Whale phishing scam explained: How it works and tips to protect yourself

In a recent case of cyber fraud, the human resources (HR) manager of a US-based IT company was tricked into purchasing Apple gift cards worth Rs 10 lakh. Cybercriminals, impersonating the company’s CEO, managed to deceive the HR manager into believing the purchases were necessary as gifts for all employees, The Indian Express reported. 

The scam, known as a ‘whale phishing’ attack, led to an investigation after the HR manager reported the incident to Paud police station under Pune Rural police jurisdiction.

How was the whale phishing attack carried out?

The fraudulent activity began when the HR manager received a WhatsApp message from an unknown number with a US country code earlier this year. The sender claimed to be the CEO of the firm, and the message included a profile picture of the CEO, making it appear legitimate. The message explained that the CEO was busy on a conference call and did not want to be disturbed, instructing the HR manager to purchase Apple gift cards worth Rs 5,000 each for the company’s employees via Amazon.

Trusting the message, the HR manager bought 100 gift vouchers and informed the sender of the completed purchase. The scammer then requested that another 100 cards be bought and sent to the email address provided. The HR manager complied, consulting with a senior company official based in India. However, suspicion arose when the senior officer inquired about how the gift cards were delivered, and the HR manager revealed the email address to which they were sent. 

It became evident that cybercriminals had used a fake number and email address to impersonate the CEO. Upon realising the scam, the HR manager approached the police, leading to an FIR being registered. Authorities have since launched an investigation into the phone numbers and email addresses involved in the scam, the national daily added.

Pune City, a whale phishing hotspot?

Pune City has seen an increase in whale phishing attacks, with around 10 such cases reported since July of last year. Notably, global vaccine producer Serum Institute of India fell victim to a similar scam, losing Rs 1 crore. Another case in February saw a real estate company duped of Rs 4 crore.

What is a whale phishing scam?

A whale phishing scam, also known as whaling, is a sophisticated type of phishing attack that targets high-profile individuals within an organisation, such as executives, CEOs, or other senior leaders. These individuals are referred to as ‘whales’ because of their importance and the potential for significant financial gain if the scam is successful, much as a whale is the biggest catch in the sea.

In this type of scam, attackers craft personalised and convincing emails or messages to deceive the target into revealing sensitive information, approving large financial transactions, or granting access to confidential data. Scammers conduct thorough research on their targets, incorporating specific details about the person’s role, colleagues, or business operations to make their communications seem legitimate.

Because the targets are often key decision-makers within an organisation, the impact of a successful whale phishing attack can be devastating. It can lead to major financial losses, data breaches, or damage to the organisation’s reputation.

How does the scam work?

Whale phishing scams use social engineering techniques to manipulate the victim’s trust and create a false sense of urgency. The tactics typically include:

- Researching the target: Scammers gather detailed information about the target’s background, interests, and professional relationships to tailor the attack.

- Impersonating trusted individuals: They pose as well-known figures within the organisation, such as CEOs, board members, or even business partners, to make the scam appear credible.

- Sending convincing messages or calls: The scammer’s communication often appears urgent and legitimate, playing on specific concerns of the target. Scammers may use pressure tactics, fake documents, or fabricated situations to push the target into quick compliance.

- Exploiting vulnerabilities: Attackers may take advantage of current events, news, or internal matters within the company to make their requests seem more plausible.

How to protect yourself from whale phishing?

- Stay alert: Carefully examine any unexpected emails, messages, or requests, even if they seem to come from a familiar source.

- Verify the sender: Do not rely solely on the caller ID or email address. Always use known and official channels to confirm the legitimacy of a request.

- Watch out for pressure tactics: Scammers often create a false sense of urgency to rush you into making hasty decisions. Take your time to verify the situation before acting.

- Keep sensitive information private: Never share confidential information, such as login credentials or financial details, over email or phone without proper verification.

- Educate employees: Organisations should provide training on phishing awareness and cybersecurity best practices to ensure that staff can recognise and respond appropriately to potential threats.
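The tactics listed under “How does the scam work?” and the advice to verify the sender rather than trust the caller ID can be turned into a simple triage check that a help desk or mail gateway runs over inbound requests before anyone buys anything. The script below is an added example and not code from the article or from any company it mentions; the executive directory, company domain, home country code (+91) and the sample messages are all constructed for illustration, and the scoring threshold is an assumption to be tuned against real traffic. It flags a message when the display name claims to be an executive but the address on file does not match, when the channel is an outside domain or foreign number, and when the text combines do-not-disturb urgency with a gift card or transfer request, which is exactly the pattern of the Pune case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical company data, constructed for this example.
COMPANY_DOMAIN = "example-corp.test"
HOME_COUNTRY_CODE = "+91"
EXECUTIVES: Dict[str, str] = {
    "ravi mehta": "ravi.mehta@example-corp.test",   # fictional CEO
    "anita rao": "anita.rao@example-corp.test",     # fictional CFO
}

# Phrases that create urgency or discourage a call-back, as in the Pune case.
URGENCY_PATTERNS = [
    r"\bconference call\b",
    r"\bdo(?:n't| not) (?:want to be )?disturb",
    r"\burgent(?:ly)?\b",
    r"\bimmediately\b",
    r"\bright away\b",
]
# Phrases asking for untraceable or hard-to-reverse payment.
PAYMENT_PATTERNS = [
    r"\bgift ?cards?\b",
    r"\bvouchers?\b",
    r"\bwire transfer\b",
    r"\bsend (?:me )?the codes?\b",
]


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def hold_for_verification(self) -> bool:
        # Threshold chosen for this example; tune it against real message flow.
        return self.score >= 3


def _is_phone(address: str) -> bool:
    """True when the sender address looks like a phone number rather than an e-mail."""
    return re.fullmatch(r"\+?[\d\s\-()]+", address.strip()) is not None


def assess_message(sender_name: str, sender_address: str, body: str) -> Verdict:
    """Score one inbound message for executive-impersonation risk and explain why."""
    v = Verdict()
    name = sender_name.strip().lower()
    address = sender_address.strip().lower()
    official = EXECUTIVES.get(name)

    # 1. Display name claims to be an executive, but the address is not the one on file.
    if official is not None and address != official:
        v.score += 2
        v.reasons.append(f"name '{sender_name}' matches an executive but address differs from {official}")

    # 2. Channel check: foreign phone country code or e-mail domain outside the company.
    if _is_phone(address):
        digits = re.sub(r"[\s\-()]", "", address)
        if not digits.startswith(HOME_COUNTRY_CODE):
            v.score += 1
            v.reasons.append(f"phone number {sender_address} is not a {HOME_COUNTRY_CODE} number")
    elif "@" in address:
        domain = address.rsplit("@", 1)[1]
        if domain != COMPANY_DOMAIN:
            v.score += 1
            v.reasons.append(f"e-mail domain '{domain}' is outside {COMPANY_DOMAIN}")

    # 3. Content checks: do-not-disturb / urgency language and payment requests.
    if any(re.search(p, body, re.IGNORECASE) for p in URGENCY_PATTERNS):
        v.score += 1
        v.reasons.append("urgency or do-not-disturb language")
    if any(re.search(p, body, re.IGNORECASE) for p in PAYMENT_PATTERNS):
        v.score += 2
        v.reasons.append("request for gift cards / vouchers / transfer")
    return v


# Constructed sample messages modelled on the incident described in the article.
SCAM_TEXT = ("Hi, I'm on a conference call and don't want to be disturbed. "
             "Please buy Apple gift cards worth Rs 5,000 each for all employees "
             "via Amazon and send the codes to this email.")
LEGIT_TEXT = "Can we move Monday's budget review to 3 pm? Thanks."

if __name__ == "__main__":
    for who, addr, text in [("Ravi Mehta", "+1 555 010 0123", SCAM_TEXT),
                            ("Ravi Mehta", "ravi.mehta@example-corp.test", LEGIT_TEXT)]:
        verdict = assess_message(who, addr, text)
        print(addr, verdict.score, verdict.hold_for_verification, verdict.reasons)
```

A message that scores above the threshold should be parked until the request is confirmed through a channel already on file (the executive's known desk number or address), never by replying to the message itself; the `reasons` list gives the person doing that call-back a concrete thing to ask about.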