ExecProtect is built to stop one of the simplest, but most dangerous, email threats in healthcare: display name spoofing. Instead of relying on malware or obvious fake links, these attacks borrow the name of a trusted person or department and try to get the recipient to act before they slow down and inspect the real sender address. ExecProtect lets an organization define which display names are protected and which sender addresses are allowed to use each one.
When a message arrives whose display name matches a protected name but whose sender address is not on that name's allowed list, it is quarantined before it reaches the inbox, and administrators are notified so they can review it. ExecProtect+ can also discover internal senders automatically from email traffic and add them as protected names, instead of relying exclusively on a manually maintained list. That makes impersonation protection scale with the organization as it grows.
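As an added illustration of the check described above (example code written for this page, not Paubox's implementation), the block below normalizes a display name, looks it up in a protected-name policy and quarantines mail whose sender address is not on that name's allow list. It also covers two tricks raised in the FAQ further down: a lookalike domain and a protected address planted inside the display name. The policy, names, addresses, domains and the traffic-learning helper are constructed assumptions.

```python
import email.utils
import re
import unicodedata

# Constructed example policy (an assumed shape, not ExecProtect's data model):
# protected display name -> sender addresses allowed to use that name.
PROTECTED_NAMES = {
    "Jane Doe": {"jane.doe@example-health.org", "jdoe@example-health.org"},
    "Accounts Payable": {"ap@example-health.org"},
}

# Titles and credentials that attackers add or drop to dodge exact-match lists.
_TITLES = {"dr", "mr", "mrs", "ms", "md", "rn", "phd", "cfo", "ceo"}

_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def normalize_name(raw: str) -> str:
    """Canonicalize a display name so trivial variants compare equal.

    Folds Unicode compatibility forms and case, reorders "Last, First",
    strips punctuation and titles, and collapses whitespace.
    """
    text = unicodedata.normalize("NFKC", raw).casefold()
    if "," in text:                      # "Doe, Jane" or "Jane Doe, MD"
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    tokens = [t for t in re.split(r"\W+", text) if t and t not in _TITLES]
    return " ".join(tokens)


def build_policy(protected: dict) -> dict:
    """Turn a human-maintained list into a normalized lookup table."""
    return {normalize_name(name): {a.casefold() for a in addrs}
            for name, addrs in protected.items()}


def learn_internal_senders(from_headers, internal_domains, policy=None) -> dict:
    """Extend a policy from observed internal traffic (a constructed approximation
    of automatic discovery): every display name seen sending from an internal
    domain becomes protected, with that address as an allowed sender."""
    policy = {k: set(v) for k, v in (policy or {}).items()}
    for header in from_headers:
        display, addr = email.utils.parseaddr(header)
        addr = addr.casefold()
        if display and addr.rpartition("@")[2] in internal_domains:
            policy.setdefault(normalize_name(display), set()).add(addr)
    return policy


def evaluate(from_header: str, policy: dict):
    """Return ('quarantine' | 'deliver', reason) for one From: header."""
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.casefold()
    if not display:
        return "deliver", "no display name to impersonate"
    # Trick 1: a protected address planted in the display name,
    # e.g. "jane.doe@example-health.org" <attacker@gmail.com>
    claimed = _ADDR_RE.search(display)
    if claimed:
        claimed = claimed.group(0).casefold()
        if claimed != addr and any(claimed in allowed for allowed in policy.values()):
            return "quarantine", f"display name claims {claimed} but sender is {addr}"
    # Trick 2: a protected name on an address that is not on its allow list
    # (a lookalike domain fails here because it is simply not on the list).
    allowed = policy.get(normalize_name(display))
    if allowed is None:
        return "deliver", "display name is not protected"
    if addr in allowed:
        return "deliver", f"{addr} is an allowed sender for {display!r}"
    return "quarantine", f"{display!r} is protected but {addr} is not an allowed sender"


# Constructed sample From: headers for a demonstration run.
SAMPLE_HEADERS = [
    'Jane Doe <jane.doe@example-health.org>',              # legitimate
    '"Doe, Jane" <jane.doe.1979@gmail.com>',               # free webmail, reordered name
    '"Dr. Jane Doe, MD" <jane.doe@example-heaIth.org>',    # lookalike domain (capital I)
    '"jane.doe@example-health.org" <attacker@gmail.com>',  # address planted in display name
    'Accounts Payable <ap-example-health@outlook.com>',     # department impersonation
    'Bob Smith <bob@gmail.com>',                            # unprotected name
    '<noreply@example-health.org>',                         # no display name
]


def run(policy=None):
    """Verdicts for SAMPLE_HEADERS under the given (or default) policy."""
    policy = policy or build_policy(PROTECTED_NAMES)
    return [evaluate(h, policy)[0] for h in SAMPLE_HEADERS]


if __name__ == "__main__":
    policy = build_policy(PROTECTED_NAMES)
    for header in SAMPLE_HEADERS:
        verdict, why = evaluate(header, policy)
        print(f"{verdict:10} {header}  ({why})")
```

Two caveats for anyone adapting this: only learn names from mail that is actually internal (for example, mail that passed SPF/DKIM alignment for your own domain, or that your own server originated), otherwise an attacker can poison the allow list; and the display name check is one layer, so it belongs alongside sender authentication rather than in place of it.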
Why former employees remain useful to attackers
Former employees remain useful to attackers because trust lasts long after access is revoked. A recognizable name still carries authority, context, and emotional weight inside a company, especially if that person was responsible for finance, HR, operations, clinical leadership, or executive decision-making. If the name alone can get someone to act, attackers do not need the real account. Fake messages work when they seem expected, urgent, and real.
According to a study from PLoS One, “Social networks are increasingly used in phishing attacks, but phishing by email remains the main risk in an organizational setting. This is due to the relative simplicity of designing and sending phishing emails and their potential to reach many individuals at the same time.”
People are more likely to reply quickly when a message is personalized and urgent, and less likely to be suspicious when it appears to come from inside their own organization. A former CFO can still make an invoice request feel authentic. Even after an HR leader has left, a request for a document can still feel routine. A former medical director can still make a request seem too urgent to put off.
Offboarding solves access, not identity abuse
Offboarding does not address the same problem as impersonation defense. Disabling accounts, revoking device access, changing passwords, and terminating rights stop the former employee from directly accessing the organization's systems. None of those steps prevents an attacker from sending a new email from a free webmail account or a compromised external account with the former employee's name in the display name.
That is the gap impersonators exploit. In a healthcare study published in JAMA Network Open covering 95 simulated campaigns and about 3 million emails, the median click rate was 14.2%. In another long-running experiment, only 17.9% of employees never clicked a simulated phishing email across 20 campaigns, and some clicked on more than one message. Attackers only need one credible moment, not continuous access to the real inbox.
Why the risk is especially serious in healthcare
Impersonation has a bigger impact on healthcare than on many other fields since the setting is fast-paced, stressful, and intimately related to patient care, privacy, and trust. Hospitals and health systems are frequent phishing targets, and one Journal of Medical Internet Research study warns that these attacks can be “impacting the quality of care and the safety of patients.”
A big reason is workload. A fake email that looks like it came from a billing manager, care coordinator, HR contact, or physician leader may arrive at exactly the wrong moment for someone to pause and inspect it carefully.
Why manual protection breaks down over time
A JAMIA study offers a sobering look at the limits of training: “We find that phishing click rates are alarmingly high, but generally improve with repeated simulated phishing campaigns. Importantly, the mandatory training program for employees who clicked on 5 or more simulated phishing campaigns itself did not have a meaningful impact on click rates—the ‘offenders’ remained more likely to click on phishing emails than nonoffenders did, with click rates between 10% and 25% post-training.”
Organizations hire, restructure, promote, merge teams, retire leaders, and add new systems that send on behalf of employees. If no one continually verifies names, aliases, departments, alternate senders, and automated workflows, a protection list that is correct when first put in place can become incomplete within weeks.
Paubox's own setup instructions show how hard this is: organizations may have to account for personal email addresses used for work communication, nicknames and name variants, and internal systems such as EHRs, CRMs, and document-signing platforms that send messages on behalf of employees. Every exception makes maintenance harder. Individual vigilance cannot close that gap either: click rates improve with repeated simulations, but only slowly, and substantial risk remains even after many rounds.
Why automation changes the equation
ExecProtect+ removes much of the burden of designing and updating protection by hand. Impersonation campaigns increasingly target ordinary employees and departments, not just executives, so a scalable defense has to grow with the company and keep up as communication habits change. Automation also makes coverage more consistent.
The system can maintain broad baseline coverage and let administrators focus on exceptions and review, instead of having to remember every new hire, nickname variant, or changing operational routine. Paubox's ExecProtect+ is designed to protect all employees, intercept fake messages from unauthorized senders, and simplify IT work. That protection is part of its larger inbound security stack, which also includes sender validation, link and attachment scanning, contextual analysis, and quarantine procedures.
See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)
FAQs
What is a business email compromise?
Business email compromise is a form of impersonation attack in which an attacker uses a trusted business identity to manipulate someone into sending money, sharing data, or changing account details.
How can you tell if an email is spoofed or impersonated?
Warning signs include mismatched sender addresses, unusual urgency, requests for secrecy, payment changes, login prompts, unexpected attachments, and language that feels slightly off from the real sender’s usual style.
Can spoofed emails pass basic security checks?
Yes. Some spoofed or impersonation emails can still look convincing enough to reach inboxes, especially when attackers use lookalike domains, compromised accounts, or display name tricks.