“This is my very personal number. Do not share with anyone.” “Immediately make these transfers and do not disturb me at all. I am in an important meeting.” These were some of the messages the cyber criminals used to trick the senior officials of some Pune-based companies using phone numbers and emails which had display pictures of their company’s Chief Executive Officers (CEOs).
In these cases, cyber attackers posing as company CEOs manipulated senior officials into transferring large funds to fraudulent accounts. After six such cases were reported to Pune and Pimpri Chinchwad police since July last year — including one in which global vaccine major Serum Institute of India was cheated of Rs one crore — cyber investigators have warned private companies about these scams, known as ‘spear phishing’ or ‘whale phishing’ attacks and commonly called ‘CEO scams’.
“Aren’t we all anxious when our bosses call? That is exactly what the cyber criminals are exploiting, well, other than the lack of basic cyber awareness,” said an officer who has investigated some of these cases.
In one such whale phishing attack in September last year, cyber criminals targeted an official from Serum Institute of India (SII), a company which was not just the central player in the global supply of Covid-19 vaccine but is also the world’s largest vaccine manufacturer. On September 7 last year, Satish Deshpande, one of SII’s directors, received a WhatsApp message from a number with a display picture of the company’s CEO, Adar Poonawalla. He was instructed to transfer funds to several bank accounts. Believing the message to be authentic, Deshpande instructed another employee to transfer Rs 1,01,01,554 to the specified accounts in 12 online transfers. These accounts were located in banks in Bihar, Madhya Pradesh, Odisha, West Bengal and Assam, as per the FIR registered in the case. The next day, when Deshpande spoke to Poonawalla on the phone, it came to light that Poonawalla had not given any such instructions and that the number was not his, the FIR states.
In the last week of November 2022, the police arrested seven persons including two engineers, a science graduate and a bank employee. “While we have been able to make arrests in the case, we are yet to nab main racketeers and masterminds in the case. Those arrested are mid-level operators from these multi-layered and well-oiled rackets. The links to foreign operatives can’t also be denied,” said another officer, who is part of the investigation.
An officer from cyber crime police station said, “In the information security domain, there is a concept called social engineering, where criminals manipulate victims into doing something by exploiting the social dynamics. In this case, it is hierarchies in companies. These cases of CEO frauds suggest that the cyber criminals know which employee to target. These scams are called spear phishing because these are targeted phishing attacks as against phishing in which an attempt is made to scam a large target group. It is also called whale phishing as it targets top officials, CEOs or MDs of the companies, the heavyweights. This fraud was fairly common in the US in the late 2010s. It is also possible that such scamsters may even manipulate staffers into divulging critical information, which can be far more damaging than loss of funds.”