Over the past couple of weeks we have been working very closely with a customer who was the victim of a phishing scam. Specifically it was a whale phishing (or whaling) technique, a type of spear phishing attack that is directly targeted at senior individuals within an organisation. (The opposite of whale phishing is minnow phishing, or minnowing, where the attack is specifically directed at the apparently less significant members of a company such as receptionists or call centre workers – as seen in the recent Norton & Yahoo Cybergeddon movie.)
Phishing is a fascinating area of security as it typically relies on our humanity (or you can read that as stupidity) to be successful. I see this with family members who quite happily delete emails from banks they don’t have accounts with, yet contact me to ask whether ‘this email that’s come from their bank’ is legitimate. Banks and other organisations that deal with our personal data are getting very good at providing a small piece of personal data that identifies they are legitimate, but even so, never assume anything.
In this case, despite all of the numerous security procedures, solutions and teams looking after them, the phisher was successful and the email was replied to with the response they had asked for. We became involved to try and understand how it had happened and where things had gone wrong. How had a senior individual of an organisation handed over his network login and password on the basis of a brief two line email?
What we uncovered was a series of errors and assumptions, all made by humans, that conspired to let this happen. In part two, I will look at each area to highlight how it happened and how many other organisations can easily fall prey to phishing due to the same problems.
Part two can be found here.