Mind the whaling: Hackers impersonating CEOs to perform fraud

It is not only personal email accounts that are targeted by phishing scams: recently, a more sophisticated type of phishing message has been threatening CEOs, finance officers and information chiefs. With cyber threats infiltrating business environments so persistently, the need for companies to up their game in cybersecurity is more than evident.

Phishing emails, websites and phone calls are artifacts crafted by fraudsters aiming to steal money from someone. The ambition of cyber criminals, though, goes beyond mere ‘gmail’ account holders. Whaling is a form of business email compromise (BEC) in which criminals impersonate high-ranking business leaders, such as CEOs, CIOs and CFOs, to manoeuvre employees into making fraudulent payments or disclosing confidential information.

Whaling is sophisticated, clever and astonishingly expensive for companies exposed to it. The American Federal Bureau of Investigation (FBI) reported last year that there was a 270% increase in victims of such scams in one year and that it had cost companies more than $2.3 billion in losses over three years. The level of expertise of the hackers is so high that even prominent corporate institutions are falling for it. Whaling is, overall, a carefully thought-through process, and it succeeds in part because, in the busy environment of offices, little time is spent examining the validity of the email or its sender. For example, as seen in the picture below, hackers will register an email domain that looks like the targeted company's own and use the names of chiefs and managers to send messages to finance staff requesting that payments be made.

See below examples of how whaling claims its victims:

The multinational toy company Mattel Inc., famous for producing Barbie dolls, was also hit by Chinese whaling fraudsters, in 2015. In Mattel's case, the fraudsters took advantage of the fact that the company had a newly appointed CEO, Christopher Sinclair, who had been in office for less than a month. The finance executive in Los Angeles received a message that appeared to come from Sinclair, requesting a payment to vendors in China, a routine procedure within the offices. The payment was approved by two high-ranking managers and the protocol was double-checked. A few hours later, $3 million was already sitting in the Bank of Wenzhou.

One victim of whaling in Europe was the Austrian aerospace manufacturer FACC; the attack cost the company €50 million at the beginning of 2016. It took the form of an email which appeared, quite legitimately, to come from the CEO or a senior board member of the company. The message was addressed to the finance department and requested a money transfer out of the company.

There is no set way of preventing yourself from becoming a victim of whaling, since the practice is planned and calculated to pass as a normal transaction between company departments. The approach to take is to check financial transactions as thoroughly as you can and run them by other members of the team to confirm that the request is valid. As cases of hacks and frauds become more and more frequent, ensuring that transactions are done securely must be placed as a top priority in companies.
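One check that follows from the lookalike-domain trick described above, and from the advice to verify requests before paying: the added example below (not from the original article) classifies the From header of an inbound message against the company's real domain and a list of executive names, flagging domains that are a couple of typos away from the real one and executive names arriving from outside addresses. The domain, the executive names and the sample headers are all constructed for illustration.

```python
"""Triage inbound From headers for executive impersonation.

The company domain, executive names and sample headers below are
constructed for this illustration, not taken from any real incident.
"""
from email.utils import parseaddr
import re

COMPANY_DOMAIN = "example-corp.com"                 # constructed
EXECUTIVES = {"christopher sinclair", "jane doe"}   # constructed display names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Lower-case a display name and drop punctuation so 'C. Sinclair' style
    variants still compare cleanly against the executive list."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def classify_sender(from_header: str) -> str:
    """Return one of: internal, lookalike-domain, exec-name-external, external."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == COMPANY_DOMAIN:
        return "internal"
    # A domain within two edits of the real one (e.g. 'rn' for 'm'), or one
    # that merely embeds the real domain as a prefix/subdomain, is a lookalike.
    if domain and (edit_distance(domain, COMPANY_DOMAIN) <= 2
                   or COMPANY_DOMAIN in domain):
        return "lookalike-domain"
    # An executive's name on an address that is not ours is the classic
    # whaling pattern the article describes.
    if normalize(display) in EXECUTIVES:
        return "exec-name-external"
    return "external"


def triage(headers):
    """Map each constructed From header to its classification."""
    return {h: classify_sender(h) for h in headers}
```

A message classified as `lookalike-domain` or `exec-name-external` is exactly the kind of payment request that should be run past a second person before anything is approved.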

Online fraud and cyber-crime are the UK’s most common offences, and cases like whaling show that anyone can be a victim. Chief Constable Jeff Farrar, from the National Police Chiefs’ Council, said “the ability to commit crime online demonstrates the need for policing to adapt and transform to tackle these cyber challenges.”

New legislation such as PSD2 and GDPR is coming into force soon as a measure to counter cyber-crime and scams, and will require merchants and online payment processors to up their game regarding cyber security.