Let’s pretend you knew that Greg Abbott’s personal email was [email protected] (it’s not as far as I know). You send him an official looking email from [email protected] (or whatever domain you’re willing to register, it just has to look relatively legit) telling him that his computer has been compromised by porn companies and that he needs to install a “cleaner” along with a link. He clicks the link and downloads something called “Cleaner.exe”. When he runs it, the program hoovers up all of his browsing history on that system and emails it back to you along with a snapshot of his emails or some other identifying information proving it’s him.

You could also install a keylogger that way and get into whatever he’s allowed in. In addition you could install a remote client, connect to it while he’s not using it, and gain access to any system he has access to.

Even better, you don’t necessarily have to do it to him. He has an administrative assistant, there are other office folks, and if he takes his computer home you could even get his wife or daughter (if she still lives at home, I really don’t know) and grab his data that way. It only takes one person.

You may also be able to get information from his family’s Facebook pages to better phish them.

Obviously I’ve left a few things out that make it seem more legit and given fake addresses, but with a few logical leaps someone could do that to all the top folks in Texas. It happens to companies all the time. There was an oil company where the CEO regularly got phished. So everyone in the company had to take extra training, except he exempted himself because his time was worth too much. Someone in the IT department leaked who was the cause of all the extra training. There was much wailing and gnashing of teeth. That company is no longer in business.