Businesses are being warned about a new email scam – dubbed ‘whaling’ – which targets the finance departments of SMEs.
Financial Fraud Action UK (FFA UK) claims that there has been a significant rise in incidents of the scam in recent weeks in both the UK and the UK, with several British SMEs reporting having lost sums of between £10,000 and £20,000.
In the scam, fraudsters obtain publicly available details about businesses, such as the staff names and email addresses, and use software to send fake emails to finance staff purporting to be from senior managers.
The email typically requests that an urgent payment is made outside of normal procedures, often giving a pressing reason such as the need to secure an important contract. However, the account to which the payment is made is in fact controlled by the fraudster, who quickly withdraws the funds.
The scam has been dubbed ‘whaling’ because it targets one specific victim, as opposed to the scattergun approach of ‘phishing’ fraud.
Katy Worobec, Director of FFA UK, said: ‘Fraudsters will do all they can to make these scam emails look genuine, so it’s important for businesses to be alert. While an urgent request from the boss might naturally prompt a swift response, it should in fact be a warning sign of a potential scam. That’s why it’s vital that finance teams carefully check any unusual demands for payment through an alternative method, such as over the phone or face to face, before making the payment.’
FFA UK has issued the following advice to businesses, particularly staff in finance and accounts departments:
- Always check any unusual payment requests directly, ideally in person or by telephone, to confirm the instruction is genuine. Do not use contact details from the email.
- Establish a documented internal process for requesting and authorising all payments and be suspicious of any request to make a payment outside of the company’s standard process.
- Be cautious about any unexpected emails which request urgent bank transfers, even if the message appears to have originated from someone from your own organisation.
- Ensure email passwords are robust.
- Consider whether the email contains unusual language or is written in different style to other emails from the sender.