My wife works for a non-profit company, so her work and mine seldom cross paths, but whaling and security management brought us together.
“Whale phishing” or “whaling” is a variation of “spear phishing.” A scammer sends fraudulent emails ostensibly from a known or trusted sender in order to get the targeted individuals to reveal confidential information such as bank accounts, credit card numbers, etc.
Spear phishing emails are sophisticated and often include actual business logos and look very official. They target individuals throughout an enterprise in an attempt to trawl for information. Whaling differs in that it targets upper management (CEO, CFO, etc.) with emails that appear to be peer-to-peer contact asking for a transfer of funds as payment for services rendered.
In my wife’s case, someone gathered enough information about her company’s contract to send an email to her client’s CFO requesting a wire transfer of $50,000 and provided the account information (routing number, bank account number) for the client to send the funds. The email appeared to have come from my wife’s boss: his name was in the “from” field, and the signature block carried his correct name, mailing address, phone number, and email address.
The CFO followed the email’s instructions and wired the money. A few weeks later the CFO received a follow-up email saying that something had gone wrong with the transfer and requesting that the CFO transfer $50,000 again. The CFO did as requested and sent the additional $50,000. Shortly after the client sent the second $50K, my wife’s firm sent its invoice. After not hearing from the client, my wife’s boss contacted the CFO for a status on the payment, only to be told that he had paid the claim six weeks earlier. This started a series of events that now involves a criminal investigation.
The CFO was duped by what appears to have been a very preventable scam, and there were several clues in the email:
- The email appeared to come from my wife’s boss, but when you hover the cursor over the “sender’s” name, an email address appears that matches neither the name nor the email address in the signature block.
- There were several misspelled words throughout the email.
- The email included the phrase “wire transfer.”
The CFO acknowledged that the emails looked “off” but transferred the funds anyway.
What the CFO could and should have done was to be more cautious, especially because the email requested a wire transfer. Because something didn’t seem right, at a minimum the CFO should have called the sender to check the email’s authenticity before sending the money.
As a basic security measure, all organizations should provide annual IT security training to their staff, and that training material should include a course on how to spot spear phishing and whaling. Had this CFO taken such a course, it’s doubtful they would have been defrauded of $100,000 by scammers and still owe my wife’s firm $50,000.
If the security of your company’s customers’ information is in any way compromised, it can cause you legal and commercial headaches. That’s why it’s vital for a company to have a prudent Information Security Management System (ISMS). And that’s where netlogx can help. We can guide your organization through your data-related challenges quickly and effectively.