The human resources (HR) manager of a US-based information technology company was manipulated into purchasing Apple gift cards worth Rs 10 lakh after she was duped by cyber criminals posing as the CEO of the same firm.
The fraudsters had told her that she needed to buy the cards as gifts for all of the company’s employees.
A First Information Report in the case was registered at Paud police station under Pune Rural police by the HR manager. A probe was launched into the whale phishing attack, also referred to as a spear phishing scam or CEO scam.
Earlier this year, the complainant received a WhatsApp message on her personal number from an unidentified number with a US country code. The sender identified himself as the firm’s US-based CEO, and the profile picture of the number showed the CEO’s face. The message said that he was busy with a conference call and would not like to be disturbed.
The message instructed the HR manager to purchase Apple gift cards on Amazon worth at least Rs 5,000, which were to be given as gifts to all the employees of the firm.
The HR manager purchased 100 vouchers online and messaged the number saying she had done so. The person then asked her to purchase 100 more and send all those gift cards to a mail address he sent her. The HR manager purchased 100 more in consultation with an India-based senior office bearer from the company.
A while later, when the other officer asked the complainant how she had sent the gift cards, she gave him the mail address to which she had been made to send the cards. It was at this point that it became clear that the firm had been cheated by cyber criminals using a fraudulent number and email address of the company’s CEO. The complainant later approached the police and an FIR was registered at Paud police station. Officials said they were probing the phone numbers and email addresses used by the cyber criminals.
Since July last year, Pune City police reported around 10 whale phishing attacks. In one such case, Pune-headquartered global vaccine major Serum Institute of India was cheated of Rs one crore. In another case registered in February, a real estate company lost Rs four crore.
Unlike the typical phishing scams that target a broader set of possible victims, whale phishing or spear phishing attacks are highly focused on specific individuals, often top officials of the company who handle finances or can make money transfers.
The term whale phishing emphasises the targeting of influential figures. This type of fraud became prevalent in the United States during the late 2010s. In addition to directly targeting high-profile individuals, there have been recorded cases in which perpetrators manipulate employees to disclose sensitive information. This poses a greater risk than mere financial loss, as the divulgence of critical information could have far-reaching consequences on company operations, according to officials.