Cyber Crime
Whale Phishing: Know How This Pune Real Estate Firm Lost Rs 4 Crore In Deceptive Phishing Attack
Cybercriminals impersonated top executives to orchestrate a Rs 4 crore fraud, shaking Pune’s real estate sector.
PUNE:A prominent Pune real estate firm has become the victim of a sophisticated cyber fraud, losing a staggering Rs 4 crore to online tricksters. In what is suspected to be a “whale phishing” attack, one of the largest cybercrimes investigated by the Pune police, the attackers impersonated the company’s Chairperson and Managing Director (CMD) and deceived the senior accounts officer into transferring funds to bogus bank accounts.
Modus Operandi: Trust and Urgency
The scam unfolded in the last week of January. The unsuspecting accounts officer received a message from an unknown number, claiming to be the CMD.
The sender, feigning being stuck in an important meeting, instructed the officer to make an immediate Real-Time Gross Settlement (RTGS) transfer of Rs 60 lakh to a specified account.
ALSO READ: Frontline Fighters Against Cybercrime Unite: Highlights from FutureCrime Summit 2024
Trusting the message to be genuine, the officer complied and even sent the transaction confirmation number to the imposter.
Emboldened by their success, the cybercriminals continued to exploit the officer’s trust. Over the next few days, they posed as the CMD, requesting additional funds through text messages. The officer, believing he was following the CMD’s directives, made numerous transfers totaling Rs 2.2 crores over four days. This pattern continued for over a week, with the officer ultimately making 18 transactions amounting to a whopping Rs 4.06 crore.
Throughout the ordeal, the sender avoided phone calls, claiming to be too busy, and assured the officer that formalities would be completed later. Only after making the final transfer did the officer contact the actual CMD, who was abroad, and discover the fraudulent nature of the scheme.
ALSO READ: Excellence in Cyber Strategy Awarded to Dr JM Vyas at FutureCrime Summit 2024
Investigation Underway, Similar Cases Reported
The Pune City police have launched a comprehensive investigation into the case, assigning a team from the cyber crime unit to track down the culprits.
This incident is not an isolated one. Since July 2023, the Pune police have registered half a dozen similar “whale phishing” attacks, including one where Serum Institute of India was defrauded of Rs 1 crore.
Heightened Alert for Businesses
Whale phishing specifically targets high-profile individuals within organizations, exploiting their authority and trust to gain access to sensitive information and finances. Companies should implement robust security measures, including employee training on cyber awareness and multi-factor authentication, to mitigate such risks.
ALSO READ: Special Task Force (STF) of UP Police Honored with Award for Excellence in Cyber Law Enforcement
Whale Phishing (CEO Scam): Explained
- Targeted Approach: Whale phishing, also known as CEO scam or spear phishing, is a highly targeted form of cyber attack aimed at specific high-ranking individuals within organizations, such as CEOs, CFOs, or other executives.
- Impersonation Tactics: Cyber criminals impersonate company leaders, often through email or other electronic communications, to deceive employees into taking certain actions, such as transferring funds or providing sensitive information.
- Social Engineering: Perpetrators conduct thorough research to gather information about the target and the organization, allowing them to craft convincing messages that appear legitimate.
- Urgent Requests: Fraudulent messages typically convey a sense of urgency, exploiting the authority of the impersonated individual to pressure employees into complying with the attackers’ demands quickly.
- Financial Fraud: The primary objective of whale phishing attacks is usually financial gain. Attackers trick employees into transferring funds to fraudulent accounts under the guise of business transactions or emergency situations.
- Complexity and Sophistication: Whale phishing attacks often involve elaborate schemes, such as creating fake websites or using compromised email accounts, to enhance their credibility and evade detection.
- Consequences: Victims of whale phishing attacks can suffer significant financial losses, damage to reputation, and operational disruptions. Moreover, the disclosure of sensitive information may lead to further security breaches or legal ramifications.
- Preventive Measures: Organizations can mitigate the risk of whale phishing by implementing robust security protocols, including employee training on identifying phishing attempts, implementing multi-factor authentication, and regularly updating security software to detect and prevent such attacks. Additionally, establishing clear verification procedures for financial transactions and fostering a culture of skepticism regarding unsolicited requests can help thwart potential scams.