
Exclusive

How Australian bosses are being tricked out of millions of dollars by cyber criminals

SOME of Australia’s biggest bosses are being tricked into handing over millions of dollars by organised crime gangs in an embarrassing new online trend.

SOME of the nation’s biggest CEOs have been tricked out of millions of dollars with criminals trolling their personal social media to fool their firms into transferring money.

A confidential brief to the Federal Government has warned of a burgeoning trend in “CEO whaling”, with vast amounts of money lost through an average of just three to six plain text emails.

But while authorities know it is occurring at an alarming rate, the scale of loss is largely a mystery with firms and bosses too embarrassed to report the attacks and insurance companies likely to dismiss claims as an internal failing.

News Corp Australia has learned authorities have identified organised crime groups both in Australia and abroad indirectly recruiting young genuine marketing and digital workers from all industries to, in some cases, unsuspectingly help in the fraud.

The Australian Signals Directorate, a Defence intelligence division, noted most of the cyber whaling crimes originate in Eastern Europe.

“CEO Whaling” is increasing as a cyber crime in Australia with businesses losing millions of dollars. Picture: AP

“Big whales, big fish, big catch when it happens they make a lot of money, we’ve seen examples of that in Australia typically $100,000, $200,000 and a couple of biggies out there into the millions but people don’t talk about it and generally they are not covered off by insurance, typically because it is fraud and an internal failed process,” a cyber security has revealed.

CEO whaling relies on researchers, working with professional criminals, trawling through the personal lives of bosses: looking at their Facebook, Instagram or LinkedIn accounts or, if they are high profile, news media sites, to study where and when they holiday, their families, their friends, their football teams and social habits.

This then leads to the identities of close colleagues in the company, with any gaps in the public intelligence-based profiles filled with information from the dark web.

The socially engineered fraud occurs as highly personalised emails are sent to the accounts division or colleagues, specifically noting a recent holiday, new car or friend postings, with enough exchanges and detail to request a certain invoice or transfer, and the money then disappearing offshore.

The amount lost is generally reflective of the size of firm; the bigger the company the bigger the fraud.

Cyber security pioneer Craig McDonald, founder of MailGuard cyber security service. Picture: Supplied

Craig McDonald, founder of leading cyber security firm MailGuard, which is contracted to advise various government agencies and globally partnered with Microsoft, said fear of reputational damage prevented a lot of businesses reporting crime, and more so for embarrassed CEOs.

“Some of the emails are literally ‘hope you had a great time surfing on the weekend, need to get invoice paid urgently and I’m on a plane as you know’, enough for the other to think ‘yep this is our CEO’,” he said.

“It’s not a lot of work, it’s not about building all this up over months or years, it’s fairly quick, they’ve got it down pat, scraping things off the internet.”

Mr McDonald said companies, including small businesses, were racking up huge financial losses in secret, with the scam going beyond the usual ransomware or brand hijacking.

This year more than 30 per cent of small businesses experienced a cybercrime, at an average cost of $276,323 per incident with the overall cost to the economy topping more than $1 billion.

Original URL: https://www.dailytelegraph.com.au/technology/how-australian-bosses-are-being-tricked-out-of-millions-of-dollars-by-cyber-criminals/news-story/57318e06c02a8215b8d67d521a219aea