CEOs, CFOs Targeted by Cyber Whaling Schemes

As a reminder, AAFCPAs warns of sophisticated phishing attacks directed specifically at senior executives and other high-level targets within businesses and organizations. We have seen an uptick in the frequency of these attacks, called whaling schemes, in which cyber criminals send a highly convincing business email that appears to come from a legitimate business authority, or even from an internal colleague. The content is tailored for upper management, generally with the goal of tricking financial staff into making fraudulent wire transfers to bank accounts controlled by thieves. These targeted attacks are known to exploit the close working relationship between CEOs and CFOs. Other reported whaling schemes include emails posing as a legal subpoena or a customer complaint.
[Figure: Whaling email example]

The FBI calls such campaigns Business Email Compromise (BEC), and noted that as many as 7,000 US businesses have been victimized by such scams over the past two years, resulting in some $740 million in losses.
AAFCPAs encourages our clients to develop countermeasures to risks, including regular security awareness training of employees, adequate internal control processes, and regularly updated & assessed technology controls.
At a minimum, use caution when responding to emails even if they appear to originate from a trustworthy source. Question the source and the intent of such emails. Do not reply to them; instead, pick up the phone and verify the validity of the request with the purported sender using a number you already have on file.
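The technology-control side of the countermeasures above can be partly automated. The following is an added example, not code from AAFCPAs or the original post: a small Python triage check that flags the indicators a whaling email typically carries, namely a display name borrowed from an executive but an address outside the corporate domain, a lookalike domain one character off the real one, a Reply-To that redirects answers elsewhere, and wire-transfer language in the body. The corporate domain, the executive list and both sample messages are constructed for the example and are not from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example (not from the original post): the
# organization's real mail domain and the executives whose names an
# impersonator would borrow, mapped to their genuine addresses.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}


def _domain(addr):
    """Return the lower-cased domain part of an email address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _within_one_edit(a, b):
    """True if b differs from a by exactly one insertion, deletion or substitution.

    A domain one character off the corporate one (examp1e.com vs example.com)
    is a classic lookalike; exact matches are not lookalikes.
    """
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into b
        else:
            i += 1          # substitution
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # trailing leftover is one more edit
    return edits == 1


def assess(raw_message):
    """Return a list of BEC/whaling indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    from_dom = _domain(addr)
    if from_dom != CORPORATE_DOMAIN and _within_one_edit(from_dom, CORPORATE_DOMAIN):
        findings.append("lookalike-domain")

    # Display name matches a known executive but the address is not theirs.
    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("executive-display-name-mismatch")

    # Replies would go to a different domain than the message claims to be from.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-redirect")

    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\b(wire|transfer|urgent|confidential)\b", body, re.IGNORECASE):
        findings.append("wire-transfer-language")
    return findings


# Constructed sample messages for the example.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jd.ceo@freemail.invalid>
To: cfo@example.com
Subject: Urgent wire

I need you to process a confidential wire transfer today. I am in a meeting, email only.
"""

SAMPLE_OK = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    print("suspicious:", assess(SAMPLE_BEC))   # four indicators
    print("legitimate:", assess(SAMPLE_OK))    # []
```

Any non-empty result is a reason to route the message to the out-of-band phone verification step rather than to the wire desk; the check is a triage aid and does not replace that verification, since a compromised internal mailbox produces no header anomalies at all.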
For more information about cyber security and IT risk assessment, please contact your AAF Partner, or James Jumes, leader of AAFCPAs’ integrated business & IT advisory practice at: 774.512.4062 or

About the Author

James Jumes
James joined AAFCPAs in 2013 to lead the Business Consulting Services practice. He has more than 25 years of experience working with information technology systems and diverse business operational processes. James is highly experienced in IT controls and assurance, SOX 404, and Service Organization Control (SOC) reports: SOC 1 (SSAE 18), SOC 2, SOC 2+ and SOC 3 attestation reporting. James developed a unique methodology for delivering SOC reporting services, and he is an AICPA-approved Peer Review SOC Specialist, assisting peer review teams in reviewing SOC 1, 2, 2+ and 3 engagements. He is a HITRUST Certified Common Security Framework (CSF) Practitioner, providing HITRUST CSF self-assessment consulting and SOC 2 + HITRUST assessments against the evolving compliance landscape shaped by HITECH, HIPAA, CMS and various other federal, state and business requirements.