What is whaling?
25 October 2020
Whaling is where a cybercriminal impersonates a senior member of staff and sends a communication under their guise. It’s similar to phishing but specifically targets senior people in the organisation – also called ‘CEO fraud’. This is usually via a work email, but could come via text or even over the phone.
The ‘whaling’ email is usually spoofed so it appears to come from a genuine email address. Or there may be a really minor change in the sender’s address, like the addition of a dot or dash.
Cybercriminals often use social engineering, monitoring social media to time their emails with when people are on holiday or out of the office.
A ‘whaling’ email might ask you, under the guise of a supplier or senior staff member, to urgently change the bank details of a creditor. This is known as mandate fraud. Often the pressure is piled on, asking the less senior member of staff to urgently provide information, make a payment, or hand over secure details.
Examples in local government
In 2017, a fraudster impersonating a local authority’s Deputy Chief Executive contacted a senior manager asking for an urgent payment for “copyright infringement”. The invoice sent asked for a payment of almost £12,000. The email address appeared to be from the Deputy Chief Executive’s work email address.
Fortunately the senior manager who was contacted had doubts about the request and spoke to the Deputy Chief Executive directly to confirm the payment. On discovering the attempted fraud, Veritau and the council’s ICT department were alerted.
Fake emails were traced to a server in Houston, Texas, and the bank account the fraudsters used was traced to a property in Oldham, Greater Manchester. Details were passed to the police.
Many organisations haven’t been so fortunate. The National Fraud Intelligence Bureau estimates that £32 million has been lost in the UK through this type of fraud.
Last year, another council in Yorkshire was targeted by a sophisticated attack which combined mandate fraud with email interception and impersonation of the legitimate creditor.
The fraudster is suspected to have monitored emails between the council and third party suppliers. They then used the genuine email chain to lend legitimacy to their request for a change in bank account details, which was timed to coincide with an invoice which had been received from the genuine supplier. £16k was lost.
- Look closely at email addresses to check if anything looks unusual
- Always review invoices or payment requests for inconsistencies and error – don’t assume something is genuine because it appears to have the correct branding
- Never allow yourself to be pressured into bypassing agreed verification processes and internal controls
- Look out for spelling and grammar mistakes, or anything else unusual
- Treat unusual requests for payments extremely cautiously
- Never assume that a request is safe because a colleague trusts the source
- Make sure that your passwords are secure, so your account can’t be hacked and let a fraudster impersonate you
For more information, visit the National Cyber Security Centre
View infographic as PDF
Whaling infographic PDF (opens in new tab)