A whale of a fraud

Bank Midwest has been the target of a type of fraud attempt called whaling that is growing in popularity. Instead of going after small fish (individuals), attackers are beginning to target bigger ones like organizations.

All companies, even small ones, must remain alert for this growing type of attack since there currently isn’t any type of fraud detecting software on the market to help prevent this from happening.

What’s a Whaling Attack?

A whaling attack is fairly straightforward. An attacker sees a successful organization and spoofs an email from an executive within that company. An employee at the company receives the email which appears to be a legitimate request from an executive for a transaction.

The attacker hopes the employee targeted has access to the company’s accounts. The request is to make a transfer or deposit money into a designated account outside of the organization.

An employee of Bank Midwest received one of these messages but did not follow through with the request. She was keen enough to verify the request by contacting the executive directly to learn that this was not legitimate.

In the email message we received, the attacker spoofed an ‘executive’s’ email address.

While the “From” email label looked like it came from John Johnson, the actual sender’s address is in brackets [mailto:[email protected]]. The message was sent from a ‘CEO mailboxx’ Gmail account — not the company’s email account.

If you receive an email that appears suspicious:

  • Do not click on any portion of the message.
  • Do not reply to the message or call/write using information contained in the original message.
  • Verify the legitimacy of the request by contacting the requester using contact information that you have available elsewhere (not provided within the email). If you use any contact information contained in the email, you’ll be reaching out to the fraudsters directly for verification if indeed it’s a whaling attempt.


Any company could fall victim to this kind of fraud. Don’t be one of them.

Learn more about this type of fraud in Forbes, Five Best Practices to Keep Spear-Phishing and Whaling Attacks at Bay.

‹ Return to the Blog