Training, cyber hygiene and quick complaint: Pune police’s advisory on whale phishing attacks
The company that lost Rs 40 lakh contacted the cyber police within four hours of the incident, allowing the authorities to freeze and recover the entire amount.

In two separate whale phishing scams recently reported to the Pune city cyber police, one company lost Rs 40 lakh, while another lost Rs 1.9 crore.
The company that lost Rs 40 lakh contacted the cyber police within four hours of the incident, allowing the authorities to freeze and recover the entire amount. In contrast, the firm that lost Rs 1.9 crore took over two days to report the crime. By the time the police intervened, the money had already been transferred through more than 4,500 small transactions, leaving only around Rs 2,000 remaining in the account to which the funds had initially been transferred.
In an advisory issued for private companies after back-to-back major whale phishing attacks, the Pune city cyber police have once again stressed how critical it is to approach the cyber police immediately after a scam.
What are whale phishing attacks?
Under the umbrella term of social engineering scams, cyber criminals manipulate victims into doing something by exploiting social dynamics. In ‘whale phishing’ attacks, cyber criminals exploit the hierarchies in companies. In these cases, also known as ‘CEO frauds’, the cyber criminals generally target finance and accounts department officers while posing as the firm’s CEO or President. These scams are called ‘spear phishing’ or ‘whale phishing’ scams because they are targeted phishing attacks, in contrast to general phishing, in which an attempt is made to scam a large target group. The use of the term whale signifies the targeting of CEOs or CMDs and the finance and accounts handlers.
This fraud was fairly common in the US in the late 2010s. It is also possible that such scamsters may even manipulate staffers into divulging critical information, which can be far more damaging than loss of funds. Deputy Commissioner of Police Vivek Masal said, “The cyber frauds often use publicly available numbers of company employees and contact them posing as company heads. We all get anxious when our bosses call and this aspect is cleverly exploited by the cyber criminals in CEO frauds.”

“The callers use the display pictures (DPs) of CEOs on their messenger contact and say that they are in a meeting and should not be disturbed. These CEO impersonators say that these are their very private numbers, thus exploiting the hierarchy to create pressure to act further. These fraudsters then ask the finance or accounting officials to make large transfers on various pretexts and siphon money,” said DCP Masal.
Advisory by the cyber investigators
DCP Masal said an advisory has been issued for the private companies to avoid these scams. “The key for all companies to avoid falling prey to such scams is to adhere to basic cyber security hygiene. Not trusting unidentified communications, cross-checking every such fund transfer request, especially when it claims to be from the CEO. It has now become highly necessary that all the key officials in the companies are cyber aware, especially about their vulnerability in whale phishing scams, man-in-the-middle cyber attacks among others.”
The advisory highlights ‘awareness and training on identification’ of these attacks. Employees, especially the ones in key positions, should be trained to recognize signs of phishing, including emails and messages from suspicious numbers or addresses that ask for sensitive information or financial transactions.
The advisory further stresses ‘verification of requests through alternate channels’. It states that every payment request should be cross-verified with the person from whom it appears to come. Cyber fraudsters can also use similar-looking email addresses or hacked messenger accounts for issuing payment instructions. Employees should verify these directions through alternate communication methods such as a direct phone call or internal messaging platforms. Multi-factor authentication methods should be established for payments and sensitive information sharing.
The advisory seeks regular review of internal cyber protocols. “Today, the cyber criminals are using phone messenger for CEO scams. They might shift to another tactic in future. They are primarily targeting vulnerabilities and that is why security protocols should be reviewed on a regular basis.”
The advisory also seeks immediate communication to the police and the cyber helpline in case an entity falls prey to such a scam. Employees should know how to report phishing attempts, and a response team should be designated to quickly mitigate damage. “Only in the case of an immediate complaint can the siphoned amount be frozen before it is funneled to secondary mule accounts or is converted to difficult-to-trace cryptocurrency,” an officer said.
Major whale phishing cases in Pune
Since 2022, the Pune city and Pimpri Chinchwad police have together registered close to 15 cases of ‘whale phishing’. In one such case, Pune-headquartered global vaccine major Serum Institute of India was swindled of Rs 1 crore in 2022. In another case in January last year, a real estate company in Pune lost Rs 4 crore in a whale phishing attack.
In a case registered earlier this month, a city-based consultancy firm, which is part of a city-headquartered multinational group of companies, lost Rs 1.9 crore in a whale phishing attack. Cyber criminals, posing as the company director, messaged the firm’s accounts manager and asked him to make large fund transfers to fraudulent accounts, claiming they were for a new project the company had received.
In the latest case, a business analytics firm in Pune lost Rs 2.34 crore to cyber criminals who posed as the company’s Canada-based CEO and manipulated the firm’s accounts officials to transfer large sums on the pretext of business transactions.