Pune-based firm loses Rs 1.9 crore in whale phishing attack
Cyber criminals posed as the company’s director, messaged its accounts manager asking him to make the fund transfer

A PUNE-based consultancy firm, which is part of a city-headquartered MNC, lost Rs 1.9 crore in a whale phishing attack after cyber criminals, posing as the company’s director, messaged its accounts manager, asking him to make a large fund transfer to fraudulent accounts “for a new project”.
An FIR was registered on Monday at Pune city’s cyber police station by one of the directors of the firm, who is in his early 70s. Investigators said a senior accounts manager with the firm, who has access to the company’s online banking, was targeted by the cyber criminals.
Earlier this month, when the accounts manager was at home, he received a WhatsApp message from an unidentified number. The number had the Display Picture (DP) of the firm’s director. The message in English said it was the director’s new number and asked the accounts manager to save the number. The message further said the company had bagged a new project for which Rs 1.9 crore had to be immediately transferred to a bank account. The message also had details of the bank account where the amount was to be transferred.
Trusting the message to be authentic, the accounts manager transferred Rs 1.9 crore to the fraudulent account registered in Churu district of Rajasthan. Some time later, the accounts manager received another message from the same number, asking him to transfer another Rs 3 crore. When the manager replied that there weren’t enough funds in the company’s account for routine transactions, the cyber criminals asked him to liquidate Fixed Deposits of the company.
“It was at this point that the accounts manager got suspicious and contacted the director on his known number. The director denied having given any such directions for transferring money. The company soon approached the cyber crime police station and an FIR was registered based on the director’s complaint. A probe has been launched into the phone number and bank accounts used by the cyber fraudsters,” a police officer said.
Whale phishing attacks, also known as spear phishing attacks or ‘CEO scams’, are highly focused on specific individuals in companies. The modus operandi is different from typical phishing scams that target a broader set of possible victims by sending a large number of messages. These scams specifically target top officials of companies who handle finances. The term ‘whale phishing’ emphasises the targeting of key figures in companies.
This type of fraud had become prevalent during the late 2010s in some countries in the West. In addition to directly targeting high-profile individuals, in some cases there is a concern that the perpetrators might manipulate employees to disclose sensitive information. This poses a greater risk than mere financial losses.
Since 2022, the Pune City and Pimpri Chinchwad police have together registered close to a dozen cases of whale phishing attacks. In one such case, the Pune-headquartered global vaccine major Serum Institute of India (SII) was swindled of Rs one crore in 2022. In another case in January last year, a real estate company in Pune lost Rs 4 crore in a whale phishing attack.
In February last year, a young woman identified as Saniya Mustakim Siddique (21) was arrested from Faridabad in Haryana by Pune City police’s cyber arm in the Rs 4 crore whale phishing case. She was identified as a key suspect based on the technical analysis of the phone numbers and bank accounts used in the fraud. While she was being brought to Pune on Duronto Express, she escaped from the train at Kota station in Rajasthan on February 18. After a months-long search for her, she was finally arrested in December last year.