Protect Your Agency from Whaling (CEO Email) Scams

By on Jun 30, 2016

In the last issue of TechTips, “How To Protect Your Agency from Ransomware,” I talked about why the biggest cyber threat to your agency in 2016 may not be a data breach, but a ransomware attack. Be sure to read the comments, as there were several examples of agencies being compromised.

Another threat you need to pay attention to, and train your employees to recognize, is CEO fraud.

This type of email scam is known as business email compromise (BEC), CEO fraud or whaling. These emails are sent by criminals who impersonate an organization’s chief executive officer or some other high-ranking manager and instruct employees to initiate rogue wire transfers.

The number of companies that wired money as a result of these email scams has grown 270% since January 2015.

The latest, and perhaps the biggest, example is FACC, a supplier to Boeing and Airbus located in Austria. They fired the CEO, Walter Stephan, a few weeks ago due to errors made in connection with what it called a “president fraud incident,” according to CSO Australia.

The attackers tricked FACC financial controllers into wiring €52.8m (about $47 million) to fraudsters in what appears to be several transactions. The company was able to halt €10.9m of the funds at recipient banks, but said it didn’t expect to recover this in the near future. The fraud also left FACC with an operating loss of €23.4 million, compared with a €18.6 operating profit had the incident not occurred.

These impersonation and whaling attacks appear legitimate and trick CFOs, HR directors, sales teams and even CEOs into divulging sensitive data. And, they are on the rise. Part of the reason they are so successful is that there is no malware and no link to identify or analyze.

Don’t think this is just a big company problem.

Earlier this year an agency owner contacted me and included an email thread where he requested his bookkeeper to send a wire transfer for $19,550.78 for professional services expense to a bank account in Florida. There were several emails back and forth to confirm the transfer. The bookkeeper wired the money.

It was a whaling scam!

The agency owner only found out about the wire transfer when the bookkeeper came into his office to clarify the GL account to charge it to. Normally, wire transfers are like handing someone cash. Fortunately, the agency owner was able to take fast action and retrieve the money.

Software security vendors are scrambling to add protection for these types of attacks to their products. In one example, RPost added a new Anti-Whaling security feature to their product line. The RPost Anti-Whaling™ email technology is available in their RMail product for Microsoft Outlook (versions Outlook 2010, 2013, 2016) and Office 365 Outlook.

Before a recipient replies to or complies with a message, the RPost technology uses advanced algorithms to analyze message characteristics and patterns, and alerts the recipient if the message is likely to be an impostor email of this type.

So what can you do? Here are a few thoughts:

  1. Train your employees to question any request for money transfers to an unknown entity.
  2. Set up multi-factor authentication with your bank for any money transfers. You may also want to include a requirement of a voice confirmation from your bank. Make a phone call to confirm every transfer.
  3. Check with your email security/spam protection provider to find out if they have added any capability to flag suspicious whaling emails.
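The kind of flagging item 3 refers to can be illustrated with a few header checks. This is an added example, not code from the article or from any vendor; the domain `agency.example`, the executive names, the keyword list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example, not taken from the article: the agency's
# domain, its executives' names, and the payment vocabulary to watch for.
ORG_DOMAIN = "agency.example"
EXECUTIVES = {"pat owner", "lee controller"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|routing number|bank account)\b", re.I)

def domain_of(header_value):
    """Lowercase domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def whaling_flags(raw_message):
    """Return the reasons a message looks like a CEO-fraud email."""
    msg = message_from_string(raw_message)
    name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Assumes the agency's gateway writes this header and strips outside copies.
    auth = msg.get("Authentication-Results", "").lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if name in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.append("executive display name on an outside address")
    if from_dom == ORG_DOMAIN and "dmarc=pass" not in auth:
        flags.append("internal sender address without a DMARC pass")
    if reply_dom and reply_dom != from_dom:
        flags.append("replies go to a different domain")
    if flags and PAYMENT_TERMS.search(text):
        flags.append("asks for a money transfer")
    return flags

# Constructed sample messages (not real mail).
SPOOFED_INTERNAL = """\
From: "Lee Controller" <lee@agency.example>
Subject: Wire needed today
Authentication-Results: mx.agency.example; spf=fail; dmarc=fail

Please send the wire before 3pm. Details to follow.
"""
LOOKALIKE = """\
From: "Pat Owner" <pat.owner@mail.example>
Reply-To: pat.owner@payments.example
Subject: Professional services invoice

Please wire the payment to the bank account on the attached invoice.
"""
```

A payment request is only reported when a sender check has already failed, so ordinary vendor invoices that mention a wire are not flagged on wording alone.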

Knowledge is power. Being aware — and making your employees aware — of this issue will go a long way to protecting your organization.

What have you done to prevent whaling attacks in your organization? Leave a comment in the Comment Section below.


  1. One of our largest clients just received a wire transfer request from his controller for $45,000. The request was actually sent to the bank, but fortunately the info given to transfer the money was incomplete and the bank rejected it. After further investigation they figured out that it was fraudulent. The crazy part of it was they were able to make the email look like it was coming from his controller’s email address (not an outside email).

  2. Great article Steve! Over the years the tactics have definitely become more sophisticated. We get a few small phishing emails once in a blue moon, but I think every agency owner should have a set protocol for unusual requests, especially coming from a known source/business partner/client. Don’t be afraid to pick up the phone and verify. It’s the easiest and most effective. And communicate this to those parties in a manner that makes them feel comfortable about questioning requests, because at the end of the day you can’t completely control other parties’ email security. Only your own.
