After one of our councils was targeted this month, we thought it was a good time for a reminder about whaling fraud, what it is, and how to avoid becoming a victim.
Whaling is where fraudsters impersonate a senior member of an organisation (the ‘whale’) and attempt to get a colleague to make an urgent payment. Email addresses are faked so communications at first glance appear genuine. Fraudsters will often monitor social media to time their emails when senior members of staff are out of the office making it harder for staff to verify the request.
Earlier this month an email was sent to a chief finance officer, purporting to be from a council director. The email asked for a payment to be made immediately to a Nationwide Building Society account. Thankfully the officer was vigilant and spotted that the email was not genuine.
This is not the first time that the council has suffered such an attack. Fortunately the council has not suffered a loss but many other organisations haven’t been so fortunate. The National Fraud Intelligence Bureau estimates that £32 million has been lost in the UK through this type of fraud. One company reported a single loss of £18.5 million.
In another case, a request was received by one of our member councils to pay nearly £12k for ‘copyright infringement’. The request was apparently made by a senior officer in the council however the recipient had doubts about the request and spoke to the senior officer personally to confirm the payment.
Once the attempted fraud was identified, Veritau and the council’s ICT department were alerted. Veritau traced the fake emails to a server in Houston, Texas. The bank account being used by the fraudsters was traced to a property in Oldham, Greater Manchester. All the details were passed to the police.
You can beat whaling fraud by:
- Always reviewing invoices to check for inconsistencies and error. Don’t assume an invoice is genuine just because it comes in on correctly headed paper.
- Treating unusual requests for payments extremely cautiously. Always try to speak to the person face to face or by phone, rather than relying on email.
- Asking the caller to give you a main switchboard number for you to be routed back to them, if you are concerned about the source of a phone call. Alternatively, hang up and call them back using established contact details.
- Looking closely at email addresses. If you are unsure then right click on the address and select Outlook Properties. If an email address has been spoofed then the actual email address will appear.
- If you have any doubts then please contact your IT team, or the fraud team on 0800 9179 247 or firstname.lastname@example.org.
For more information about whaling fraud and how to beat it, please see the advice from the National Cyber Security Centre.