agenda item for all board meetings

Info Sheet

Industry Sector: Real Estate and Rental and Leasing

Applicable Legislation:

  • PIPEDA
  • Cybersecurity Culture Best Practices – Canadian Centre for Cyber Security

Necessary Action Type: Executive Accountability and Awareness Integration

Steps to Be Taken:

  • Tie cyber awareness to leadership performance reviews
  • Implement mandatory simulations and training at all levels
  • Launch executive cyber readiness dashboards
  • Engage change management to build security culture
  • Track and report quarterly awareness metrics to the board

Involved Third Parties:

  • Cybersecurity simulation vendor
  • Internal learning and development team
  • Executive leadership council