One of this year’s most insidious spam and phishing campaigns targets the folks who have access to an organization’s most sensitive data: executives.

The attacks began with an early-summer flurry of malicious e-mails that were purported to be from the Internal Revenue Service and the Better Business Bureau. The messages   specifically targeted senior-level corporate executives with phishing scams.

The messages informed recipients their company was the subject of a formal complaint. The execs who got the messages were told to click on an attachment to view the purported complaint.

Clicking on the attachment launched a “Trojan” that installed itself on the recipient’s computer. This piece of malware was in fact a keystroke logger that would upload everything typed by the user to a third-party Web site.

The cybercriminals who launched the attacks used this to collect sensitive info like passwords and account info.

The messages were aimed at high-level executives –  CEOs, CFOs and COOs. The spammers put the targets’ individual names and the names of their companies into the messages.

The targets’ e-mail addresses were likely acquired by fishing for execs’ names on corporate Web sites. The spammers then blasted e-mails  to common formulations of e-mail addresses based on those names.

The lesson: Be careful what you post on your corporate Web site. Talk to your communications folks about keeping the info behind a firewall or at least requiring registration on your site to access the info.

Company execs need to be vigilant about clicking on any attachments or embedded links they get in e-mail — even if the messge seems to be coming from an official government agency, such as the IRS, or even a trade organization.

And if an e-mail message asks for confirmation of passwords or ID’s, it would be a good idea to check with IT first before taking any action.