Home / Industry

Are Companies Doing Enough to Tackle CEO Impersonation on the DNS?

A recent study of CEO impersonation showed that phishing in its various forms is a threat not just to the world’s top companies but also to the top CEOs.

The investigation on 2,157 domains and 652 subdomains containing the top 100 CEOs on Glassdoor’s list revealed that:

  • More than 2,000 domains and 600 subdomains contain the CEOs’ names.
  • 92% of the 2,000 domains had redacted WHOIS records.
  • Only 2% of the 2,000 domains can be publicly attributed to the CEOs’ respective organizations.
  • Screenshot analyses revealed some suspicious redirects.
  • Some of the domains have been reported “malicious.”

These statistics prompted the questions:

  • Do companies include domains containing their top executives’ names to a sufficient extent in their brand monitoring efforts?
  • Do they register such domains and subdomains or buy them from registrants as part of their brand protection efforts?
  • Do they include their respective CEOs’ names in their roster of trademarks and copyrighted terms?

Noteworthy Facts and Figures

Chart 1: Domain distribution across the top 100 CEOs

Of the top 100 CEOs, the following had the highest number of registered domains:

  • Kevin Murphy of Ferguson Enterprises
  • Tim Cook of Apple
  • Tim Ryan of PwC
  • Rene F. Jones of M&T Bank
  • Marc Benioff of Salesforce

The remaining 1,124 domains were distributed across the remaining 95 CEOs.

Chart 2: Subdomain distribution across the top 100 CEOs

The top 5 CEOs in terms of number of subdomains, meanwhile, are:

  • Kevin Murphy of Ferguson Enterprises with 158 subdomains
  • Rene F. Jones of M&T Bank with 96 subdomains
  • Tim Cook of Apple with 57 subdomains
  • Tim Ryan of PwC with 41 subdomains
  • Matthew Stevens of The Bay Club with 35 subdomains

The remaining 265 subdomains were distributed across the remaining 95 CEOs.

Are the Top 100 CEOs’ Domains Being Protected by Their Respective Organizations’ Brand Protection Teams?

Of the 2,157 domains containing the top 100 CEOs’ names, only 2% are publicly attributable to the companies they’re part of based on WHOIS information.

While many organizations may already regularly monitor how their brands are used online to ensure these don’t get abused in malicious campaigns, not every company does. Bank of America is a great example of an organization that buys domains (e.g., bankofamerica4[.]com), even those that contain misspelled variants of its brand or company name, as part of its brand protection efforts.

Looking at the results for the top 100 CEOs, its CEO Brian T. Moynihan’s name only appeared in 24 domains and no subdomains. Among the domains containing the CEO’s name, 67% were owned by the bank. Bank of America could also be monitoring web properties whose domains contain its CEO’s name. That could be a good anti-BEC practice.

A similar attribution couldn’t be established for organizations like Apple, Milwaukee Tool, Fidelity Investments, and M&T Bank. What’s more, domains containing their CEOs’ names were dubbed “malicious” on Bambenek Consulting OSINT Data Feeds, Google Safe Browsing, and VirusTotal, including timcooktoo[.]com, stevenrichman[.]com, abbyjohnson[.]xyz, and renettejones[.]com. Interestingly, brianmoynihan[.]com (which could be related to Bank of America’s CEO) was also found malicious.

As this post showed, companies the world over may need to extend the brand protection efforts to include their executives’ names to the list of trademarks, copyright terms, brand names, and all other web properties and digital assets they monitor. Domains with their respective CEOs’ names could be misused or abused in BEC scams targeting their employees that will not only cost them financially but also tarnish their reputation.

For more information on the intelligence gathered in this post or to run a joint security analysis, feel free to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under


Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix


Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign


Sponsored byVerisign