In a suspected case of whale phishing attack and possibly one of the biggest cyber frauds probed by the Pune police, a prominent real estate firm in Pune was swindled of Rs 4 crore by cyber frauds who posed as the company’s Chairperson and Managing Director (CMD) and tricked the senior accounts officer into making 18 big transactions to fraudulent bank accounts.
The cyber crime police station of the Pune City police has launched a probe into the case of whale phishing attack, also known as ‘spear phishing scams’ or ‘CEO scams.’ In such cases, the cyber attackers pose as heads of companies and manipulate senior officials into transferring large sums of money to fraudulent accounts.
The Deputy General Manager (accounts) of the real estate firm, which has under its belt several key development projects in the city—both in the commercial and the residential sector—lodged a complaint in the case at the cyber crime police station.
According to police, the fraud was perpetrated in the last week of January. On January 25, the complainant received a message from an unknown phone number with the sender identifying himself as the CMD of the company. The sender texted him that he was in an important meeting and would not like to be disturbed. The message directed the complainant to make a Real Time Gross Settlement (RTGS) transfer of Rs 60 lakh to an account, the details of which were given in the message. The complainant made the RTGS transfer and even sent the Unique Transaction Reference (UTR) number of the transaction to the sender posing as the CMD.
Police said the cyber criminals continued to seek more funds on the following days and the complainant made the transfers, thinking the instructions were coming from the CMD himself. On January 26, the sender even sought the summary statements of a bank account of the company and then asked the complainant to make transfers of Rs 27 lakh, Rs 50 lakh and Rs 40 lakh.
Over the next four days, the complainant was asked to make 14 more transfers totalling over Rs 2.2 crore. The complainant made a total of 18 transactions, amounting to a whopping Rs 4.06 crore, said police.
All this while, police said, the sender who was passing the instructions for the transfers never answered the calls made by the complainant and kept texting that he was busy and that all the formalities about the transfers would be completed later.
After making the 18 transfers over a period of more than a week, the complainant called the actual phone of the CMD after he returned from a visit abroad only to find out no such fund transfer instructions were issued by him. The company later approached the Pune City police and registered an FIR earlier this month.
“We have launched a coordinated probe in the case,” said a senior officer from the Pune City police. The investigation has been assigned to a team from the cyber crime police station and is being monitored by senior officials, Express has learnt.
‘Half a dozen whale phishing attacks since July last year’
Since July last year, half a dozen cases of ‘whale phishing attacks’ have been registered with the Pune City police, including one in which global vaccine major Serum Institute of India was cheated of Rs 1 crore.
In this case, the cyber frauds used a phone number with a phone messenger display picture of CEO Adar Poonawalla. In the last week of November last year, the Pune police arrested seven people–including two engineers, a science graduate and a bank employee–for defrauding the global vaccine manufacturer.
In May last year, a well-known real estate development company in Pune lost Rs 66 lakh to cyber frauds. While probing this case, the cyber crime police arrested two suspects from Bihar in October last year.
“While some important arrests have been made in the cases, the main racketeers and masterminds in the case remain at large. Those arrested are the mid-level operators of multi-layered and well-oiled rackets. The links to cyber criminals based abroad are being investigated,” said a senior officer from the Pune City police.
Unlike the typical phishing scams that target a broader set of possible victims, the whale phishing or spear phishing attacks are highly focused on specific individuals, often top officials of the company who handle finances. The term “whale phishing” emphasizes the targeting of influential figures. This type of fraud became prevalent in the United States during late 2010.
In addition to directly targeting high-profile individuals, there is a concern that perpetrators may manipulate employees to disclose sensitive information. This poses a greater risk than mere financial loss, as divulging critical information could have far-reaching consequences on company operations, according to officials.