Posted on April 26, 2019 by Louise Howland
In Episode 6 of Cyber Chat, Rob May explains the difference between Phishing and Whaling and what you can do to protect yourself and your organisation from them.
Managing the ongoing cybersecurity of your IT infrastructure should be a primary concern – whatever the shape or size of your organisation. Cybersecurity breaches are the number one threat in today’s business landscape. Incidents come in many forms: cyber attacks; laptops left on trains; malicious staff; or, even more simply, accidental data loss caused by human error. The human firewall is vital as a line of defence for any organisation, and in this video Rob, author of The Human Firewall (available on Amazon), explains what the Human Firewall is.
Cyber Chat – Episode 6 – transcript
Hi, I’m Rob May, MD of ramsac and welcome to Cyber Chat. Today, I want to talk to you about Phishing and Whaling.
So, Phishing is an email that comes in pretending to be someone that they’re not. We’ve all received Phishing emails at some point; you’ve probably had the infamous email from a long-lost family member who lives in Nairobi and is trying to get money out of the country and into your bank account. That’s a crude form of Phishing. And frankly that’s been around since way before email; we used to get those as letters or faxes into the office long before email. But that’s Phishing.
I think a bigger problem is Whaling. So, Whaling is a Phishing attack aimed at the big fish in an organisation: directors. It’s sometimes called CEO crime, and there’s a successful Whaling attack every 15 minutes of every working day in the UK. And by success I mean that money is transferred out of a bank account of a business into a criminal’s bank account. So it’s a huge problem and the message just isn’t getting through. And unfortunately, I’ve seen far too many successful whaling attacks.
One that springs to mind: we had a client, and the lady in accounts received an email from her MD. The MD said, “I’m at a trade show” (which he was, and the world knew he was because he’d been tweeting about it). “I’m at a trade show. I met a guy last night and he’s got a service which is going to help us with Project Kylie.” Now, the thing that was clever about this was that Project Kylie was a top secret project that supposedly only 3 people knew about in the business. “I’ve agreed to work with him. Here are his bank details. I need you to pay £7,500. If you could do that when convenient today, I’d really appreciate it. Actually, I’m meeting him for a coffee at 11 o’clock; if there’s any chance you could do it before then, give me a call and let me know, because that would be a nice thing to do and to be able to tell him.” The thing is, that was all written in the way that this particular MD spoke, and the way that he would talk to his accounts lady, so she read it and was just convinced that it was from him. So, she transferred the £7,500. She phoned him up and said, “I’ve done it,” and he said, “You’ve done what?” And I think one of the problems is, the person who presses the button (and remember this is happening every 15 minutes of every working day), when they find out, they’re gutted, absolutely gutted, that they’ve been tricked. But what they will always say is something along the lines of, “It was definitely from my MD or my CEO or whomever, and it’s more than my job’s worth not to do what my MD tells me to do.” And we have to change that culture.
What you need to be sure of is that within your business it’s more than their job’s worth to make a payment based on an email instruction. No one should ever do that. What they should be doing is picking up the phone and saying, “Is this really you? Is this really what you want me to do?” So, beware of whaling attacks; they’re absolutely rife. And you need to be aware of them, you need to tell your staff, and you need to educate your staff not to make any payments on the back of an email instruction. I hope that’s been useful and I look forward to speaking to you again. Thank you.
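The two controls Rob describes in this episode are an email that pretends to be a director and a rule that no payment is ever made on an email instruction alone. As an added example that is not part of the Cyber Chat post or ramsac’s own tooling, the following Python script shows how an inbound-mail check could flag the impersonation signals from the story (a director’s display name coming from an address other than their real mailbox, a lookalike sender domain, a Reply-To that redirects replies elsewhere) and route any payment request to mandatory phone verification. The organisation domain `example-corp.com`, the executive list, the keyword list and the four sample messages are all constructed for this illustration; the message dicts stand in for parsed mail headers.

```python
"""Whaling triage check: added illustration, not code from the page or from ramsac.

Assumptions (all constructed for this example):
- the organisation's own mail domain is example-corp.com (placeholder)
- the directors' real mailboxes are known in EXECUTIVES
- each message is a dict with From, optional Reply-To, Subject and Body
"""
from email.utils import parseaddr
import re

ORG_DOMAIN = "example-corp.com"                       # placeholder organisation domain
EXECUTIVES = {"rob may": "rob.may@example-corp.com"}  # constructed: lowercase name -> real mailbox
PAYMENT_WORDS = re.compile(r"\b(pay|payment|transfer|bank details|wire|invoice)\b", re.I)


def _domain(addr):
    """Return the lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(msg):
    """Return {'verdict': ..., 'reasons': [...]} for one inbound message."""
    reasons = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    name = re.sub(r"\s+", " ", display).strip().lower()

    # 1. Display name of a director, but not sent from that director's real mailbox.
    expected = EXECUTIVES.get(name)
    if expected and from_addr != expected:
        reasons.append(f"display name '{display}' but sender is {from_addr}, expected {expected}")

    # 2. External domain that is only a character or two away from our own.
    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom} looks like {ORG_DOMAIN}")

    # 3. Reply-To pointing somewhere other than the apparent sender's domain.
    if msg.get("Reply-To"):
        _, reply_addr = parseaddr(msg["Reply-To"])
        if _domain(reply_addr) != from_dom:
            reasons.append(f"Reply-To {reply_addr} differs from sender domain {from_dom}")

    # 4. Any payment instruction: per the episode's rule, never actioned on email alone.
    text = f"{msg.get('Subject', '')}\n{msg.get('Body', '')}"
    payment = bool(PAYMENT_WORDS.search(text))
    if payment:
        reasons.append("message asks for a payment or supplies bank details")

    if payment and len(reasons) > 1:
        verdict = "hold_and_phone_sender"          # impersonation signals plus a payment ask
    elif payment:
        verdict = "phone_verification_required"    # looks genuine, but still confirm by phone
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages modelled on the Project Kylie story in the transcript.
SAMPLES = [
    {"From": "Rob May <rob.may@examp1e-corp.com>",
     "Subject": "Project Kylie",
     "Body": "I'm at a trade show. Here are his bank details. I need you to pay 7,500 today."},
    {"From": "Rob May <rob.may@example-corp.com>",
     "Subject": "Supplier deposit",
     "Body": "Please transfer the deposit to the new supplier today."},
    {"From": "Alice Partner <alice@partner.example>",
     "Subject": "Thursday",
     "Body": "Agenda for Thursday's meeting attached."},
    {"From": "Rob May <rob.may@example-corp.com>",
     "Reply-To": "Rob May <rob.may@freemail.example>",
     "Subject": "Quick one",
     "Body": "Are you free for a quick call later?"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = assess_message(sample)
        print(sample["From"], "->", result["verdict"])
        for reason in result["reasons"]:
            print("   -", reason)
```

The verdicts deliberately keep a genuine-looking request from the real mailbox at `phone_verification_required` rather than `ok`: the episode’s point is that the sender check is not the control, the phone call is. A mail gateway or ticketing integration would use the `reasons` list to tell the accounts team what to say when they ring the director back.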