New ‘Whaling’ scam has seen businesses lose millions of pounds

A new way to scam companies for potentially millions of pounds has come to light, and those working in the finance sector should be wary, so as to not be caught out.

The email scam has become known as ‘whaling’, because it goes after one large payout, rather than lots of small payouts as ‘phishing’ does.

The scam involves masquerading as someone with a high position in a company, and sending an email to an employee to make a payment, which then goes to the criminals.

In the past, the emails have been timed to coincide with the senior member being out of the office, so that it is much harder for communication between the employee and the person being imitated. This also gives more grounding for the request to make the payment, along the lines of the boss being out, and so cannot make a payment themselves, and therefore asking the employee to deal with the ‘urgent’ payment in their absence.

The emails are sent from addresses almost identical to that of the actual person who is being impersonated.

NCC Group was one such company target by the ‘whaling’ scam, but luckily managed to recognise it for what it was. The email was sent from the domain ‘nccgrrouptrust.com’, containing one extra ‘r’ than the legitimate domain used by the company. The company publicly discussed the incident in a blog post.

Another company, the US tech company Ubiquiti Networks supposedly lost $47million (£30million) to this type of scam.

Furthermore, it would seem that the scammers are not just targeting large businesses.

It’s becoming a big problem, especially for small companies that do not have the bodies to look into all the emails,” said Ben Johnson, the chief security strategist at Bit 9.

“The bad guys might only be after $100,000, but for a smaller company that’s a lot of money.”