Pages Menu

3 tips to prevent ‘whaling’ – email scam that tricks business execs

Posted on Feb 21, 2016

A scam that looks so simple you would think staff won’t fall for it. But they can, and in many organisations, they have.

CEO and CFO targeted attacks are on the rise in 2016 – up 55% in the past few months.

Whaling is essentially another email scam to get money, but instead of infecting a computer with a virus or malware and holding your data to ransom, Whaling uses social engineering techniques to trick your business execs into giving it away.

How does it work?

Anyone can perform a simple online search to find out who the CEO and CFO are at most organisations. Armed with this information and using a technique called ‘spoofing’, an attacker will generate an email which appears to come from inside your organisation – more often than not, the attacker masquerades as the CEO.

The attacker’s email (which can sound very convincing) is sent to the CFO or a senior member of the finance team and instructs the recipient that an urgent payment needs to be made.

The email might also end with ‘sent from my iPhone’ which can explain why the corporate email signature is missing. Human behaviour becomes part of the scenario because let’s face it, if you get an email from the CEO which says, “this wire transfer needs to be made immediately” your normal decision-making process could be affected. After all, this email is from the CEO!

You might think this all sounds so obvious and that your staff would never fall for it, however, large organisations such as Ubiquity have already lost millions to this type of attack.

What can you do?

While ensuring your anti-virus, anti-malware and email content filtering systems are up-to-date and well-managed is important, Whaling attacks circumvent these traditional defences as the email appears legitimate as it does not contain attachments or URL’s which would otherwise have caused the email to be blocked.

  • Awareness and e In particular, make sure your accounts, finance and executive teams are aware of this type of threat and what to look for.
  • Review your internal controls. For example, all payment requests and approvals sent by email should be verbally approved.
  • Email systems can be configured to notify users when responding to an email which has originated from outside of your organisation, for example, “This email contains external recipients.”

Technology is always improving and content filtering systems are blocking hundreds, thousands, tens of thousands, hundreds of thousands of emails daily which are identified Spam, Phishing, Virus, etc.

It’s the targeted attacks we need to be aware of as they rely on human error rather than breaking through your technology defences.

Jordan Jeffery is a director at Pitcher Partners Solutions. For more information see