Whale Phishing Fraud

As businesses and organisations become increasingly digital, they are more exposed than ever to cybercriminals, who use a range of tactics to deceive them and gain access to their funds. One particularly dangerous method is whale phishing, a form of attack that focuses on the "big fish": top decision-makers such as CEOs, CFOs and other executives who have access to sensitive company data and financial resources. As these attacks grow in sophistication and frequency, it is crucial to understand how they work.
What is whale phishing?
Whale phishing, also known as whaling, is a highly targeted form of phishing attack aimed at high-level executives within an organisation, such as CEOs, CFOs or other senior decision makers. The term "whale" refers to the attackers' focus on these "Big fish", as they are the ones who typically have access to sensitive company information or financial accounts.
Modus operandi:
In whale phishing attacks, cybercriminals invest significant time researching their targets. They gather information from publicly available sources like company websites, social media profiles or other public records. This allows them to craft highly personalised and convincing fraudulent messages, designed to look like legitimate communications.
These messages often appear to come from trusted sources, such as business partners, internal departments or legal counsel, making them seem authentic. The goal is to deceive the recipient into taking harmful actions, such as authorising large financial transfers, sharing confidential information or clicking on malicious links.
A common tactic in whale phishing is creating a sense of urgency. Attackers often pressure the target to act quickly, either by claiming that time is running out or that the action is critical for the company's success. They may also emphasise that the transaction is confidential and instruct the recipient not to discuss it with others. This combination of urgency and secrecy can lead the victim to make rushed decisions without proper verification.
Preventive measures:
To safeguard against whale phishing attacks, company executives must carefully verify any message that asks for money or sensitive data, whatever the channel (email, WhatsApp, Skype or a phone call). Cybercriminals often register domains or create addresses that closely resemble those of legitimate company officers, for example by swapping a letter for a similar-looking digit, adding a word, or placing the real company name in front of a domain they control. Always check the actual sender address, not just the display name, and confirm that the domain is exactly the company's official domain rather than one that merely resembles or contains it.
When handling large transfers or sensitive transactions, verify the request through a channel you already trust and obtained independently of the message itself, such as calling the apparent requester back on a number from the company directory or confirming with headquarters or the legal team. Adopting the email authentication protocols SPF, DKIM and DMARC on the company's own domain makes it much harder for attackers to spoof that domain to staff and partners, provided the DMARC policy is actually set to quarantine or reject rather than left in monitoring mode. Minimising public exposure of company leadership and internal details (organisation charts, travel plans, supplier relationships) further reduces the material attackers can use to make their messages convincing.
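The checks described in the two paragraphs above, as an added example that is not part of the original article: the sender's domain is compared against the company's official domain, the lookalike tricks mentioned (digit-for-letter swaps, typo-squats, the real domain embedded in another one, a spoofed display name) are flagged, and a DMARC TXT record is inspected to see whether it actually enforces. The company domain `example.com`, the From: headers and the DMARC records are all constructed for the example, and the confusable-character table is a small illustrative subset rather than a complete list. Standard library only, so it runs offline.

```python
"""Sender-domain and DMARC checks for suspected whaling email.

Added example, not code from the original article. All inputs below are
constructed; OFFICIAL_DOMAIN is a placeholder for the real company domain.
"""
from email.utils import parseaddr

OFFICIAL_DOMAIN = "example.com"  # constructed placeholder

# Small illustrative set of visually confusable substitutions (assumption: not
# exhaustive; production tooling should use a full confusables database).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s")]


def normalise(label: str) -> str:
    """Fold look-alike characters so that examp1e and exarnple both read example."""
    label = label.lower()
    for bad, good in CONFUSABLE_PAIRS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats such as examples.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Classify a From: header as match, subdomain, display-name-spoof,
    lookalike, unrelated or unparseable relative to the official domain."""
    official = official.lower()
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain == official:
        return "match"
    if domain.endswith("." + official):
        return "subdomain"           # genuine domain, but still verify the request itself
    if official in name.lower():
        return "display-name-spoof"  # "ceo@example.com" <attacker@...>: the visible name lies
    # example.com.attacker.net or example-com.net embed the real domain in another one
    if official in domain or official in domain.replace("-", "."):
        return "lookalike"
    official_name = official.split(".")[0]
    for label in domain.split("."):
        if (normalise(label) == normalise(official_name)
                or levenshtein(label, official_name) <= 1):
            return "lookalike"
    return "unrelated"


def parse_dmarc(txt_record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(txt_record: str) -> bool:
    """True only if spoofed mail is quarantined or rejected for all messages.
    p=none merely reports, and pct below 100 lets a share of spoofs through."""
    tags = parse_dmarc(txt_record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    return policy in ("quarantine", "reject") and tags.get("pct", "100") == "100"


if __name__ == "__main__":
    # Constructed From: headers illustrating each category.
    for header in ["CEO <ceo@example.com>", "CFO <cfo@mail.example.com>",
                   "CEO <ceo@examp1e.com>", "CEO <ceo@exarnple.com>",
                   "CEO <ceo@example.com.attacker.net>",
                   '"ceo@example.com" <attacker@gmail.com>',
                   "Partner <ap@partner-bank.com>"]:
        print(f"{classify_sender(header):20} {header}")
    # Constructed DMARC records: only the first one actually enforces.
    for record in ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                   "v=DMARC1; p=none; rua=mailto:dmarc@example.com"]:
        print(dmarc_enforcing(record), record)
```

A "subdomain" result is not by itself suspicious, but the article's point still applies: the request should be verified through an independent channel regardless of how legitimate the address looks, since a compromised mailbox on the real domain passes every check above.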
Steps to take in case of whale phishing fraud:
If you fall victim to whale phishing fraud, act without delay: notify your bank immediately so that it can attempt to stop or recall the transfer, preserve the original messages and headers as evidence, and report the incident to the nearest police station. A complaint should also be filed through the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) or by calling the cybercrime helpline at 1930.