10 whaling emails that could get by an unsuspecting CEO

Real-life whaling attempts show the intricate changes perpetrators try to make to trick a CEO.


Whaling, also known as CEO fraud, continues to grow, with 70 percent of firms seeing an increase in these email-based attacks designed to extort money. There has been an uptick of activity lately as fraudsters spend the first few months of the year taking advantage of tax season, targeting finance departments with emails that look like they are coming from a company’s senior executive. Cases in point are Snapchat and Seagate, companies that inadvertently gave up employees’ personal information.

Email security company Mimecast has shared a handful of real-life examples of fraud attempts targeted at the person in the corner office.

Note: Names and domains have been modified to preserve recipient privacy. Source domain styles and homograph attack techniques have been maintained.

Too busy to talk

This attempted attack originated from New York, where the attacker has registered a similar domain name, replacing the “o’s” with similar and easily overlooked zeros. Additional social engineering tries to keep the conversation to email to avoid detection.

Need the money fast

The server was tracked down to Toronto, where the attacker has registered a similar domain name in which the “m” is replaced with an “rn”.

A little too quick with this attempt

This one seems a little amateurish, as the number 1 really sticks out in the email address. But a busy CEO might not look closely enough when dealing with 10 million other things. This message was tracked down to a server in New York.

Sneaky suspectsssss

The attacker has registered a similar domain name, using a double “s” which is easily overlooked.

King of whaling

Perhaps this is the same person as in the last slide, this time dropping in an extra “s” at the end of the email address to dupe the CEO. And who uses the word “soonest”?

I said immediately

The attacker, who was tracked back to Johannesburg (or at least that is where the server was located), has registered a similar domain name, using a double “c” which is easily overlooked.

I would gladly pay you Tuesday for a hamburger today

Kind of has that Popeye character “Wimpy” ring to it, no? The attacker has created a Hotmail account that could appear to be a CEO webmail service. Red flags should appear when you see an email address like that.

Breaking bad

Hopefully the CEO broke away from this email immediately when he noticed it was Walter White (maybe not the one from Breaking Bad). The attacker has registered a similar-looking domain name to the actual White Chemicals.

Gmail?

It just seems like this attacker is lazy in using a Gmail account to try and fool the CEO.

Too busy

The attacker has created a Gmail account that could appear to be a CEO webmail service. Additional social engineering tries to keep the conversation to email to avoid detection.
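
The lookalike tricks in these examples (a zero for “o”, “rn” for “m”, a stray 1, a doubled or extra letter, a webmail account carrying the executive's name) can be screened for on inbound mail. The sketch below is an added example, not code from Mimecast or the original article; the domain examplecorp.com, the executive name, the webmail list and the function names are all assumptions made for illustration.

```python
import re

# Assumed values for illustration: use your own domains and executive names.
TRUSTED_DOMAINS = {"examplecorp.com"}
EXECUTIVES = {"jane doe"}
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

def skeleton(domain):
    """Fold the look-alike tricks from the examples into one canonical string."""
    d = domain.lower().replace("rn", "m")          # "rn" posing as "m"
    d = d.translate(str.maketrans("01", "ol"))     # zero for "o", one for "l"
    return re.sub(r"(.)\1+", r"\1", d)             # doubled letters ("ss", "cc")

def edit_distance(a, b):
    """Levenshtein distance, used to catch one added or dropped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address, display_name=""):
    """Return 'trusted', 'lookalike', 'freemail-executive' or 'external'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if domain in FREEMAIL:
        is_exec = display_name.strip().lower() in EXECUTIVES
        return "freemail-executive" if is_exec else "external"
    for good in TRUSTED_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return "lookalike"
    return "external"

# Constructed sample senders, modelled on the substitutions described above.
SAMPLES = [
    ("jane.doe@examplecorp.com", "Jane Doe"),
    ("jane.doe@examplec0rp.com", "Jane Doe"),
    ("jane.doe@exarnplecorp.com", "Jane Doe"),
    ("jane.doe@examplecorps.com", "Jane Doe"),
    ("ceo.examplecorp@gmail.com", "Jane Doe"),
    ("news@vendor.example", "Vendor News"),
]

if __name__ == "__main__":
    for addr, name in SAMPLES:
        print(f"{classify(addr, name):20} {name} <{addr}>")
```

A mail gateway rule could hold anything classified as lookalike or freemail-executive for review, especially when the message asks for a payment or employee data.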