The latest addition to the well-loved heist series had audiences flocking to theaters to watch Sandra Bullock and her all-female crew take on their biggest job yet. Debbie Ocean (Sandra Bullock), the sister of the deceased Danny Ocean, is released from the big house at the very start of the film. Soon after her release — wearing the same clothes as the night she was arrested — Debbie contacts her old partner Lou (Cate Blanchett), a spitfire rock ’n’ roll beauty. Ocean discusses the details of the plan that she dreamt up while in solitary confinement for five years: stealing jewels from the Met Gala. Curiosity gets the best of Lou and she signs on to Ocean’s team immediately. Lou and Debbie go hunting to assemble the rest of their team: a speed jeweler and diamond expert (Mindy Kaling), a suburban mom, wife, and retired criminal (Sarah Paulson), a genius hacker (Rihanna), a famous fashion designer (Helena Bonham Carter), and a skateboarding sleight-of-hand mastermind (Awkwafina). Anne Hathaway plays Daphne Kluger, Hollywood’s biggest star, who later becomes a pawn in the team’s jewel heist. From there, Ocean and team pull off the largest jewel heist of the century, stealing over 105 million dollars’ worth of jewels.
While this movie was hilarious, action-packed, and empowering in all the right ways, it also highlighted the importance of cybersecurity education and awareness. As it turned out, a plot surrounding the largest jewel heist of the century was the perfect time to film Ocean’s mastermind hacker crack through a few accounts and access a few private systems, ultimately showing audiences just how easy it is to have your information compromised no matter how safe you think you are.
Rihanna’s character NineBall has many shining moments throughout the film, where I could hear audience members sitting next to me gasp at how genius her hacking skills were. The scene that truly highlights the importance of knowing cybersecurity best practices, however, is when NineBall is asked to build a blind spot by the women’s restroom at the Met. In order to build this blind spot, NineBall needed access to the security cameras within the Met. While most people would think that’s impossible, NineBall proved to us that it was just a simple walk in the park. All she had to do was phish.
Being the mastermind she was, NineBall researched the CEO of the security company that operated in the Met. After one search of his name, she came upon the CEO’s public Facebook page and quickly discovered everything she needed to know: 1) that the CEO was obsessed with Wheaten Terriers, 2) that he had a Wheaten Terrier himself, and 3) that he often took his “wheatie” to dog shows and typically returned home winning the grand prize from each competition. The scene cuts back to NineBall, who cracks her fingers, smirks, and gets to work. She creates a phishing advertisement for a Wheaten Terrier dog show and posts it on the CEO’s timeline.
The camera cuts back to the CEO sitting at his desk about to leave for the day when his email dings. He swivels around in his chair and opens up NineBall’s advertisement. Against his better judgment, he clicks on the link and is redirected to a page full of cute dog photos, distracting his attention while NineBall gains access to all of the security cameras in the Met. After the CEO leaves his desk, NineBall freezes his screen and downloads all the files she needs to build the blind spot by the women’s bathroom, and thus help steal 105 million dollars’ worth of jewels.
You would think that the CEO of a security company would know better than to click on a suspicious link sent to his inbox and posted on his timeline. But phishing hooks everyone, no matter who you are. With the right kind of information, any email scam can look legit. And more often than not, your average person does not know how to tell a phishing email from a regular email, especially if the email contains information that interests them.
Let’s revisit this scene and give our CEO a bit more help. Just before the CEO leaves, his inbox dings with a new email. He opens the email to see an advertisement about a Wheaten Terrier dog show. Pausing here for a moment, notice how the advertisement looks quickly made. There are no signs of legitimacy and the link to click is dancing around on the screen in large blue text. Those should be our CEO’s first signs that the email advertisement is fake.
If the CEO were still not convinced, he should scan the email address. What is the username of the person who sent the email? Does it really look like an official email of someone who is running a Wheaten Terrier dog show? Has he ever received an email from this person about Wheaten Terrier dog shows? The CEO has been to so many that by drawing on this knowledge he can begin to assess whether or not this email is a scam. The conclusion he should come to is that this is a phishing email and should be reported or deleted from his inbox.
It’s important to recognize that these same phishing attacks that cost this CEO 105 million dollars in Ocean’s 8 can also happen to us. We need to remember our best practices when dealing with phishing emails and make sure to use them on a daily basis. Let’s be better than the security team in Ocean’s 8.