A Real Life Whaling Scam


“Is this Fred? Hi sweetheart, I have the five thousand dollars, I can send it to you immediately…”

“NO! STOP! Redeposit the money immediately and don’t answer any further calls from unknown numbers, that wasn’t me and I’m not ‘in trouble in Europe’ or anywhere else.”

With a simple phone call to me directly to confirm a request, my grandmother avoided being scammed for thousands of dollars. Of course she had already gone to the bank in a rush and taken the money out, but this one safeguard prevented what would have been a huge loss.

We all know not to click-through to login links within emails purporting to “ensure your account is up to date” or “prevent your account from being locked out,” right? Right. But these standard phishing lures have recently given way to more insidious (and possibly far more costly) “whaling” emails.

Whaling refers to a specific and targeted attack that abuses trust through the use of techniques including social engineering, email spoofing, and time-delimited requests. The process usually goes something like this:

  • Attacker learns corporate structure via public org charts or social engineering

  • Attacker may compromise email accounts for one or more executives using traditional phishing methods

  • Emails are sent (or spoofed) from an executive account to operations requesting an immediate, time-sensitive wire transfer

There are variables, such as whether the transfer purports to be to a known vendor, what the immediate need is, or whether previous similar email requests have been compromised to more closely emulate protocol.

Some would say that is the responsibility of IT to lock down servers and prevent these types of emails from getting through, but if an account is compromised through phishing or social engineering, there is not much that can be done to prevent internal emails.

Consensus says that internal training is the best bet for preventing unauthorized transfers. Like my grandma in the above example, ALL users with access or ability to transfer company funds should be trained to ALWAYS confirm via a phone call before committing any transactions requested via any digital medium.