Whaling - targeting the big fish

February 10, 2016

A scam that looks so simple you would think staff won't fall for it. But they can, and in many organisations, they have.

CEO and CFO targeted attacks are on the rise in 2016 - up 55% in the past few months.

Whaling is essentially another email scam to get money, but instead of infecting a computer with a virus or malware and holding your data to ransom, Whaling uses social engineering techniques to trick your business execs into giving it away. 

How does it work?

Anyone can perform a simple online search to find out who the CEO and CFO are at most organisations. Armed with this information and using a technique called 'spoofing', an attacker will generate an email which appears to come from inside your organisation - more often than not, the attacker masquerades as the CEO. 

The attacker's email (which can sound very convincing) is sent to the CFO or a senior member of the finance team and instructs the recipient that an urgent payment needs to be made. The email might also end with "sent from my iPhone", which explains away the missing corporate email signature. Human behaviour becomes part of the scenario because, let's face it, if you get an email from the CEO which says "this wire transfer needs to be made immediately", your normal decision-making process could be affected. After all, this email is from the CEO!

You might think this all sounds so obvious and that your staff would never fall for it, but large organisations such as Ubiquiti have already lost millions to this type of attack.

What can you do?

Keeping your Anti-Virus, Anti-Malware and Email Content Filtering systems up to date and well managed is important, but Whaling attacks circumvent these traditional defences: the email appears legitimate because it contains no attachments or URLs, which are what would otherwise have caused it to be blocked. What helps instead:

  • Awareness and Education. In particular, make sure your Accounts, Finance and Executive teams are aware of this type of threat and what to look for. 
  • Review your internal controls. For example, all payment requests and approvals sent by email should be verbally approved.
  • Technology. Email systems can be configured to notify users when an email has originated from outside of your organisation, or when they are replying to one, e.g. "This email contains external recipients".
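The "Technology" control above can be expressed as a simple mail-flow check. The following is an added example, not code from the original article or from Pitcher Partners: it assumes an internal domain of example.com, a small executive directory, and two constructed sample messages. It tags mail from outside the organisation with an [EXTERNAL] banner, flags a message whose display name matches a known executive but whose address is not that executive's, and notes urgent-payment wording so the finance team is prompted to obtain the verbal approval described in the controls bullet.

```python
import email
from email.utils import parseaddr

# Assumed internal mail domain and executive directory (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",  # assumed CEO
}
# Wording the article describes in whaling emails; used only to prompt human review.
URGENT_PAYMENT_TERMS = ("wire transfer", "urgent payment", "immediately")
EXTERNAL_BANNER = "[EXTERNAL] "


def assess_message(raw_message: str) -> dict:
    """Inspect the From, Subject and body of one message and return review flags."""
    msg = email.message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[1] if "@" in address else ""
    external = domain not in INTERNAL_DOMAINS

    # Display-name spoofing: a known executive's name on an address that is not theirs.
    known_address = EXECUTIVES.get(display_name.strip().lower())
    impersonates_executive = known_address is not None and address != known_address

    # Look for the urgent-payment language the scam relies on (non-multipart body assumed).
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    payment_language = any(term in text for term in URGENT_PAYMENT_TERMS)

    # Banner the subject so the recipient sees at a glance that the mail came from outside.
    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_BANNER):
        subject = EXTERNAL_BANNER + subject

    return {
        "external": external,
        "impersonates_executive": impersonates_executive,
        "payment_language": payment_language,
        # Matches the controls bullet: payment requests by email need verbal approval.
        "needs_verbal_approval": impersonates_executive or (external and payment_language),
        "subject": subject,
    }


# Constructed sample messages: one spoofed "CEO" request from a look-alike domain,
# one genuine internal message from the real executive address.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.com>
To: cfo@example.com
Subject: Urgent wire transfer

This wire transfer needs to be made immediately. Sent from my iPhone
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board pack

Please find the board pack attached for review before Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, assess_message(raw))
```

The check deliberately does not rely on attachments or links, which is why content filtering misses these emails; it keys on the two things the scam cannot hide, the sending domain and the executive's name in the display field.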

Technology is always improving, and content filtering systems block hundreds, thousands, tens of thousands or hundreds of thousands of emails daily that are identified as spam, phishing, viruses and so on.

It's the targeted attacks we need to be aware of as they rely on human error rather than breaking through your technology defences.
