Rs 1.95 crore lost in 2 days in whale phishing attack on real estate firm

The whale phishing started with a WhatsApp message to the complainant from a number which had the display picture of the partner of the firm. The message asked, “Have you reached the office?” After the complainant replied yes, the sender told him that for an ongoing project in Kothrud, an amount of Rs 95 lakh is to be transferred to an account. Believing the message to be true based on the reference to Kothrud project, the account manager transferred the money to an account given by the sender posing as the firm partner. A probe revealed the account was a mule account registered in Karnataka.

Few hours later, the sender asked the complainant to transfer an additional Rs one crore to another account. When the complainant asked the sender about the TDS (tax deducted at source), the sender said he will take care of that aspect. Believing all this to be authentic, the complainant made the transfer. Hours later, the fraudster asked the complainant to transfer Rs 1.9 crore. Only this time the complainant checked with the partner on his landline number, only to find out that no instructions for a transfer had been given earlier. The company approached the police and an FIR was registered. Officials said a probe has been launched into the phone number and accounts used by the fraudsters.

In whale phishing attacks, also known as spear phishing attacks or CEO scams, individuals in companies are specifically targeted. These scams target top officials of companies who handle finances. The term whale phishing emphasises targeting key figures in companies. Since 2022, Pune City and Pimpri Chinchwad police have together registered close to a dozen cases of whale phishing attacks. In one such case, the Pune-headquartered global vaccine major Serum Institute of India was swindled of Rs one crore in 2022. In another case in January last year, a real estate company in Pune lost Rs four crore.

In February 2024 a young woman identified as Saniya Mustakim Siddique (21) was arrested from Faridabad in Haryana by Pune City Police’s cyber investigators in a Rs 4 crore whale phishing scam. She was identified as a key suspect based on the technical analysis of the phone numbers and bank accounts used in the whale phishing attack. As she was being brought to Pune on Duronto Express, she escaped from the train at Kota station in Rajasthan on February 18. After searching for her for months, she was finally arrested in December 2024.

An attempted whale-phishing attack last year targeted the Centre for Materials for Electronics Technology (C-MET), a key research institution under the Union Ministry of Electronics and Information Technology. Cyber criminals, posing as the organisation’s director general, sent emails to over two dozen scientists attempting to deceive them into transferring money.