Phishing and whaling

Phishing and whaling are often the fraudster's 'way in' to commit other kinds of cybercrime.

What is phishing?

Phishing is an attempt by cybercriminals to trick you into giving away information, often by getting you to follow a link that looks genuine. It most often arrives by email, but it can also come by text message, phone call, letter or social media.

Typically the message is 'spoofed' so that it appears to come from a genuine email address, and it may be branded to look as though it has come from a particular organisation. The sender address shown in an email is easy to forge: unless the receiving mail system enforces sender-authentication checks (SPF, DKIM and DMARC), nothing verifies that the message really came from the domain it claims.

How is this different from whaling?

Phishing and whaling are quite similar, but the warning signs can differ. Whaling is where the cybercriminal impersonates a senior member of staff and sends a communication under their guise. (The term is also used for phishing aimed at senior staff themselves; either way, the senior person's authority is the lever.) The message usually arrives as a work email, but it could come by text or even over the phone.

Often the pressure is piled on: the less senior member of staff is asked to urgently provide information, make a payment or hand over confidential details such as login credentials.

What are the risks?

Phishing and whaling are often the gateways to many different types of cyber fraud. The message may ask you to enter your username and password so that the criminal can take over your account and steal data or money, or it may carry a link or attachment that installs ransomware or other malware.

It may ask you, under the guise of a supplier or senior staff member, to urgently change the bank details of a creditor. This is known as mandate fraud. Cybercriminals often use social engineering, for example monitoring social media so they can time their emails for when the person being impersonated is on holiday or out of the office and cannot easily be asked to confirm the request.


  • Look closely at the sender's email address, not just the display name, to check whether anything looks unusual, such as a lookalike domain or a different address in the Reply-To field.
  • Always review invoices to check for inconsistencies and errors. Don't assume an invoice is genuine just because it comes in on correctly headed paper.
  • If you are concerned about the source of a phone call, ask the caller for a main switchboard number so you can be routed back to them. Alternatively, hang up and call them back using established contact details, not a number given in the suspicious message.
  • Never allow yourself to be pressured into bypassing agreed verification processes and procedures.
  • Look out for spelling and grammar mistakes, but remember that a well-written message can still be fraudulent.
  • Treat unusual requests for payments extremely cautiously. Always try to speak to the person face to face or by phone, using a number you already hold, rather than relying on email.
  • Never assume that a request is safe because a colleague trusts the source. It is the responsibility of the person changing the creditor details to verify that the request is genuine.
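The first point above, checking the sender's address rather than the display name, can be turned into a simple desk-side check. The following is an added example written for this page, not code from the original article or from any council system: it parses the From and Reply-To headers of a message and flags a lookalike sender domain, a display name that shows a different address from the real one, and a Reply-To that diverts replies elsewhere. The trusted domains, the character-swap list and the sample messages are all constructed for illustration.

```python
"""Sender-header checks for the warning signs listed above.  Added example;
the trusted domains and the sample messages below are constructed."""
import difflib
import email
from email.utils import parseaddr

# Assumed: domains this organisation genuinely corresponds with.
TRUSTED_DOMAINS = sorted({"york.gov.uk", "veritau.co.uk"})

# Character swaps commonly used to build lookalike domains (fake -> real).
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def normalise(domain: str) -> str:
    """Undo the usual character swaps so 'y0rk.gov.uk' compares as 'york.gov.uk'."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is
    genuine (or a subdomain of a genuine one) or simply unrelated."""
    if not domain:
        return None
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or trusted in norm:
            return trusted          # e.g. y0rk.gov.uk, york.gov.uk-invoices.com
        if difflib.SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted          # e.g. york-gov.uk (one character changed)
    return None


def check_sender(raw_message: str) -> list:
    """Return a list of warning strings for one message's From/Reply-To headers."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    warnings = []

    imitated = lookalike_of(from_domain)
    if imitated:
        warnings.append(f"sender domain {from_domain!r} looks like {imitated!r}")

    # A display name that itself contains an address hides the real sender
    # on mail clients that show only the name.
    name_domain = domain_of(display_name)
    if name_domain and name_domain != from_domain:
        warnings.append(f"display name shows {display_name!r} but mail is from {from_addr!r}")

    # Replies to a spoofed message are often routed to a mailbox the fraudster owns.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"replies would go to {reply_addr!r}, not to {from_addr!r}")
    return warnings


# Constructed sample messages (headers only matter here).
GENUINE = "From: Jane Smith <jane.smith@york.gov.uk>\nSubject: Minutes\n\nHi\n"
LOOKALIKE = "From: Jane Smith <jane.smith@york-gov.uk>\nSubject: Urgent payment\n\nPay today.\n"
HIDDEN = 'From: "jane.smith@york.gov.uk" <jsmith2017@mail.example>\nSubject: Invoice\n\nAttached.\n'
DIVERTED = ("From: Jane Smith <jane.smith@york.gov.uk>\nReply-To: jane.smith@mail.example\n"
            "Subject: Bank details\n\nPlease update.\n")

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                          ("hidden", HIDDEN), ("diverted", DIVERTED)):
        print(label, check_sender(sample) or "no warnings")
```

Note the limit of this kind of check: a message whose From address is an exact forgery of the genuine domain, as in the York case described below, produces no warning here. That case is only caught by SPF/DKIM/DMARC enforcement on the mail gateway, or by doing what the manager did and speaking to the person directly.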

In 2017, a fraudster impersonating City of York Council's Deputy Chief Executive contacted a senior manager asking for an urgent payment for "copyright infringement". The invoice sent asked for a payment of almost £12,000. The email appeared to come from the Deputy Chief Executive's work email address.

Fortunately the senior manager who was contacted had doubts about the request and spoke to the Deputy Chief Executive directly to confirm the payment. When the attempted fraud was discovered, Veritau and the council's ICT department were alerted. The fake emails were traced to a server in Houston, Texas, and the bank account the fraudsters used was traced to a property in Oldham, Greater Manchester. Details were passed to the police.

Many organisations haven’t been so fortunate. The National Fraud Intelligence Bureau estimates that £32 million has been lost in the UK through this type of fraud. Last year, another council in Yorkshire was targeted by a sophisticated attack which combined mandate fraud with email interception and impersonation of the legitimate creditor.

The fraudster is suspected to have monitored emails between the council and third party suppliers. They then used the genuine email chain to lend legitimacy to their request for a change in bank account details, which was timed to coincide with an invoice which had been received from the genuine supplier. £16,000 was lost.