Minnowing… The Opposite Of Whaling

A couple of weeks ago I wrote about phishing at the top of an organization, or whaling. There is, of course, phishing at the lower end of the organization too – minnowing. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill. We saw this happen late last year when a supermarket chain was targeted and the criminals were caught. It is happening more frequently and is either not reported, or not even noticed.
To begin with you need to pick the company – it needs to be ‘big’ so that people in accounts payable don’t necessarily know what has or hasn’t been done. You then need to find out a little more information about an individual – and this is where social networking sites prove to be a risk. People put other information (along with pictures) on the web for all to see, including where they work, their department and even phone numbers. Armed with this, the attack vector is the same as the FAX scams of old: you email to find out what has happened to a payment and then escalate from there. If impersonating a real supplier, a quick phone call can ascertain an outstanding bill… “I was just checking to see what happened to payment for invoice 1234”, “Don’t you mean 5678?”… “Oh, did you get the change in our bank details / address for payment…”
What can be done? In the same way that whaling needs people to pay more attention to the content, the same is true for minnowing. Awareness and education for the staff most at risk, so that they know this threat has been seen, is important. Additionally, other process changes may be required to establish that the person on the other end of the phone or email is the actual supplier and not an impersonator, particularly before acting on any change to bank details or payment address.