Whaling or spear phishing scams target businesses or organisations in an attempt to get confidential information for fraudulent purposes.

How this scam works

Whaling and spear phishing scams differ from ordinary phishing scams in that they target businesses using information specific to the business that has been obtained elsewhere.

The scammer sends a personalised email to either a group of employees or a specific executive officer or senior manager. The email is designed to look like it has been sent from a trustworthy source such as the employer or other staff members within the organisation.

The email addresses may look similar (but not identical) to frequently used email addresses. The subject of the email is usually about a fake ‘critical’ business matter, such as a legal subpoena or a customer complaint.

The scammer’s aim is to convince you that the email requires urgent action, which you are told to take by following a link to a fake website. When you visit the fake but convincing website, it will ask you to do one or more of the following:

  • enter confidential company information and passwords
  • provide financial details or enter them when making a payment for a fake software download.

If financial details are provided, the scammer will use them to carry out fraudulent activities.

Alternatively, the email may ask you to download an attachment. If you do, it will download malware onto your computer. Malware can record your keystrokes, passwords and other company information, allowing the scammer to access it when you go online.

Warning signs

  • You receive an email out of the blue, requesting your urgent attention to a matter which you may not be familiar with. For example, you may be asked to take immediate action in relation to a customer complaint or a legal subpoena.
  • The sender's address is one you do not recognise, or is similar to an address you are familiar with.
  • The email contains an attachment or a link to a website that looks official. It may have the logos and branding of the legitimate site.
  • You are asked to enter confidential work-related or personal details into the website, or to pay to download software so as to view an official document, such as a subpoena.
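
As an added illustration (not part of the original guidance), the Python sketch below shows how a mail administrator could flag sender addresses that are similar but not identical to ones the business really uses. The trusted domains and sample addresses are constructed, and the substitution table and distance threshold are assumptions.

```python
import unicodedata

# Constructed allow-list of domains the business really corresponds with (assumption).
TRUSTED_DOMAINS = {"example.com.au", "examplebank.com"}
# Small, non-exhaustive table of digit-for-letter swaps seen in lookalike addresses.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def sender_domain(address):
    """Return the lower-cased domain of 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower()

def skeleton(domain):
    """Reduce a domain to a comparison form: drop accents, undo common swaps."""
    decomposed = unicodedata.normalize("NFKD", domain)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return plain.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        same_shape = skeleton(domain) == skeleton(good)
        if same_shape or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ["ceo@example.com.au", "Legal <legal@examp1e.com.au>",
                   "accounts@exarnplebank.com", "news@unrelated.org"]:
        print(sender, "->", classify_sender(sender))
```

A 'lookalike' result is a prompt to verify the sender through an independent channel, not proof of fraud.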

Protect yourself

  • If you receive an email at work from a sender you do not know, never click on the links or open any attachments.
  • Do not use the contact details provided in the email. Verify the identity of the sender by calling the organisation directly – find them through an independent source such as an online search or a phone book.
  • Look for the secure symbol. Secure websites can be identified by the use of 'https:' rather than 'http:' at the start of the internet address, or a closed padlock or unbroken key icon at the bottom right corner of your browser window. Legitimate websites that ask you to enter confidential information are generally encrypted to protect your details.
  • Keep your office networks, computers, and mobile devices secure. Update your security software, change passwords and back up content regularly.
  • Consider what personal and business information you post on social media and business networking sites. Scammers use publicly available information to identify potential whaling and spear phishing victims.
  • Shred all business documents before you dispose of them.
  • Seek independent legal advice if you receive a request regarding a legal subpoena or customer complaint.

Have you been scammed?

If you think you may have provided confidential employer details to a scammer, or opened a malware-infected attachment, you should contact your employer’s IT support immediately.

We encourage you to report scams to the ACCC via the report a scam page. This helps us to warn people about current scams, monitor trends and disrupt scams where possible. Please include details of the scam contact you received, for example, email or screenshot.

We also provide guidance on protecting yourself from scams and where to get help.

Spread the word to your friends and family to protect them.
