Business Email Compromise (BEC) is one of the most financially devastating cybercrime categories in existence. The FBI reported $2.9 billion in BEC losses in 2023 — more than any other cybercrime type. Unlike ransomware, BEC doesn’t require malware. It requires research, patience, and a convincing email.
Whaling vs. Spear Phishing vs. Phishing
These terms are often conflated, but they describe different levels of targeting:
- Phishing: Mass, untargeted emails hoping someone clicks
- Spear phishing: Targeted emails crafted for a specific person or department
- Whaling: Spear phishing specifically targeting high-value individuals — CEOs, CFOs, board members, legal counsel
Whaling attacks are high-effort and high-reward. A single successful whaling attack can yield millions of dollars or sensitive intellectual property.
How Attackers Research Their Targets
The reconnaissance phase of a whaling attack is thorough and entirely passive — no hacking required. Attackers use publicly available information:
LinkedIn is the primary intelligence source. A corporate LinkedIn profile reveals:
- The target’s full name, title, and direct reports
- Recent travel, speaking engagements, and company announcements
- Employee names in finance and accounting (who processes payments)
- Vendor and partner relationships
Company websites reveal org charts, press releases with executive quotes, and financial disclosures. SEC EDGAR filings name officers and sometimes reveal compensation structures. Twitter/X and conference agendas show where executives will be and when they’ll be traveling — unavailable to verify requests in real time.
With this data, an attacker can compose an email that references real people, real projects, and real context. The target has no reason to suspect it isn’t legitimate.
Anatomy of a CEO Fraud Attack
Here is a realistic example of a BEC wire transfer scam:
From: [email protected] (spoofed or lookalike domain) To: [email protected] (CFO or AP clerk) Subject: Urgent — Confidential Wire Transfer
Sarah,
I’m currently in the Zurich acquisition meetings and need you to process a wire transfer today. Legal has cleared this — it’s time-sensitive and must be completed before market close.
Please transfer $347,000 to the following account:
- Bank: Deutsche Bank AG
- Account: [account number]
- IBAN: [IBAN]
- Reference: Project Falcon — NDA
Do not discuss this with anyone per our legal team’s instructions. I’ll explain everything when I’m back Thursday. Please confirm when sent.
— David Johnson, CEO
Notice the elements at work: urgency (before market close), authority (the CEO), secrecy (legal instructions), and context (real-sounding acquisition, travel confirmed from LinkedIn). The attacker even knows the CFO’s name.
Domain Spoofing and Lookalike Domains
Attackers use two main technical methods:
Header spoofing: Forging the From: display name while using an unrelated sending domain. The email appears to be from David Johnson <[email protected]> but is actually sent from a throwaway domain. Without email authentication, many mail servers accept this.
Lookalike domains: Registering domains that resemble the target company — acmecorp-finance.com, acme-corp.com, or using Unicode lookalike characters (homoglyph attacks). These pass visual inspection and are harder to catch.
Preventive Controls That Actually Work
DMARC, SPF, and DKIM
These three email authentication standards work together to block spoofed emails:
| Standard | What It Does |
|---|---|
| SPF | Specifies which mail servers can send email for your domain |
| DKIM | Cryptographically signs outgoing mail so recipients can verify it |
| DMARC | Tells receiving servers what to do with mail that fails SPF/DKIM — quarantine or reject |
A DMARC policy of p=reject means spoofed emails claiming to be from your domain are rejected outright. Every organization should implement this. Check your current DMARC record at mxtoolbox.com.
Callback Verification Procedures
Any wire transfer request received via email should be verified through a separate, established communication channel — not by replying to the email, not by calling a number provided in the email.
Finance teams should have a written policy:
- Any transfer above a defined threshold (e.g., $10,000) requires phone verification
- Use the phone number from your internal directory, not from the email
- Verification is mandatory regardless of apparent sender authority
This single control stops the vast majority of BEC attacks.
Additional Controls
- Dual-approval workflows for wire transfers — one person initiates, another approves
- Out-of-band alerts from banks for large outgoing transfers
- Email banners that flag external emails, even when display names look internal
- Security awareness training specifically simulating whaling scenarios for finance staff
- FIDO2 hardware keys for executive email accounts to prevent account takeover enabling real BEC
What to Do If You’ve Been Hit
Speed is critical. Wire transfers can sometimes be recalled if caught within 24–72 hours:
- Contact your bank’s fraud department immediately
- Request a SWIFT recall or wire reversal
- File a complaint with the FBI’s IC3 (ic3.gov) — they have a Financial Fraud Kill Chain program
- Notify law enforcement locally
- Preserve all email headers and communications as evidence
The FBI’s IC3 has successfully frozen and recovered funds in BEC cases when notified quickly. Time is the enemy — act within hours, not days.
Whaling attacks will continue to work as long as organizations treat email as inherently trustworthy and skip verification for “urgent” requests. The countermeasure is cultural as much as technical: build a culture where it’s expected and encouraged to verify any financial request, regardless of who appears to be asking.