Whaling And Wailing

Guy Bunker

The Chief Executive of HBOS has been a victim of fraud after a thief stole his identification details – probably from a bank statement. What does this show? Well, anyone can be targeted and everyone needs to be careful. Whaling is the practice of targeting the people at the top of an organization. OK, so it’s usually done by phishing rather than theft – but the reward for the cyber-criminal is the same either way, money, with the added benefit that (hopefully) the man at the top has more of it than those further down.

What to do? It all comes down to one thing: protect those paper-based items from the bin rustlers (or dumpster divers) by shredding them. It doesn’t take much to buy a cross-cut shredder, and then it is just a case of getting into the habit of shredding anything and everything with names, addresses and important numbers (bank account details, credit card details, etc.), as well as any of those very annoying ‘you have been pre-approved’ applications for credit cards. Put the shredder where you open the post or where you store old statements, so you do it immediately.

It may sound daft, but you need an Information Protection policy for home (as well as at work), protecting both electronic and paper-based information. It doesn’t have to be long and complex – just a set of simple rules for you and your family. Go out and buy a cross-cut shredder today – you can even get one that will mash up old credit cards and CD-ROMs!

Minnowing… The Opposite Of Whaling

Guy Bunker

A couple of weeks ago I wrote about phishing at the top of an organization, or whaling. There is, of course, phishing at the lower end of the organization too – minnowing. This is where the cyber-criminal targets the people in departments such as Accounts Payable to get them to pay a fictitious bill. We saw this happen late last year when a supermarket chain was targeted and the criminals were caught. This is happening more frequently and is either not reported, or not even noticed.

To begin with, the criminal needs to pick the company – it needs to be ‘big’, so that people in accounts payable don’t necessarily know what has or hasn’t been done. They then need to find out a little more information about an individual – and this is where social networking sites prove to be a risk. People put all sorts of information (along with pictures) on the web for all to see, including where they work, their department and even phone numbers. Armed with this, the attack vector is the same as the fax scams of old: an email asking what has happened to a payment, then escalating from there. If impersonating a real supplier, a quick phone call can ascertain an outstanding bill… “I was just checking to see what happened to payment for invoice 1234”, “Don’t you mean 5678?”… “Oh, did you get the change in our bank details / address for payment…”

What can be done? In the same way that whaling needs people to pay more attention to the content, the same is true for minnowing. Making the staff most at risk aware that this threat has been seen, and educating them about it, is important. Additionally, other process changes may be required to establish that the person on the other end of the phone or email is the actual supplier and not an impersonator.
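The process change suggested above, as an added example that is not from the original post: a small Python check for an accounts-payable workflow that holds any payment whose bank details differ from the vendor master until the change has been confirmed by a callback to the number already on file, never to a number supplied in the email. The supplier, account and phone values are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    """Vendor master record as held by the paying company (constructed)."""
    account: str        # bank account agreed when the supplier was onboarded
    phone_on_file: str  # number verified at onboarding, used for callbacks


@dataclass(frozen=True)
class PaymentRequest:
    """What arrives in the 'what happened to our invoice?' email (constructed)."""
    supplier: str
    invoice: str
    account: str        # account the email asks to be paid into
    reply_phone: str    # number given in the email 'for any questions'
    callback_done: bool # AP phoned the number on file and the supplier confirmed


# Constructed sample vendor master; account and phone values are placeholders.
VENDOR_MASTER = {
    "Acme Widgets": Supplier(account="12-34-56 00112233",
                             phone_on_file="+44 20 0000 0001"),
}


def review_payment(req: PaymentRequest, master: dict = VENDOR_MASTER) -> tuple[str, list[str]]:
    """Return ("pay", notes) or ("hold", reasons).

    Paying the account already on the vendor master needs no extra check; a
    changed account is only released once confirmed by callback to the
    number on file, and the number quoted in the email is never trusted.
    """
    record = master.get(req.supplier)
    if record is None:
        return "hold", ["supplier not on vendor master"]
    if req.account == record.account:
        return "pay", []  # nothing changed, so nothing to verify
    reasons = ["bank details differ from vendor master"]
    if req.reply_phone != record.phone_on_file:
        reasons.append("contact number in the email differs from the number on file; "
                       "the callback must use the number on file")
    if req.callback_done:
        return "pay", reasons + ["change confirmed by callback; update vendor master"]
    return "hold", reasons + ["change not confirmed by callback to the number on file"]
```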