
Shooting for the Biggest Fish: the rise of Whaling, and how to protect against it

“Hi, am stuck in a meeting, but please see attached instructions for a payment that was supposed to go out last week. It needs to be processed immediately; can you action? Thanks so much. Speak shortly.”

Even at top executive level, it’s an easy mistake to make: you receive an email from a trusted supplier, partner office abroad, or someone you know in your finance team. They’re asking you to give them a couple of pieces of company or personal details, to transfer some funds, or to click through to access a document. They sound like your contact, they know private details about you, and their request sounds perfectly legitimate. They might even have followed up their email with a phone call, or made contact on LinkedIn. It’s only when you’ve acted on their request that you realise: you’ve fallen victim to highly sophisticated cyber crime.

C-suite Targeting, or ‘Whaling’

This form of cyber fraud comes with a variety of names: C-suite Targeting, Business Email Compromise (BEC), CEO or Digital Invoice Fraud, or ‘Whaling’. Whatever the label, it’s a sophisticated form of phishing designed to trick a senior executive or budget holder into revealing sensitive information, transferring funds, or clicking on a malicious link or attachment.

Unlike standard phishing emails which get sent to millions of people willy-nilly, BEC attacks are cleverly crafted to target specific individuals, gather personal information about the recipient from online channels, and use sophisticated business terminology to make the email sound personal and credible. All of which makes them increasingly tricky to sniff out.

A growing problem

Relatively low effort and low-tech for the criminal (with significant rewards), C-Suite targeting is markedly on the rise, threatening organisations of all sizes and sectors. In 2019, the FBI put the financial cost of BEC crime over the previous 3 years at $26 billion worldwide. But 2020 has seen the problem spiral further: with COVID lockdown, increased reliance on digital transactions and widespread remote working there has been a surge in email-based cyber crime: one estimate puts the increase at more than 75% in Jan-Mar 2020 followed by an astonishing 200% jump in April and May, as isolated employees and dispersed offices revealed their vulnerability. Lloyds Banking Group reported that 8 out of 10 cyber attacks experienced by their commercial customers in the period January-April 2020 were cases of BEC fraud.

Needless to say, the impact of such an attack can be devastating - Pathé Netherlands lost €19 million after a cyber criminal posed as their French headquarters asking them to transfer millions for the acquisition of a company. Even if you’re not talking millions, the fall-out for both the company and the individual who actions the fraudulent request can be severe.

Be on the look-out

The good news is, despite the trickery of the fraudsters, there are tell-tale signs you can look out for to guard against falling for it. Suspicions should be raised by urgency in the wording of the email, uncharacteristic or unnecessary references to personal information, a slightly different tone to the one your contact would normally take, or an excuse given as to why the contact can’t ring (e.g. they’re stuck in a meeting or boarding a plane). If you’re at all suspicious, ring the contact purportedly emailing you, on a number you already hold rather than one given in the email, before taking any action (even just clicking a link). Also, check their email address – whaling emails often come from a very slightly mis-typed or spoofed address, one letter different from that of your real contact.
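The tell-tale signs above can be turned into a simple triage check that a finance or security team could run over inbound requests before anyone acts on them. The following is an added illustration written for this post, not Hexegic’s own tooling: it flags a sender address that is within a character or two of a known contact (the mis-typed or look-alike address), urgency or “can’t call” wording, and any request to move money. The trusted addresses, phrase list and sample messages are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed list of addresses the finance team genuinely deals with
# (hypothetical; not from the original post).
TRUSTED_SENDERS = {
    "cfo@example-finance.com",
    "accounts@supplier-example.co.uk",
}

# Wording the post singles out: urgency, and excuses for why the sender can't ring.
URGENCY_PHRASES = [
    "immediately", "urgent", "as soon as possible", "asap", "right away",
    "stuck in a meeting", "boarding a plane", "can't talk", "cannot call",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, trusted=TRUSTED_SENDERS) -> Optional[str]:
    """Return the trusted address this sender imitates (within 2 edits).

    Returns None both for an exactly trusted sender and for an address that
    is unrelated to any trusted contact.
    """
    sender = sender.lower()
    if sender in trusted:
        return None
    for t in trusted:
        if levenshtein(sender, t) <= 2:
            return t
    return None


def assess_email(sender: str, body: str) -> Dict:
    """Score one message on the post's tell-tale signs; returns reasons and a verdict."""
    reasons: List[str] = []
    text = body.lower()

    target = lookalike_of(sender)
    if target:
        reasons.append(f"sender {sender!r} is within two characters of trusted {target!r}")

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency / can't-call wording: " + ", ".join(hits))

    if re.search(r"\b(transfer|payment|wire|invoice)\b", text):
        reasons.append("requests a funds movement")

    score = len(reasons)
    verdict = "VERIFY BY PHONE" if score >= 2 else ("caution" if score else "ok")
    return {"score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples: the post's opening email from a look-alike address,
    # and a routine message from the real contact.
    samples = [
        ("cf0@example-finance.com",
         "Hi, am stuck in a meeting, but please see attached instructions for a "
         "payment that was supposed to go out last week. It needs to be processed "
         "immediately; can you action?"),
        ("cfo@example-finance.com",
         "Minutes from yesterday's board meeting attached."),
    ]
    for sender, body in samples:
        result = assess_email(sender, body)
        print(f"{sender}: {result['verdict']} ({result['score']})")
        for r in result["reasons"]:
            print("  -", r)
```

A message from a genuinely trusted address with no urgency wording scores "ok", while the look-alike sender plus "stuck in a meeting", "immediately" and a payment request scores three and is marked for phone verification. Note that a perfectly matching sender address is not a clean bill of health on its own: in a compromised-account BEC the address is real, which is why the wording and funds-movement checks still run regardless of the sender result.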

Arm yourself: education and planning

As an organisation, your best form of defence against BEC is to educate your C-Suite. Make sure they know what to look out for, and what to do if their suspicions are raised. At Hexegic we run Board-level Cyber Security Awareness Training specifically aimed at alerting your highest executives to the targeting and social engineering threats they personally face, and giving them the know-how to recognise and defuse them.

Secondly, you do need to accept, in the face of increasingly sophisticated whaling tactics, that even with the right awareness and training one of your C-Suite might fall for the fraudsters. To mitigate such a disaster, you need an effective Cyber Incident Response plan in place. Unfortunately, in most cases of BEC fraud, the police will simply direct you to Action Fraud, who have frustratingly limited means to investigate. As an organisation you need your own well-communicated checks and processes in place to action should the worst occur, helping you minimise the impact, maintain business continuity, avoid the heftiest regulatory fines, and learn from your experience.

To speak to the experts at Hexegic about Board-Level Awareness Training or Incident Response Planning give us a buzz on 0870 76 22 111 or email
