
Security Briefing for Executive PAs and EAs | CloseProtectionHire
A personal assistant holds full schedule access and daily contact with the principal. This guide covers the social engineering threats PAs and EAs face, verification protocols, and operational security discipline.
Written by James Whitfield, Senior Security Consultant
A senior executive’s PA or EA holds a concentration of access that most security programmes do not adequately protect. Full diary management, travel booking, correspondence handling, contact directory maintenance, and daily coordination with the principal’s family and associates – these functions, combined, represent a more complete intelligence picture of the executive’s life than almost anyone outside the immediate family possesses.
Social engineering operations targeting corporate executives frequently bypass the executive directly and target the PA. The PA is accessible, professionally trained to be helpful, and holds the information needed to locate, schedule, and approach the principal. A well-executed impersonation call to a PA can produce a travel itinerary, a hotel name, and an arrival time within two minutes.
This guide covers the specific social engineering threats that PAs and EAs face, the verification protocols that defeat the most common attack methods, and the security discipline that protects the executive’s schedule without undermining the PA’s ability to function effectively.
Why PAs are primary social engineering targets
CPNI (now NPSA) research on insider threat and corporate social engineering identifies executive assistants, front-of-house staff, and the IT helpdesk as the three highest-value targets for social engineering attacks. The reason is structural: these roles combine high access with a professional culture of helpfulness and an environment in which questioning or slowing down a request feels obstructive.
For a PA specifically, the structural vulnerability is the diary. The PA’s core function is managing the executive’s time, which means they know – at any given moment – where the executive is, where they are going, how they are travelling, and who they are meeting. This information is available nowhere else in the organisation with the same currency and completeness.
The social engineering attack does not require a complex technical operation. A caller who claims to be:
- The executive, calling from an unfamiliar number to confirm a travel detail
- A security firm or CP company calling to confirm a pickup arrangement
- A hotel confirming a booking
- An IT team calling to verify account access
- A travel management company confirming a change to an itinerary
…and asks a single scheduling question has a reasonable chance of receiving an answer from a PA who has not been briefed on this threat and who has no protocol for verifying identity before providing schedule information.
The call verification protocol
The defeat mechanism for vishing is simple:
Before providing schedule information, personal data, or account credentials in response to a phone call, verify the caller’s identity through a channel that you control.
Specifically: end the call (politely, with a standard explanation), look up the contact on the number you already hold for that person or organisation, and call them back. Make the return call from a different phone, or wait for a clear dial tone first; on some landline systems a caller can keep the original line open so that the "return call" never leaves it. If the caller is genuine, the call back on the known number reaches them. If the number they provided differs from the number you hold, report both numbers to the security manager.
The most important element of this protocol is that the callback number must be one the PA already holds independently – not the number provided by the caller. A caller who impersonates an IT helpdesk and provides a callback number has simply created a loop back to themselves. The callback number must come from the organisation’s confirmed directory, the contact’s verified entry in the PA’s own contact record, or the official website – not from the call.
This protocol applies to:
- Any request for the executive’s travel or location information
- Any request for the executive’s personal contact details
- Any request to change a meeting location, hotel, or transport arrangement
- Any claim that the executive has lost their phone and needs their details read back
- Any urgent request citing a security or emergency context
The urgency and emergency framing is a social engineering accelerant – it is designed to suspend normal verification instincts. An urgent call is more reason to verify, not less.
Email impersonation and business email compromise
Beyond phone-based attacks, email impersonation targeting PAs is documented in the UK and globally. Business Email Compromise (BEC) – in which an attacker spoofs or compromises an email account to send requests that appear to come from the executive or a known contact – frequently targets PAs managing financial authorisations and travel logistics.
The indicators of email impersonation:
- An urgent request from the executive’s account for an action the executive would not normally request by email (wire transfer, ticket purchase, personal data provision)
- A slightly incorrect sender address (gareth.dean@company-name.com vs gareth.dean@company-nameuk.com)
- A request to keep the communication confidential from other team members
- A change to a payment account or banking detail in an otherwise routine email
Any instruction from the executive that involves a financial transaction or sensitive information disclosure should be confirmed by voice with the executive directly, on a number the PA already holds – not by replying to the email, and not on a number supplied in the email. This is standard BEC prevention guidance from the National Fraud Intelligence Bureau (NFIB) and the NCSC.
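The indicators above can be checked mechanically before a PA ever reads the message. The following is an added example, not code from the original page or from CloseProtectionHire: it parses a raw email, flags a look-alike sender domain (including the "company-nameuk.com" style from the list above and common character substitutions), a Reply-To that diverges from the From address, an executive display name on an external address, and urgency, financial and secrecy language in the body. The trusted domain, the executive's name and both sample messages are constructed for illustration.

```python
"""Header and content checks for suspected executive-impersonation (BEC) email.

Added example, not code from the original page. The organisation's trusted
domain, the executive's name and both sample messages are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

TRUSTED_DOMAINS = {"company-name.com"}   # assumed: the organisation's real mail domain
EXECUTIVE_NAMES = {"gareth dean"}        # assumed: the principal's display name, lower-cased

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|within the hour)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|payment|invoice|bank(ing)?|iban|sort code|gift cards?)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|do not (tell|discuss|mention))\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions (0/o, 1/l, rn/m) so they compare equal."""
    return domain.lower().replace("0", "o").replace("1", "l").replace("rn", "m")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str, trusted: set) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        label = t.split(".")[0]   # 'company-name': also catches 'company-name.com.evil.net'
        if label in domain or edit_distance(normalise(domain), normalise(t)) <= 2:
            return t
    return None


def assess(raw: str) -> dict:
    """Score one raw message; 'findings' lists the BEC indicators that fired."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    imitated = lookalike_of(from_domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"sender domain '{from_domain}' imitates '{imitated}'")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' is the executive but the address is external")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + msg.get("Subject", "")
    if URGENCY.search(text):
        findings.append("urgency language")
    if FINANCIAL.search(text):
        findings.append("financial instruction")
    if SECRECY.search(text):
        findings.append("request for secrecy")
    # Two or more indicators: hold the request and confirm by voice on a known number.
    return {"from": from_addr, "findings": findings, "verify_by_phone": len(findings) >= 2}


# Constructed sample messages (not real traffic).
SUSPECT = """\
From: Gareth Dean <gareth.dean@company-nameuk.com>
Reply-To: gareth.dean@company-nameuk.com
To: pa@company-name.com
Subject: Urgent - supplier payment
Content-Type: text/plain; charset="utf-8"

Need you to arrange a wire transfer to the new supplier account today.
Keep this between us until the deal is announced.
"""

LEGIT = """\
From: Travel Desk <travel@company-name.com>
To: pa@company-name.com
Subject: Itinerary confirmation
Content-Type: text/plain; charset="utf-8"

Attached is the draft itinerary for the Geneva trip. Please review.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, assess(raw))
```

The text rules are deliberately coarse and will miss a well-written lure; their value is in forcing the callback protocol when several indicators coincide. A production filter would add the sender's SPF, DKIM and DMARC results from the Authentication-Results header alongside these checks.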
Physical security discipline
The PA’s security responsibilities extend beyond telephone and email. Physical security at the executive’s workspace involves:
Visitor management. A person who arrives at the executive’s floor claiming a reason to be there should be directed to reception for verification, not admitted on the strength of their explanation. This applies to contractors, couriers, and anyone else unfamiliar to the PA.
Document and device visibility. The executive’s diary, travel documents, and personal correspondence should not be left visible at the PA’s workstation in an open-plan area. A clean-desk approach at the PA’s desk, and screen orientation that does not expose the diary to passing observation, is the practical standard.
After-hours access requests. A call or visit requesting after-hours access to the executive’s office or documents should be verified with the executive or security manager before any action is taken, regardless of the claimed identity.
Tailgating prevention. A PA who holds access to a secure area (the executive suite, a confidential meeting room, a server room) should not hold the door for individuals who do not have their own access credential. This is a physical social engineering attack – following a trusted credential holder through an access-controlled door. The response is not impolite refusal – it is asking the individual to badge in independently.
Travel information security
Travel information is the highest-value schedule intelligence for anyone planning to approach or intercept the executive. The PA’s handling of travel data should follow a defined protocol:
Confirmed travel itineraries should be communicated only to confirmed parties on the executive’s authorised list. Ground transport providers receive only the information they need – arrival time and terminal, not the full itinerary. Hotels receive the booking without the purpose of the visit or the schedule of activities. Close protection teams receive the full information they need for operational planning; that information should be communicated by encrypted channel.
Itinerary documents should not be sent by unencrypted email to external parties. For executives with elevated threat profiles, itinerary communication to any external party should be by encrypted channel (Signal, ProtonMail, or a corporate secure messaging system).
Travel plan changes should be communicated to ground transport providers through a verification call to the confirmed provider number, not in response to a message claiming to be from the provider and requesting confirmation of arrangements. The confirmation call defeats an ambush or interception operation that depends on knowing the changed pick-up details.
Integration with the security programme
The PA’s role in the security programme should be explicit rather than assumed. For executives with a CP team or corporate security support:
The PA should know who the security manager is, how to contact the CP team, and what to report and when. An incident – a suspicious call, a vishing attempt, an unfamiliar contact asking for schedule information – should be reported through a defined channel, not stored as a private concern.
The PA should be included in threat briefings when the executive’s profile changes. A new controversy, a new country assignment, or a specific threat against the organisation all affect the PA’s operating environment. An uninformed PA who does not know the threat has changed cannot apply appropriate caution.
The PA’s security awareness training should be treated as a programme element with the same priority as the CP team’s operational briefing. The weakest link in a security programme designed around the executive is often the person who most consistently holds access to the executive’s movements.
For the corporate security awareness programme that the PA briefing sits within, see our employee security awareness training guide. For the insider threat framework relevant to trusted individuals with broad access, see our insider threat and corporate security guide. For the executive protection team structure that the PA interfaces with, see our executive protection team structure guide.
Sources
- CPNI: Social Engineering in the Corporate Environment, Centre for the Protection of National Infrastructure, 2023.
- NCSC: Business Email Compromise – Guidance and Prevention, National Cyber Security Centre, 2024.
- National Fraud Intelligence Bureau: BEC and Wire Fraud Report 2024, City of London Police.
- ASIS International: Executive Protection and Principal Security Awareness, 2024.
- Control Risks: Insider Threat and Social Engineering in Corporate Environments, 2024.
- UK Finance: Fraud Losses and Attack Methodologies Annual Report 2024.
Key takeaways
A PA's helpfulness instinct is the primary social engineering attack vector
The PA role requires prompt, courteous responses to requests. Social engineering attacks are designed to exploit this -- an urgent call from someone claiming to be the executive, a travel agency, or IT support is effective precisely because the PA's professional instinct is to respond helpfully. The security briefing must explicitly address this: the same helpfulness that makes a great PA also makes them a valuable target. The protective response is verification before compliance, not suspicion of everyone.
Schedule information is targeting intelligence and must be treated accordingly
Hotel names, arrival airports, departure times, and meeting addresses are the raw material for surveillance and approach operations. A PA who emails a full travel itinerary to an address that has not been verified, or reads out an airport arrival time to an unfamiliar caller, may have provided all the information a hostile actor needed. Schedule information should be shared only with confirmed, known parties -- verified by a method independent of the original request.
Callback verification defeats the majority of vishing attacks
A caller who provides a plausible identity and a phone number is not verified. A caller who can be reached on a number you already hold for that person is verified. The callback protocol -- 'I'll call you back on the number I have for you' -- defeats impersonation attacks that rely on the PA accepting the claimed identity without independent confirmation.
Physical access requests require the same verification standard as remote requests
A person who arrives at the office claiming to be a maintenance contractor, a delivery driver, or a colleague from another office and requesting access to the executive's area is making a physical social engineering attempt. The PA or front-of-house staff member who processes this request without verifying the identity through the building management or facilities desk has created a physical access vulnerability. The verification standard is the same whether the request is in person or remote.
The PA is part of the security programme, not separate from it
Executives whose security programme involves a CP team, a threat assessment, and travel security protocols but whose PA has received no security briefing have a significant gap in the system. The PA interacts with the principal's schedule, contacts, and location more consistently than any other individual in the security framework. Their inclusion in the briefing and the programme is a baseline requirement for the programme to function.