CEO Fraud and Whale Phishing - Six Tips to help you

18 January 2016

Whale phishing is linked to CEO Fraud: it targets a high-ranking executive in a specific company, and the attacker then impersonates that individual to commit a fraud. We've produced an overview of how it works, together with six ideas to help you protect yourself.


A typical example of CEO Fraud:


Ms Smith, CEO of Petrochem International and based in London, calls a finance officer, Mr Jones, in the Singapore office. Ms Smith states she’s currently on holiday, without access to her emails, and needs to make sure a payment is made urgently on a highly sensitive acquisition. Otherwise, says Ms Smith, the company will lose millions.


Pressure might be placed on Mr Jones, or alternatively he might be flattered by being told what an important part he is playing in this huge deal. He might be told to move quickly, to transfer the money in an unusual way, or simply to keep his actions secret until the deal is made public.


This is CEO Fraud. Common themes include giving reasons why someone should operate outside normal procedure: in this example, Ms Smith is on holiday, meaning that she cannot be contacted through her normal email or telephone, so the usual way of verifying the request is conveniently unavailable. In addition there is an urgent requirement for action and secrecy, with potentially serious financial consequences if Mr Jones doesn’t play his part. The fraudster has also picked out someone in a different part of the world: cultural differences and different working practices can be exploited in a well thought out fraud, as can targeting an office in a different branch of your organisational structure, where staff are less likely to know the executive personally.


This is where Whale Phishing comes in - the technique of gathering the information needed to carry out this fraud. Most of that information is easy to find; one tactic is collecting open source information, such as that held on commonly used social media sites like Facebook and LinkedIn (who the executives are, who reports to whom, and when they are travelling). Here are six easy tips to help you avoid becoming the ‘whale’.


  1. Choose your friends carefully! We all get invites to connect from people who we think we might have gone to school with but can’t quite remember, or who we gave a card to at a conference – but do you really know who someone is? A common method of finding personal information is through fake profiles: your privacy settings might be tight on Facebook, but your friends can probably still see everything. Make sure you know who you’re sharing with.
  2. What is your mother’s maiden name? It’s easy to find out personal details on social media. For example, you might not have listed your mother’s maiden name, but it’s not always difficult to work out your family connections with a different name. Similar information might be where you went to school, or the name of a favourite pet. When you’re asked to use security questions, try to use information that doesn’t exist online – make up your own questions if possible, and if not choose something that no-one else knows the answer to.
  3. You HAVE To See This! Number 4 Is Unbelievable! Be careful what you click on. Links in email are particularly risky and should always be approached with caution. If in doubt, leave it well alone. If you don’t know whether a link is legitimate, call the sender directly to check. Get into the habit of confirming that a link is genuine before clicking on it: hover over it to see where it really points, since the visible text and the real destination can differ. It’s easy to fake the look of a website – best practice is to use your own bookmarks or type in the web address rather than click on a link.
  4. Would you like us to remember your password? No, you wouldn’t. It might be convenient, but make sure you’re confident that your password is being stored securely. Use a separate password for everything, not just variations on one password. Also make sure that your passwords are long, complex and impossible to guess from your online data. It is hard to remember a lot of passwords, but keeping your personal and business details safe is worth the effort. Where it is an option, use two-factor authentication, and if you have a shared corporate account make sure that everyone has their own login and password.
  5. Delete this post? Delete doesn’t delete. You should treat anything you write online as permanent. Deleting Tweets, forum posts and Facebook information doesn’t necessarily remove all traces from search engine caches, archive sites and copies held elsewhere, and even if it does, other users may have already stored the information, shared it or taken note. Be sure before you post.
  6. Talk to your children. It’s not just you who knows when you’re on holiday or a business trip. Making sure that your children and family know how to stay safe online is essential in its own right but it can also reduce opportunities for fraud against you.


Specific Prevention Advice from NFIB about CEO Fraud:


  • Review internal procedures regarding how transactions are requested and approved, especially those in relation to verification.
  • Check email addresses and telephone numbers when transactions are requested. If in doubt, request clarification from an alternatively sourced email address or phone number – one you already hold, not one supplied in the request itself.
  • Don’t be afraid to question details when being tasked to transfer money at short notice. Ensure your staff know they should do this regardless of the circumstances without fear of censure.
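The NFIB advice to check the email address behind a payment request can be partly automated. The following is an added example (not the article's or NFIB's code) that triages an inbound message for the signals described above: an executive's display name arriving from a non-corporate domain, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and urgency or secrecy language. The corporate domain, executive names, keyword lists and both sample messages are constructed for the example; a real deployment would take them from the organisation's directory and tune the keywords.

```python
"""
Constructed example, added by the editor (not NFIB's or the original
article's code): triage an inbound payment request for the CEO-fraud
signals the article describes. The domains, names and messages are made up.
"""
import difflib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumed for this example: the organisation's real mail domain and the
# display names an impersonator is likely to borrow.
CORPORATE_DOMAIN = "petrochem-international.example"
EXECUTIVE_NAMES = {"ms smith", "jane smith"}

# Assumed keyword lists; tune these to your own mail flow.
URGENCY = ("urgent", "immediately", "today", "asap", "right away")
SECRECY = ("confidential", "keep this between", "tell no one",
           "do not discuss", "secret", "sensitive")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(domain: str, target: str, threshold: float = 0.8) -> bool:
    """True when `domain` is a near-miss of `target` (typo-squat, 1-for-l,
    extra hyphen) rather than an exact match or an unrelated name."""
    if not domain or domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= threshold


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts, decoding any transfer encoding."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("utf-8", "replace"))
    return " ".join(chunks)


def triage(raw_message: str) -> list[str]:
    """Return the CEO-fraud indicators found in one message; empty means none."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    # Normalise the display name so "Ms. Smith" and "Ms  Smith" both match.
    name = re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", from_name.lower())).strip()

    findings = []
    if name in EXECUTIVE_NAMES and from_dom != CORPORATE_DOMAIN:
        findings.append(f"executive display name '{from_name}' sent from non-corporate domain {from_dom}")
    if looks_like(from_dom, CORPORATE_DOMAIN):
        findings.append(f"sender domain {from_dom} is a look-alike of {CORPORATE_DOMAIN}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if any(word in text for word in URGENCY):
        findings.append("urgency language")
    if any(word in text for word in SECRECY):
        findings.append("secrecy language")
    return findings


# Constructed message modelled on the scenario in the article.
SUSPECT = """\
From: "Ms Smith" <ceo@petrochem-internationa1.example>
Reply-To: <ms.smith.travel@webmail.example>
To: jones@petrochem-international.example
Subject: Urgent and confidential - acquisition payment
Content-Type: text/plain; charset="utf-8"

Mr Jones, I am on holiday with no access to my normal email. A payment on
a highly sensitive acquisition must go out today or we lose millions.
Keep this between us until the deal is announced; bank details to follow.
"""

# Constructed routine message from the genuine executive address.
LEGIT = """\
From: "Ms Smith" <ceo@petrochem-international.example>
To: jones@petrochem-international.example
Subject: Q1 board pack
Content-Type: text/plain; charset="utf-8"

Mr Jones, please send the draft Q1 figures to finance by Friday as usual.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        hits = triage(raw)
        print(f"{label}: {'ESCALATE' if hits else 'ok'}")
        for hit in hits:
            print("  -", hit)
```

The check is deliberately a triage aid, not a verdict: the constructed suspect message trips all five indicators, while the routine message trips none, but a patient fraudster can avoid the keyword tests, which is why the NFIB's call-back on an independently sourced number remains the control that matters.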