How a Whale Phishing Scam Cost a Firm ₹2.34 Crore — And What Organizations Must Do to Prevent It

  • vishalp6
  • 10 hours ago
  • 4 min read
Image: A smartphone displaying a message from a CEO alongside a laptop showing a ₹50,00,000 bank transfer, illustrating a ₹2.34 crore whale phishing scam.

In a recent cyber fraud case reported in Pune, a business analytics firm was deceived by fraudsters posing as the company’s CEO, resulting in transfers totaling ₹2.34 crore to accounts controlled by criminals. This type of social engineering scam, known as whale phishing or CEO fraud, leverages trust and urgency to manipulate employees into authorizing large, fraudulent payments.


Understanding this case is crucial for all organizations, not just those in Pune or India. The methods deployed by the attackers are widely used around the world. A failure to detect or prevent such attacks can lead to financial loss, operational disruption, and significant reputational damage.


The Incident: Whale Phishing Scam Unfolded


In the third week of February 2025, an accounts manager at a Pune-based analytics firm received a missed call from an unidentified number while a colleague was attending to a family emergency in hospital. Immediately afterward, the employee received a message from the same number claiming to be from the company’s founder and CEO, saying it was their new contact number.


The fraudsters first asked for details of the firm’s bank account balances, claiming the money was needed for business-related payments, and then began sending payment instructions from the same number. Acting on these fraudulent instructions, the firm’s staff authorized 13 separate transfers across multiple days, cumulatively amounting to ₹2.34 crore, to several mule accounts spread across different states in India.


Only after another senior director independently inquired about the legitimacy of the instructions did the firm realise it had been deceived. A complaint was filed at the cybercrime police station, and an FIR was registered.

This was not an isolated incident. Pune city and Pimpri-Chinchwad police have registered nearly a dozen such cases over the past few years, with other firms losing amounts ranging from lakhs to several crores in similarly executed whale phishing scams.


What Is Whale Phishing (CEO Fraud)?


Whale phishing (also called whaling) is a highly targeted form of spear phishing in which attackers impersonate, or go after, senior executives and trusted partners. When the executive is the lure rather than the victim, as here, the scheme is usually called CEO fraud or business email compromise. Unlike general phishing, which casts a wide net, whale phishing zeroes in on the few individuals who can move money or release sensitive data.


Attackers typically research their targets beforehand, using publicly available information (e.g., LinkedIn, company websites) to craft convincing messages that mimic internal communication styles. The fraudster’s goal is to create a sense of urgency or authority that bypasses standard verification checks.

In this Pune case, the fraudster exploited trust on two fronts:

  • Sender legitimacy: The number was not one the firm had on record for the CEO. The attackers manufactured legitimacy instead: a missed call, then a message announcing the founder’s “new contact number,” with a tone and context plausible enough that the change of number itself was never questioned.

  • Recipient vulnerability: The accounts team acted without independent verification because of situational context (emergency and urgency), compounded by the appearance of internal authority.


The Core Problems


  1. Lack of Multi-Layer Verification

    The staff acted on what appeared to be a direct instruction from the founder. There was no requirement to verify payment instructions through alternate channels (e.g., a video call, internal authenticated messaging, or cross-department sign-off).


  2. Over-Reliance on Informal Communication Channels

    The attackers used SMS/WhatsApp from a number the employee had just been told was the CEO’s new one. Without an authenticated enterprise channel for financial instructions, staff had no reliable way to tell an authentic message from a fraudulent one; a phone number is an identifier anyone can claim, not a credential.


  3. Absence of Policy-Driven Authorization Controls

    Standard operating procedures (SOPs) for fund transfers — especially high-value ones — were either absent or not enforced. Controls such as dual authorization, defined transaction limits, and reconciliation checks were bypassed.


  4. No Real-Time Alerting or Suspicion Triggers

    There were no systems in place to flag unusual patterns (e.g., multiple transfers in quick succession to diverse accounts), which could have raised alarms earlier.


What Should Have Been Done


Treat such incidents not as isolated “errors” but as failure points in broader cyber and financial governance. Here is how one should approach prevention and response holistically:


  1. Implement Strong Process-Driven Authorization Controls

    We emphasize multi-party sign-off for all high-value transactions. Specifically:

    • Any payment above a defined threshold must be approved by at least two independent signatories who verify the instruction via a secure internal channel before execution. Verification means a call back to the executive’s number on record or a message in the enterprise system, never a reply to the number or thread the request arrived on.

    • Role-based access ensures that no single employee — regardless of title — can initiate large transfers alone.

    This significantly reduces the risk of social engineering working in isolation.


  2. Deploy Secure Corporate Communication Channels

    We enforce the use of authenticated enterprise platforms (e.g., corporate email with strong DMARC/DKIM, encrypted messaging) for all internal communication related to financials. Note the limit of this control: DMARC and DKIM authenticate the sending domain of email, so they stop a spoofed CEO address but do nothing about an SMS or WhatsApp message. The rule that matters is that a payment instruction counts only if it arrives over, or is confirmed in, the authenticated channel.

    • Personal messaging apps like WhatsApp are fine for informal communication — but never for transaction approvals.

    • Alerts and approvals are routed through secure workflows that log and timestamp every action.

    This reduces the possibility of impersonation via spoofed phone numbers or unmanaged messaging systems.


  3. Integrate Behavioral Detection and Alerts

    Indus Systems would layer behavioral risk analysis into the finance function:

    • Unusual patterns, such as transfers to newly added beneficiaries or to multiple geographically dispersed accounts, trigger automated risk alerts.

    • A triggered alert holds the payment for a cool-off period or routes it for an additional, logged approval before execution, so the transfer cannot complete on one person’s say-so.

    This adds an automated risk buffer against human lapses.
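The authorization rules in point 1 and the behavioural triggers in point 3 can be expressed as a single release gate in front of the payment system. The Python below is an added example, not code from the original article or from Indus Systems; the thresholds, user ids, account labels, state names and the four-payment batch are constructed assumptions shaped after the case above (one routine vendor payment, then a burst of large transfers to new payees in different states).

```python
"""Payment-release gate: dual control plus behavioural holds.

Added example, not code from the original article or from Indus Systems.
Thresholds, user ids, account labels and the sample batch are constructed
assumptions mirroring the case in the text (one lakh = 100,000 rupees).
Each check yields a reason code; an empty list means the payment may go out.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

LAKH = 100_000
DUAL_CONTROL_THRESHOLD = 5 * LAKH              # assumption: >= 5 lakh needs two approvers
NEW_BENEFICIARY_COOLOFF = timedelta(hours=48)  # assumption: new payees wait 48 h
VELOCITY_WINDOW = timedelta(hours=24)          # assumption
VELOCITY_LIMIT = 3                             # assumption: 3+ earlier requests in window
DISPERSION_LIMIT = 3                           # assumption: 3+ payee states in window
TRUSTED_CHANNEL = "workflow"                   # the authenticated, logged approval system


@dataclass(frozen=True)
class Payment:
    pay_id: str
    requested_by: str
    approvers: tuple[str, ...]   # who signed off on the instruction
    approval_channel: str        # "workflow", or e.g. "whatsapp", "sms", "phone"
    beneficiary: str             # payee account label
    beneficiary_state: str       # state in which the payee account is held
    amount: int                  # rupees
    requested_at: datetime


@dataclass
class Ledger:
    beneficiary_added_at: dict[str, datetime]               # payee master data
    requests: list[Payment] = field(default_factory=list)   # everything evaluated
    released: list[Payment] = field(default_factory=list)   # what actually went out


def evaluate(p: Payment, ledger: Ledger) -> list[str]:
    """Return reason codes for holding the payment; [] means release."""
    holds: list[str] = []
    # 1. Instructions relayed over SMS/WhatsApp/phone are never an approval.
    if p.approval_channel != TRUSTED_CHANNEL:
        holds.append("UNMANAGED_CHANNEL")
    # 2. Dual control above threshold: two approvers, neither the requester.
    independent = set(p.approvers) - {p.requested_by}
    if p.amount >= DUAL_CONTROL_THRESHOLD and len(independent) < 2:
        holds.append("DUAL_CONTROL")
    # 3. Unknown payee is registered now and must sit out the cool-off.
    added = ledger.beneficiary_added_at.setdefault(p.beneficiary, p.requested_at)
    if p.requested_at - added < NEW_BENEFICIARY_COOLOFF:
        holds.append("NEW_BENEFICIARY")
    # 4. Velocity: earlier requests (released or held) inside the window.
    recent = [r for r in ledger.requests
              if timedelta(0) <= p.requested_at - r.requested_at <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        holds.append("VELOCITY")
    # 5. Dispersion: payees spread across several states in the same window.
    states = {r.beneficiary_state for r in recent} | {p.beneficiary_state}
    if len(states) >= DISPERSION_LIMIT:
        holds.append("DISPERSION")
    return holds


def process_batch(payments: list[Payment], ledger: Ledger) -> dict[str, list[str]]:
    """Evaluate payments in time order; release only those with no holds."""
    decisions: dict[str, list[str]] = {}
    for p in sorted(payments, key=lambda x: x.requested_at):
        holds = evaluate(p, ledger)
        decisions[p.pay_id] = holds
        ledger.requests.append(p)
        if not holds:
            ledger.released.append(p)
    return decisions


def run_demo() -> tuple[dict[str, list[str]], Ledger]:
    """Constructed batch: a routine vendor payment, then a CEO-fraud pattern."""
    t0 = datetime(2025, 2, 17, 10, 0)
    ledger = Ledger(beneficiary_added_at={"VENDOR-MH-001": t0 - timedelta(days=90)})
    batch = [
        Payment("P1", "accounts_mgr", ("cfo", "director"), "workflow",
                "VENDOR-MH-001", "Maharashtra", 3 * LAKH, t0),
        # "New number" message from the "CEO": one person, WhatsApp, new payee.
        Payment("P2", "accounts_mgr", ("accounts_mgr",), "whatsapp",
                "MULE-WB-778", "West Bengal", 50 * LAKH, t0 + timedelta(hours=3)),
        # Same instruction pushed through the workflow with two signatures:
        # the payee cool-off and the geographic spread still hold it.
        Payment("P3", "accounts_mgr", ("cfo", "director"), "workflow",
                "MULE-GJ-102", "Gujarat", 40 * LAKH, t0 + timedelta(hours=5)),
        # A genuine small vendor payment caught by the burst around it.
        Payment("P4", "accounts_mgr", ("cfo", "director"), "workflow",
                "VENDOR-MH-001", "Maharashtra", 2 * LAKH, t0 + timedelta(hours=6)),
    ]
    return process_batch(batch, ledger), ledger


if __name__ == "__main__":
    decisions, ledger = run_demo()
    for pay_id, holds in decisions.items():
        print(pay_id, "RELEASE" if not holds else "HOLD " + ", ".join(holds))
    print("released:", [p.pay_id for p in ledger.released])
```

A hold is not a rejection: the payment waits for a second, logged approver or for the cool-off to expire, which is the risk buffer the text describes. P4, a genuine payment, is held only because of the burst around it; that trade-off is deliberate, since the control exists to make thirteen unusual transfers impossible to complete without someone pausing to ask.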


  4. Conduct Regular Cyber Awareness and Simulation Training

    Whale phishing is fundamentally a social engineering threat. We advocate frequent training and simulation exercises so that employees:

    • Recognize red flags in impersonation attempts

    • Know when to escalate ambiguous instructions

    • Understand internal verification protocols

    Even highly experienced staff can fall prey without regular reinforcement of cognitive vigilance.


  5. Immediate Reporting and Early Intervention

    From law enforcement advisories, it’s clear that timely reporting (within hours, not days) can help freeze fraudulent accounts and assist in fund recovery. Prompt reporting maximizes the chance of intervention before funds are moved through multiple mule accounts.


Conclusion: Beyond Technology — Governance First


This whale phishing case is a stark reminder that cyber threats are not always malware-driven technical attacks. Some of the most damaging attacks exploit human trust and process gaps. Financial fraud can be engineered through psychologically compelling scenarios that feel legitimate — especially when time pressures and authority cues are present.


Successful prevention hinges as much on governance, policies, and employee awareness as it does on technology. Organizations should treat these threats as enterprise-wide risk vectors, integrating controls at procedural, behavioral, and technological layers.


Adopting structured authorization workflows, secure communication channels, behavioral alerts, and continuous training can dramatically reduce the likelihood of falling victim to whale phishing or similar social engineering scams.


In today’s threat landscape, trust without verification is the vulnerability — and closing that gap is where resilience begins.
