The Better Business Bureau and law enforcement officials are warning businesses about a new internet crime underway called the whaling scam, which specifically targets senior management who have complete access to sensitive data or company money.
These attacks on management are sometimes called whaling, in reference to the “big fish” targets. The goal is to steal sensitive information such as financial data, personal details about employees, or money from the company by duping high-level employees online.
By targeting lower-level employees, scammers can gain general access to a business's inner workings. But by targeting high-level executives – also known as the “big fish” – scammers can gain complete top-down access to all of a business’s operations.
“We believe there has been a recent uptick in whaling scams aimed at businesses, and we want to warn companies to alert their employees about this potential fraud,” said Katherine Hutt, national spokesperson for the Better Business Bureau.
Whaling Scam Is Similar to Phishing Scam
The whaling scam is a twist of the typical phishing scam, Hutt noted.
“It uses the name of a high-level executive to fool employees into doing something that they most likely would never do if a stranger asked them,” she said. “So employee education is the key to stopping this scam.”
Phishing scams generally impersonate a company, government agency, or well-known brand and use fear and intimidation to get the target to act before thinking it through, Hutt explained.
“Whaling impersonates an individual that the victim knows and wants to please,” Hutt said. “Fear and intimidation may play a factor, but mostly the targeted employees want to do a good job and help out their boss or company CEO.”
A related internet crime is the CEO impersonation scam, where the con artist reaches out to high-level employees who can pay a large bill or provide wide-sweeping information, according to the Better Business Bureau.
With the CEO impersonation scam, the scammer pretends to be the CEO or CFO to give the request legitimacy and urgency, Hutt explained.
“The request will often be for a large money transfer via wire, which is non-recoverable,” Hutt said. “Scammers can often make their requests more plausible by using details gotten by researching the company or hacking emails.”
Recent Cases of the Whaling Scam
Detective Tim Lohman, who investigates forgery, fraud and financial crimes in Southern California, has handled several recent cases involving the whaling scam.
The most recent case involved an employee who received an email from an imposter who the employee thought was the CEO of the company.
“The email basically said I need you to do me a favor,” Detective Lohman explained. The email, from the supposed CEO, went on to state that he’d be in meetings all day, and not available by phone.
“In this case, the scammer was trying to give a reason why he wouldn’t be able to get on the phone and wanted to do everything by email – that’s because it was fake,” Detective Lohman said.
The scammer told the employee, via email, to go to the store to purchase Apple gift cards. More specifically, the employee was asked to purchase $1,600 worth of gift cards.
This employee, not knowing the email was from a scammer, went to the Apple store, “but Apple is aware of this scam, and told the employee you can only get $500 at a time and that it sounded like a scam,” Detective Lohman recalled.
However, the employee, still believing the request was legitimate, produced two more credit cards to charge the additional amounts.
“So what ended up happening, the employee still ended up getting the requested amount of gift cards that the scammer was asking for, even though they were warned by the store that this was a scam,” Detective Lohman said.
To make matters worse, the employee charged the first transaction to a corporate card and the remaining two to her own personal cards.
“This was a fairly new employee, so she wasn’t aware of how things worked; she ended up emailing all the gift card numbers to the scammer who she thought was the CEO,” Detective Lohman said. “Once you read those numbers, the money is as good as gone. Once the scammer has those numbers, they can use those and offload those cards.”
How do these scammers know who to target at the company, like the treasurer or whoever has access to the company’s money?
“It’s simple nowadays,” Detective Lohman said. “You can go on Google and get company names and emails. And they’ll send an email to that employee with hopes that they will follow through.”
Spoofing the Email of a CEO
The reason emails from whaling scammers look legitimate at first glance is that they appear to come from the company’s CEO or another senior executive: the message carries the executive’s real name, and often an address on the company’s own internet domain or a close lookalike of it.
“They’ll spoof it so the name of the CEO and the related email address looks legit,” Detective Lohman explained.
Other specifics in the scammer’s request are also designed to look legit.
In one recent case, for instance (the company and employee are not named here to protect their privacy), an employee at a tax services company received an email from what appeared to be the company’s CEO.
The scammer noted specific details of the wire money transfer requested, including the wire transit number, the name of the related bank and address, the account number, account holder’s name, and what the payment was for. The scammer ended the email by stating: “Get back to me with the confirmation once you are done with the wire.”
One way to check whether the sender really is the company’s CEO is to hover over the sender’s name in the email client, which reveals the actual address behind the display name. The display name is free text the sender chooses, so “Jane Doe” can sit on top of any mailbox; only the address underneath says anything about where the message came from, and even that address can be forged.
But if the recipient doesn’t look first and hits “reply” out of instinct, the answer goes wherever the message’s Reply-To header points, which the scammer controls. “It’s going to go back to the hacker because that email is being spoofed,” Detective Lohman warned.
Another way to tell whether a request is legitimate is to check the language of the email. If it is riddled with grammatical or spelling errors, it is likely from a scammer.
Additionally, “look for things like the words ‘kindly’ or ‘regards’ at the end of the email that appear before the supposed CEO’s name,” Detective Lohman advised. “Also, check to see if there’s some sort of urgency in the email like you need to do this right now or as soon as possible.”
In one recent case, the employee receiving the scammer’s email had the opportunity to communicate with the actual boss directly to verify the request.
“His boss told him, ‘I never write regards,’” Detective Lohman said.
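The checks described above can be automated as a first-pass triage on a suspicious message: compare the display name against the address underneath it, flag an address outside the company domain, flag a Reply-To that differs from the From address (which is why hitting reply reaches the scammer), and look for the textual tells the detective lists (the “in meetings all day” excuse, urgency, gift cards or wire transfers, “kindly”, and “Regards” right before the boss’s name). The script below is an added example, not code from the article, the BBB or any vendor; the company domain example.com, the executive directory, the lookalike domain examp1e.com and both messages are constructed for illustration.

```python
"""Triage checks for a suspected CEO-impersonation ("whaling") email.

Added example; not code from the article, the BBB, or any vendor. The company
domain, the executive directory and both messages below are constructed.
"""
from __future__ import annotations

import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical organisation data (assumption, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # lower-cased display name -> real mailbox

# Textual tells quoted by the detective in the article.
PHONE_EXCUSE = re.compile(r"\b(in\s+(?:a\s+)?meetings?\s+all\s+day|not\s+available\s+by\s+phone|can'?t\s+talk)\b", re.I)
URGENCY = re.compile(r"\b(right\s+now|asap|as\s+soon\s+as\s+possible|immediately|urgent(?:ly)?)\b", re.I)
PAYMENT = re.compile(r"\b(gift\s?cards?|wire(?:\s+transfer)?|prepaid\s+(?:debit\s+)?cards?)\b", re.I)
KINDLY = re.compile(r"\bkindly\b", re.I)


def _body_text(msg) -> str:
    """Return the plain-text body, whether or not the message is multipart."""
    part = msg.get_body(preferencelist=("plain",)) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""


def analyze(raw_message: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing looked off."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings: list[tuple[str, str]] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""
    claimed = display_name.strip().lower()

    # What "hovering over the sender" reveals: the display name says CEO,
    # but the address underneath is not the CEO's directory mailbox.
    if claimed in EXECUTIVES and from_addr != EXECUTIVES[claimed]:
        findings.append(("display-name-mismatch",
                         f"'{display_name}' sent from {from_addr}, not {EXECUTIVES[claimed]}"))
    if from_domain != COMPANY_DOMAIN:
        findings.append(("external-domain", f"sender domain is '{from_domain}'"))

    # Why "Reply" goes back to the scammer: a Reply-To header overrides From.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr:
        findings.append(("reply-to-differs", f"replies would go to {reply_to}"))

    body = _body_text(msg)
    for code, pattern in (("phone-excuse", PHONE_EXCUSE), ("urgency", URGENCY),
                          ("payment-method", PAYMENT), ("kindly", KINDLY)):
        match = pattern.search(body)
        if match:
            findings.append((code, f"matched '{match.group(0)}'"))

    # "Regards" on the line immediately before the executive's name.
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if len(lines) >= 2 and lines[-1].lower() in EXECUTIVES and "regards" in lines[-2].lower():
        findings.append(("regards-closer", f"'{lines[-2]}' precedes '{lines[-1]}'"))
    return findings


# Constructed scam message: lookalike domain examp1e.com, Reply-To elsewhere.
SCAM = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.office@mail.example.net
To: alex@example.com
Subject: Favor
Content-Type: text/plain; charset="utf-8"

Hi Alex,

I need you to do me a favor. I am in meetings all day and not available by
phone, so kindly handle this by email. Pick up $1,600 in Apple gift cards
as soon as possible and send me the card numbers.

Regards
Jane Doe
"""

# Constructed legitimate message for contrast.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: alex@example.com
Subject: Q3 headcount
Content-Type: text/plain; charset="utf-8"

Alex, could you send me the Q3 headcount report when it is ready? Thanks.

Jane Doe
"""

if __name__ == "__main__":
    for code, detail in analyze(SCAM):
        print(f"{code:22} {detail}")
    print("legitimate message findings:", analyze(LEGIT))
```

The header checks are the ones worth trusting most: the display name and the From address are both under the sender’s control, so a clean-looking From line proves nothing on its own, while a Reply-To that points somewhere else is hard to explain innocently. The keyword patterns only score the tells the detective describes and will miss a scammer who writes carefully, so treat them as a prompt to verify by a new email to the directory address or a phone call, not as a verdict.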
Verification Can Help Employees Avoid Whaling Scam
An easy way around the whaling scam is verification, Detective Lohman emphasized. Of course, the best way to verify the request is to talk to the CEO directly, in person or by phone. If this option isn’t available, Detective Lohman said to open up a new email, type in the CEO’s legitimate email address, and simply verify the request being made.
In other words, do not reply directly to the sender’s email, even if it looks like it’s legitimately coming from a boss.
“If you’re receiving an email from somebody requesting money or gift cards, open a new email, pull your boss’s address, and send a direct email to him or her,” Detective Lohman re-emphasized. “Do not hit reply, because once you’re in that email thread, you’re replying to the scammer, even though it says the boss’s name.”
Companies and employees not aware of the whaling scam can potentially lose hundreds of thousands of dollars – or worse, he said.
“I’ve had a dozen or more of these cases and they weren’t small – I had one for $285,000 and one for $1.3 million. That’s not chump change,” Detective Lohman warned.
He added that if you’ve fallen victim to the whaling scam, no matter how much money was lost, it’s important to report it to the FBI’s Internet Crime Complaint Center.
“It’s always good to report it because maybe they weren’t successful with your company, but they could have been with another company using the same tactics,” Detective Lohman explained. “There are different ways to trace it. So I would recommend, especially when it comes to internet-type crimes, they contact the FBI and submit a complaint online.”
Educate Employees About the Whaling Scam to Avoid Falling Victim
Employers should make sure to train employees about how to spot business scams, the Better Business Bureau advises.
BBB’s 5 Steps to Better Business Cybersecurity is a good place to start.
“Employees who get an unusual request should double check it,” Hutt said.
In the case of whaling, check with a supervisor or other person who can authorize the transaction, she advised.
“Don’t use your own money to purchase company supplies unless you are familiar with the reimbursement policy and have followed all procedures,” Hutt said. “In general, be wary of anyone who asks you to pay through a wire transfer, gift card, or prepaid debit card.”
Tips to Prevent and Prepare for Potential Whaling Attacks
The Better Business Bureau offered the following tips to help keep people from falling for the whaling scam:
Be wary of short, generic messages. Scammers won’t write a long email; they’ll try to pass off something short and generic as harmless, hoping you’ll click quickly without thinking.
Double check before clicking or downloading. A mouse click is all it takes to inadvertently grant access to your computer, accounts, and information, or unleash malware on your systems.
Think about how you share. Never send sensitive, personal, or proprietary information via email regardless of who's asking you for it.
Watch out for emails to groups. Sending an email "from the CEO" to a staff or employee email list is the fastest way for a scammer to attack and affect an entire business.
Set up processes. Make sure your company has a procedure for all requests involving sensitive information or payments, and make sure that procedure is followed. For particularly wide-reaching requests or large payments, require employees to check with their manager first.