April 18, 2008

"Whaling" Through Fake Online Subpoenas

Over the last few years, we've all learned to be wary of e-mail "phishing" scams, which appear to be legitimate e-mails from financial institutions or other trustworthy organizations that alert you to an alleged problem with your account and invite you to click on a link to "correct" the problem. Of course, the e-mail is a fraud, and if you follow the instructions, you may end up giving crucial account access information to a scammer and may also wind up with malicious software on your computer that surreptitiously records all of your keystrokes.

A more polished variation of this scam is now targeting the personal information of top executives throughout the country in the form of e-mails that look like an official subpoena from a federal court, ostensibly requiring the recipient to appear before a grand jury. Each fake subpoena is personalized to include the executive's name, phone number, company name and correct e-mail address. When an executive clicks a link within the document for further information, however, a program secretly downloads and installs software that later records keystrokes and sends the data to a remote computer over the Internet. A second piece of the attack allows the recipient's computer to be controlled from a remote location.

According to The New York Times, researchers who have analyzed the downloaded file say fewer than 40 percent of commercial antivirus programs were able to recognize and intercept the attack.

Because the targets of the fake subpoena so far have been high-income people, this latest attack is called "whaling," as opposed to the general online fakery that is commonly called "phishing."

Online scams are among the biggest threats to companies today, and the criminals are getting more and more sophisticated. Because these scam e-mails are often received on work computers, they pose a threat not only to the individual who is targeted but also to the security of your company's information systems. To protect your information systems, you need not only technical controls but also a workforce trained to be suspicious of these kinds of e-mails.

Warner Norcross & Judd battles these scams through its Privacy and Information Security Group. The group takes a cross-disciplinary approach to privacy issues by drawing on experienced attorneys in banking, health care and human resources to ensure businesses meet their legal obligations to protect electronic data and information systems. Members of the team review information security policies, audit third-party contracts, develop information security programs and train employees.

Additionally, our Rapid Response Team works with businesses that experience a data breach to limit liabilities, protect customer relationships and prosecute data thieves.

If you have questions regarding this issue or any other privacy and information security matter, contact a member of Warner's Privacy and Information Security Group.
