Mrs Phillips and The Whale

Last Updated on 22nd January 2021

It was a cold winter morning just after the Christmas break. Mrs Phillips, the school secretary, had just got into work after being stuck in heavy traffic. She had thrown off her coat and sat down at her desk ready to face the mountain of emails which had landed in her inbox since before the end of the last term.

Right at the top of Mrs Phillips’ inbox was an email which was labelled: URGENT: GIFT CODES NEEDED FOR LATE CHRISTMAS PRESENTS. The email was sent from Mr Smith, the school’s experienced and long-serving finance officer who was in charge of buying Christmas gifts for teachers and school staff. Mrs Phillips had known Mr Smith for many years and had both started working at the school on the same day.

After a hectic start to her morning, a slight panic set in as Mrs Phillips read further down the email.

It read:

Good morning Mrs Phillips,

I hope you had a nice Christmas. Sorry to get the new term off to such a busy start but I need you to do me a favour as a matter of urgency.

Embarrassingly, there are some members of staff that were left off the school’s Christmas present list and didn’t get to go home with their annual gift.

Could you purchase some gift codes from Amazon to the cost of £500 and send them on to me? This needs to be done within the next half an hour please as I want gifts ready for each staff member as they arrive at the school gates this morning.

Many thanks,

Mr Smith

Although lacking energy after the Christmas break, Mrs Phillips didn’t want to let Mr Smith down.

She immediately made the purchase, copy and pasted all of the details into an email and sent it to Mr Smith.

Well, who she thought was Mr Smith.

Mrs Phillips hovered her mouse over the ‘Mr Smith’ email address.

From: [email protected]

She froze. Mrs Phillips knew that this wasn’t a legitimate school email address and in a matter of minutes, £500 worth of school funds had been sent to an unknown scammer.

In a panic, Mrs Phillips called Mr Smith, who wasn’t to return to school until several days later. He told her groggily, “I don’t know what you’re talking about Mrs Phillips, I’m sorry. All staff members received a gift, I ticked every name off the list.”

Mrs Phillips was a victim of whaling: a type of phishing scam that targets senior staff and bosses, executives and other similar management roles to obtain sensitive data and/or money by deception. Just like in this example, there is usually more than one victim. Often whaling attacks will impact a whole company, in this case a school, or companies due to the sensitive data breached.

For the purposes of this example, our character Mrs Phillips was frauded in an email scam. Research had been carried out by the scammer posing as Mr Smith, as they’d found out the name of the school bursar, someone Mrs Phillips could trust. Whaling attacks can work because the criminals have done their research well and know who they should impersonate. Whaling also often involves using incredibly similar company websites and email addresses to fool victims – such as ‘Mr Smith’s’.

Mrs Phillips had worked with Mr Smith for years and there was a huge amount of trust between the two. That’s what whaling relies on; you’ll spot an email pop up from ‘Mr Smith, who you’ve worked with for 25 years’, or ‘Patricia, your best work friend’, or ‘Jonathan, the new COO who just started but seems lovely’ asking for some details or urgent bank payment and before you know it, you’ve been caught in a net.

What is Whaling?

Whaling is a type of email fraud. It involves targeted phishing attacks where fraudsters pose as senior managers asking colleagues to provide sensitive information or urgent financial transactions. What whaling describes is essentially ‘business email compromise’.

Fraudsters use ‘social engineering’ to research a company, school or local authority to scam unsuspecting victims by impersonating colleagues and bosses. The use of social media for businesses, local authorities and schools is commonplace and fraudsters may use information shared publicly to convince victims of their legitimacy. While senior managers are targeted and impersonated in these attacks, there are often multiple victims.

How does it happen?

Victims are tricked into handing over sensitive details, such as passwords, bank details or making urgent purchases. They may also be prompted to click on malicious links that download malware.

Many businesses, local authorities and schools are operating under emergency regulations and using more online communication. The sophistication of these scams adds to their likelihood of success.

Similar to other scams, whaling attempts will typically have a few things in common:

A sense of urgency to act (sometimes an offline interaction to legitimise the scam)
An appeal to emotion or ego
Imitation of email addresses to appear legitimate
The use of institutional language or jargon

How to catch a Whaling Attempt

The number one preventative measure you can take is to share this article with your staff, partners and colleagues. Awareness of this type of fraud is an investment in protecting your organisation.

Always double-check the full email address of who you’re communicating with when sensitive requests are made – does it match your organisation fully?
Compare any request to those previously received via email, if in doubt follow up with a phone call to the person requesting action using other trusted methods of communication
Be aware of any sense of urgency to act, including potential follow up calls prompting you to act quickly
Verify that any website you are directed to is secured, familiar and legitimate
Be cautious of any financial ask that is unusual or high risk – like buying gift vouchers or making external payments
Remember that it’s easy for criminals to create a website and email addresses with similar names to your own company
Be aware of how much information you share online about your workplace, this can be used to masquerade as a colleague