Our digital presence is growing, but so are the cyber threats we face. Recently, thousands of individuals have fallen victim to online scams that cost them their fortunes. The scammers are bringing new ways to dupe people and their tricks are not limited to liking YouTube videos or offering fake part-time jobs. These methods may fool some people, but to steal crores from companies, scammers are using more sophisticated and well-planned strategies. One such strategy is Whale Phishing, through which scammers managed to steal around Rs 4 crore from a Pune based firm.
The case was brought to light by a senior accounts officer from a real estate company in Pune who lost around Rs 4 crore after receiving messages from an unknown individual. According to The Indian Express, the officer got a message from an unknown number on January 25, claiming to be the Chairperson and Managing Director (CMD) of the company. The message said that the CMD was busy in a meeting and asked the officer to do a Real Time Gross Settlement (RTGS) transfer of Rs 60 lakh to a given account. Thinking it to be a legit call, the finance officer followed the instructions and sent the Unique Transaction Reference (UTR) number to the fake CMD.
The fraudsters then continued to demand more money from the officer over the next few days, pretending to be the CMD. On January 26, they asked for the company’s bank account details and told the officer to transfer Rs 27 lakh, Rs 50 lakh, and Rs 40 lakh. The officer made 14 more transfers in the next four days, adding up to more than Rs 2.2 crores. In total, the officer did 18 transfers, amounting to Rs 4.06 crores. During all this time, the fraudsters did not answer any calls from the officer and assured him via text that everything would be sorted out later.
However, the officer realised that he had been cheated when he spoke to the real CMD, who had returned from a foreign trip, and found out that he had not authorised any such transactions from his company. The Finance office then filed a complaint with the Pune City police and an FIR was registered.
What is Whale Phishing
So what happened and how the scammers managed to loot the company?
Well, the above case is a suspected case of whale phishing or CEO scam, a type of cybercrime that targets senior executives or other influential people in an organisation. The term Whale Phising is used because Whales are large marine mammals known for their size and value. Similarly, scmmers in such scams target individuals who hold high positions within an organisation and have greater access to sensitive information or financial resources, making them “valuable catches”.
In such scams, online criminals trick the senior executive into revealing sensitive information or transferring money to the attackers. To achieve this, they conduct extensive research on their target and their organisation, using online sources, social media, professional networks, or even data breaches to collect information. They then use this information to create a convincing message that mimics the style and tone of the person they are pretending to be.
The message usually asks the target to do something urgently or confidentially, such as:
- Click on a link that leads to a malicious website or downloads malware.
- Open an attachment that infects the target’s computer with malware.
- Provide sensitive information, such as financial data or business secrets.
- Approve a financial transaction, such as a wire transfer, to a fake account.
How to stay safe
In such cases, the target often does not realise they are being scammed until it is too late. Whale phishing can cause significant losses and damages to the organisation and the individual. Here are some safety tips to protect yourself from any such scams.
- Be cautious of any unsolicited emails, texts, or phone calls, even if they appear to come from someone you know. Verify the sender’s identity through a separate channel before taking any action.
- Never click on suspicious links or open attachments from unknown senders.
- Be wary of requests for urgent action or confidential information. Legitimate requests will usually not involve pressure or secrecy.
- Report any suspicious activity to your IT department or security team.