“Whaling” is a term you may not have encountered in connection with cybercrime. By now, everyone is aware of “phishing,” the social engineering crime in which scammers send emails purporting to come from a legitimate source in order to lure you into clicking on links that install malware or into sending them money directly. Phishing emails are often easy to spot: they may not address you by name, using a generic salutation such as “Dear Customer” instead, and they lack the kind of detail that would make the message look legitimate. “Spear phishing” is a more refined form of phishing in which the scammer has first gathered personal information about you, often through hacking of various websites and companies, so that the phony email appears more legitimate when it arrives. The latest criminal variation on this tactic is “whaling,” a type of spear phishing aimed at the big fish.
In January of 2016 I told you about Amechi Colvis Amuegbunam, a Nigerian in the United States on a student visa, being arrested and charged with wire fraud for scamming 17 Texas companies out of more than $600,000 through whaling. Amuegbunam sent emails that appeared to come from high-level company executives to lower-level employees who had the authority to wire funds on behalf of the company, requesting that funds be wired to bank accounts he controlled. The FBI has said that in the last two years 7,000 American companies have been swindled out of approximately $740 million using this technique.
Scammers who use whaling are sophisticated criminals who gather a great deal of personal information about the targeted companies and individuals before sending their whaling emails. They use this information to tailor the emails so that they appear legitimate. Often they gather much of it through social media such as Facebook, where people sometimes share too much personal information.
In the case of Amuegbunam, one of the emails he is alleged to have sent went to an executive at Luminant Corp, a Texas electric utility. Had the executive looked closely at the sender’s email address, he would have noticed that the name Luminant was misspelled so that it actually read “lumniant.” This is an easy misspelling to miss, which is why scammers register email addresses that, at a quick glance, appear to come from someone at the legitimate company rather than from a scammer. In this particular case, had the employee noticed that the sender’s address was not legitimate, it would have saved the company $98,550.
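The “lumniant” trick above is a near-miss of a trusted domain, and a mail gateway or ticketing script can catch it mechanically even when a busy employee does not. The following is an added example, not code from the original column or from any of the companies mentioned: it parses the From header of an incoming wire request, measures how far the sender’s domain is from a list of trusted domains (counting a swapped pair of letters as a single edit, so “lumniant” is one edit from “luminant”), and separately flags a message whose display name matches a known executive while the address belongs to an untrusted domain. The trusted-domain list, the executive list and the three sample messages are all constructed for illustration.

```python
"""Lookalike-sender triage for wire-request emails (added example, not from the original article)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: domains the company actually sends mail from,
# and names of executives whose identity a whaler would borrow.
TRUSTED_DOMAINS = {"luminant.com", "example-utility.com"}
EXECUTIVES = {"Jane Doe"}

# Constructed sample messages (not real mail). The first mimics the
# "lumniant" misspelling described in the article.
MSG_LOOKALIKE = """From: "Jane Doe" <jane.doe@lumniant.com>
To: payments@luminant.com
Subject: Urgent wire needed today

Please wire the funds to the account below before close of business.
"""
MSG_GENUINE = """From: "Jane Doe" <jane.doe@luminant.com>
To: payments@luminant.com
Subject: Q3 vendor payment

Attached is the approved invoice for payment.
"""
MSG_FREEMAIL = """From: "Jane Doe" <jane.doe.ceo@webmail.example>
To: payments@luminant.com
Subject: Quick favour

I'm travelling and can't access my work email, please handle a transfer for me.
"""


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute or
    swap two adjacent characters, each costing 1. Swapping is what turns
    'luminant' into 'lumniant' in a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(raw_message: str) -> str:
    """Domain part of the From address, lower-cased (empty if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact match, 'lookalike' if within max_distance edits
    of a trusted domain, otherwise 'external'."""
    if domain in trusted:
        return "trusted"
    if any(damerau_levenshtein(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


def triage(raw_message: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flag."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    verdict = classify_sender(domain)
    findings = []
    if verdict == "lookalike":
        nearest = min(TRUSTED_DOMAINS, key=lambda good: damerau_levenshtein(domain, good))
        findings.append(f"sender domain {domain!r} is a near-miss of trusted domain {nearest!r}")
    if name.strip().lower() in {e.lower() for e in EXECUTIVES} and verdict != "trusted":
        findings.append(f"display name {name!r} matches an executive but {domain!r} is not a company domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("lookalike", MSG_LOOKALIKE), ("genuine", MSG_GENUINE), ("freemail", MSG_FREEMAIL)):
        print(label, "->", triage(raw) or "no findings")
```

Two caveats for anyone adapting this: the edit-distance threshold should scale with the length of the trusted domain (two edits is too generous for a five-letter domain), and a clean From header proves nothing on its own, since the header is trivially forged. The check is a tripwire that earns the message a phone call, not a substitute for the confirmation protocol described below.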
The lesson for companies is twofold: educate employees about the telltale signs of spear phishing and whaling, and put in place a confirmation protocol to be followed whenever a wire transfer is authorized, one that confirms the request through a channel other than the email itself, such as a call to a phone number already on file, particularly when funds are being sent to companies or individuals the company has not done business with before.
As for the rest of us, we should be careful to avoid spear phishing too. Before you post anything on social media, consider how that information could be used to defraud you, and remember that personal information about you and your business accounts can also be gathered through data breaches at companies you do business with. Therefore, as I always advise, never click on links in emails, send money or provide personal information in response to an email, regardless of how legitimate it may appear, until you have confirmed that it is not a scam.
As for Amuegbunam, he has been sentenced to 46 months in prison and ordered to make restitution to his victims.