how to use internet.

← Back to Scams & phishing

Defend your organization from business scams

Progress 0 / 12
Chapters (12)

CEO fraud and whaling attacks

“Whaling” targets high-value individuals—CEOs, CFOs, and executives—with sophisticated social engineering. These attacks combine executive impersonation with urgency and authority to bypass normal controls, resulting in massive financial losses.

The Scale of the Problem

2024 Statistics:

  • 442% surge in vishing (voice phishing) attacks on executives
  • 42x increase in QR code phishing targeting C-suite
  • $2.9 billion lost to CEO fraud globally
  • $125,000 average loss per successful whaling attack
  • Voice cloning: 3 seconds of audio = 85% match accuracy
  • Deepfake video calls used in multiple $20M+ frauds

How CEO Fraud Works

Classic CEO Email Fraud:

  1. Research phase: Scammers research company hierarchy, relationships, communication patterns
  2. Impersonation: Email from spoofed or compromised CEO account
  3. Urgency: “In meeting, need urgent wire transfer”
  4. Authority: Leverages CEO position to bypass verification
  5. Confidentiality: “Don’t discuss with anyone, confidential deal”
  6. Result: Employee sends money without verification

Advanced Techniques (2024):

Voice Cloning:

  • AI clones executive’s voice from 3 seconds of audio (earnings calls, videos, voicemails)
  • Scammer calls finance team as “CEO” requesting urgent wire transfer
  • 85%+ accuracy makes detection nearly impossible

Deepfake Video Calls:

  • Real-time deepfake video impersonating executives
  • Used in $25M Arup fraud (Hong Kong, 2024)
  • CFO thought he was on video call with CEO and other executives
  • All were AI-generated deepfakes

QR Code Phishing:

  • QR codes bypass email filters
  • 42x increase targeting executives
  • Links to credential harvesting sites

Real-World Case Studies

Case 1: Arup Engineering Deepfake ($25-39M, 2024)

What happened:

  • Hong Kong branch finance worker received meeting request
  • Video call with “CFO” and other “executives”
  • All participants were AI-generated deepfakes
  • Authorized 15 transactions totaling $25-39M
  • Discovered only when contacted real CFO later

Red flags missed:

  • Unusual urgency for large transfers
  • No in-person verification for massive amounts
  • Didn’t verify through separate channel

Case 2: Retool Voice Cloning Attack (2024)

What happened:

  • IT employee received call from “IT manager”
  • Voice perfectly matched real manager
  • Requested credentials for “urgent system issue”
  • Employee complied, compromising multiple systems

How it was stopped:

  • Security team noticed unusual activity
  • Real manager had been traveling (couldn’t have called)
  • Quick response limited damage

Red Flags in Whaling Attacks

🚩 Communication red flags:

  • Unusual urgency (“need this in 1 hour”)
  • Confidentiality demands (“don’t tell anyone”)
  • Requests outside normal process
  • Sent during off-hours or when executive is traveling
  • Grammar/tone doesn’t match executive’s typical style

🚩 Request red flags:

  • Large wire transfers without standard approval
  • Changes to vendor payment information
  • Credential or access requests
  • Bypassing normal procurement procedures
  • “Trust me” rather than following protocol

🚩 Technical red flags:

  • Email from external domain ([email protected] instead of company domain)
  • Display name matches but email address doesn’t
  • Reply-to address different from sender
  • No previous email thread (starts new conversation)

Verification Procedures

For All High-Risk Requests:

The Out-of-Band Verification Rule:

  • Never reply to suspicious email/message
  • Always verify through separate communication channel
  • Call known phone number (not one provided in message)
  • Walk to executive’s office if possible
  • Use company internal chat (verify it’s not compromised)

Multi-Person Approval:

  • No single person authorizes large transfers
  • Implement dual-approval system
  • Require physical signatures for amounts over threshold
  • Use digital approval systems with 2FA

Challenge Questions:

  • Establish personal verification questions only real executive knows
  • “What did we discuss in Monday’s meeting?”
  • “What’s the project codename we discussed yesterday?”
  • Change questions regularly

For Voice/Video Calls:

Voice call verification:

  • Ask personal questions only real person knows
  • Listen for unnatural speech patterns or delays
  • Request callback on known number
  • Use video if possible (though now also fakeable)

Video call verification:

  • Ask person to turn head, smile, make specific gestures
  • Request they hold up item with today’s date
  • Switch to in-person or phone verification for large amounts
  • Real-time deepfakes have subtle artifacts (though improving)

For Wire Transfers:

Mandatory procedures:

  • Callback verification on known phone number
  • Dual approval required
  • Waiting period (24 hours) for unusual requests
  • Face-to-face verification for amounts over $50K
  • Never bypass procedures, even for CEO

Protection Strategies

Technical Controls:

  1. Email authentication:

    • SPF, DKIM, DMARC configured
    • Display external sender warnings
    • Flag emails from domains similar to company domain

  2. Domain monitoring:

    • Monitor for typosquatting domains (yourcompnay.com)
    • Register common misspellings
    • Alert on new similar domains

  3. Executive account protection:

    • Phishing-resistant MFA (FIDO2 keys, not SMS)
    • Regular password changes
    • Monitor for compromised credentials
    • Limit public information about executives

  4. Wire transfer controls:

    • Callback verification required
    • Dual approval system
    • Segregation of duties
    • Daily/transaction limits

Policy and Training:

  1. Clear policies:

    • Written procedures for wire transfers
    • No exceptions for anyone, including CEO
    • Verification required even if “confidential”
    • Employees empowered to verify

  2. Regular training:

    • Specific whaling examples
    • Practice verification procedures
    • Simulated attacks
    • Update on new techniques (deepfakes, voice cloning)

  3. Executive buy-in:

    • Executives must follow procedures too
    • Public support for verification culture
    • Praise employees who verify, never punish

  4. Code words:

    • Establish family-style verification codes
    • “If I don’t use the code word, don’t trust it”
    • Change periodically

Key Takeaways

  • 442% surge in executive-targeted vishing attacks
  • Voice cloning requires only 3 seconds of audio
  • Deepfakes used in multiple $20M+ frauds
  • Out-of-band verification is mandatory for high-risk requests
  • No exceptions - even CEO must follow verification procedures
  • Challenge questions help verify identity on calls
  • Technical controls: Email authentication, MFA, monitoring
  • Culture matters: Empower employees to verify, never punish caution

Remember: Legitimate executives will always understand and appreciate verification procedures. If someone claiming to be an executive gets angry when you verify, that’s a massive red flag. Build a culture where verification is expected, not questioned.

Author:
How To Use Internet
Last updated:
11/30/2025