Ahoy! Whaling Is The New Phishing: Is Your Boss Really Your Boss?

Security firm Mimecast warns phishing attackers are impersonating executives and tricking finance employees into sending them company funds.

[Photo: Flickr user Jason Thompson]

If your boss tells you to move company money to a new account, you may want to double-check with him IRL.


Whaling attacks, in which phishers pretend to be high-level executives to trick employees into sending them money, appear to be on the rise, security firm Mimecast warned Wednesday.

“Emails appearing to be sent from the CEO or CFO are used to trick finance staff into making illegitimate wire transfers to the attackers,” the company said in an advisory. “Whaling emails can be more difficult to detect because they don’t contain a hyperlink or malicious attachment, and rely solely on social-engineering to trick their targets.”

Attackers can figure out who to contact and who to impersonate using LinkedIn, Twitter, and other social media services, and don’t have to rely on technical sophistication, according to the advisory.

They’ll often create fake domain names that sound similar to those of their corporate targets, and start with a simple message to a member of the target company’s finance team, according to Mimecast.

“The email is typically well structured, with correct grammar and spelling, making it look as innocuous as possible,” the company warns. “Typically the initial contact will be brief and to the point; something similar to ‘I need you to complete a task ASAP, are you in the office?’”

They’ll then follow with instructions to wire money to an account controlled by the attackers.


Mimecast reports a recent survey found that more than half of companies have seen an increase in whaling attacks in the past three months, with the majority impersonating company CEOs. The company advises executives to warn their staff about the possibility of such attacks and to take technical precautions, like having software clearly flag emails originating from outside genuine corporate domains.
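The two technical points above, lookalike corporate domains and flagging mail that originates outside the genuine corporate domains, can be checked at the mail gateway with a few lines of header inspection. The following is an added illustration, not code from the article or from Mimecast: the corporate domains, the executive directory and the three sample messages are all constructed, and the Reply-To comparison is an extra heuristic of my own rather than something the advisory mentions.

```python
import email
import email.utils

# Constructed assumptions for the example: the company's genuine domains and a
# small directory of executives (display name -> their real address).
GENUINE_DOMAINS = {"example.com", "example.co.uk"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise_domain(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def is_lookalike(domain: str, genuine=GENUINE_DOMAINS) -> bool:
    """True when `domain` is one edit away from, or embeds, a genuine corporate label.

    The comparison uses the first DNS label only ("example" for example.co.uk),
    which is a simplification for this illustration.
    """
    d = _normalise_domain(domain)
    if d in genuine:
        return False
    # Undo the digit-for-letter and rn/vv swaps commonly seen in lookalike names.
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    d_label = d.split(".")[0]
    d_unswapped = d_label.translate(swaps).replace("rn", "m").replace("vv", "w")
    for g in genuine:
        label = g.split(".")[0]
        if _levenshtein(d_label, label) <= 1 or _levenshtein(d_unswapped, label) <= 1:
            return True
        if label in d_label and d_label != label:  # e.g. example-finance.com
            return True
    return False


def classify_sender(raw_message: str) -> dict:
    """Tag a message as internal/external and note executive-impersonation signals."""
    msg = email.message_from_string(raw_message)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = _normalise_domain(addr.rpartition("@")[2])
    result = {"from": addr, "domain": domain, "tags": []}
    if domain in GENUINE_DOMAINS:
        result["tags"].append("internal")
    else:
        result["tags"].append("external")
        if is_lookalike(domain):
            result["tags"].append("lookalike-domain")
    # Display name matches an executive but the address is not that executive's real one.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        result["tags"].append("executive-name-spoof")
    # Extra heuristic (my assumption, not from the advisory): replies routed elsewhere.
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        result["tags"].append("reply-to-mismatch")
    return result


def flagged_subject(raw_message: str) -> str:
    """Return the subject line a gateway would show, with an external-origin banner."""
    msg = email.message_from_string(raw_message)
    subject = msg.get("Subject", "")
    tags = classify_sender(raw_message)["tags"]
    if "internal" in tags:
        return subject
    prefix = "[EXTERNAL]"
    if "lookalike-domain" in tags or "executive-name-spoof" in tags:
        prefix = "[EXTERNAL - POSSIBLE EXEC IMPERSONATION]"
    return f"{prefix} {subject}"


# Constructed sample messages (not real traffic).
SAMPLE_INTERNAL = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nHi\n"
SAMPLE_PARTNER = "From: Bob <bob@partner-co.com>\nSubject: Invoice 42\n\nAttached.\n"
SAMPLE_WHALING = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo-office@examp1e.com\n"
    "Subject: Urgent\n\n"
    "I need you to complete a task ASAP, are you in the office?\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_PARTNER, SAMPLE_WHALING):
        print(classify_sender(raw)["tags"], "->", flagged_subject(raw))
```

The point of the banner is the one Mimecast makes: the whaling message carries no link or attachment for a filter to catch, so the signal has to come from where the mail originates. A legitimate partner still gets a plain external banner, while a lookalike domain paired with an executive's display name gets a louder one that finance staff can be trained to treat as a stop sign.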

“Carry out tests within your own business,” Mimecast suggests. “Build your own Whaling attack as an exercise to see how vulnerable your staff are.”

About the author

Steven Melendez is an independent journalist living in New Orleans.