
Copyright Notice

• Copyright STEP 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


PHISHING


What is Phishing?

• Definition - (fish´ing) (n.) “The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords, credit card, social security numbers, and bank account numbers that the legitimate organization already has.”


Why Phish In A Sea Of People?

• Phishers want your personal information to use it for their own personal gain.

• It is simple to create a Web site that looks legitimate by mimicking another site’s HTML code.

• It is cheap and easy.


Who Is Behind Phishing??

• Scam artists who are “phishing” for some bait.

• If you have an email, you are at risk.

* If you have made your email public, then you will be more susceptible.


Don’t Let An Email Reel You In

• Phishers are not looking for every user to respond, but they are hoping for a “bite” or two.

• Many emails state that specific information is needed to update an account and others state your account may even be terminated.

• Email addresses are easily accessible on the internet.


What To Look For

1. The “from” field may look like a familiar company, but it is a simple task to change the “from” information.

2. Although the logos are from the company, they are likely to have been copied into the email from the actual company.

3. The email also has a clickable link within the content; if you mouse over the link, the actual Web address is shown at the bottom left of the screen.

* These are just a few examples of fraudulent emails.

You may also look for misspellings, @ signs within the hyperlink, random names, misleading email headers…


A Single Tip Is Not Good Enough

• Although all of these tips are things to look for, it is important to understand that each phisher is different.

• You should always look at two or more clues before you get reeled in and cannot get out.
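
The clues from “What To Look For” and the two-or-more rule above, combined in an added Python example that is not part of the original slides. It assumes a single-part, unencoded HTML message; the sample message, the Reply-To comparison used to stand in for “misleading email headers”, and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed sample message (reserved test domain and address only).
SAMPLE = """\
From: "Example Bank" <service@examplebank.test>
Reply-To: collect@mailbox.invalid

<a href="http://www.examplebank.test@203.0.113.7/login">www.examplebank.test</a>
"""

class LinkCollector(HTMLParser):  # gathers (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    # urlsplit only recognises a host after "//", so add it for bare names
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
def domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_clues(raw_email):
    """List the clues found in a single-part, unencoded HTML message."""
    msg, clues = message_from_string(raw_email), []
    if domain(msg["Reply-To"]) not in ("", domain(msg["From"])):
        clues.append("misleading header: Reply-To domain differs from From")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        if "@" in urlsplit(href).netloc:
            clues.append("@ sign within the hyperlink")
        # Hover check: visible text looks like an address but href goes elsewhere
        if "." in text and " " not in text and host(text) != host(href):
            clues.append("link text does not match the actual address")
    return clues
def is_suspicious(raw_email):
    return len(phishing_clues(raw_email)) >= 2  # two or more clues
```

A message with only one clue, such as a newsletter whose link text names a different host than its tracking link, is listed by `phishing_clues` but not flagged by `is_suspicious`.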


How To Keep Swimming Up Stream

• Always read your credit card statements in the mail to look for unauthorized charges.

• If you are uncertain about the information, contact the company through an address or telephone number you know to be genuine.

• Be cautious when opening an attachment or downloading email files.

• Use anti-virus software or a firewall (keep them updated).

• If you unknowingly supplied personal or financial information, contact your bank and credit card company immediately.

• Suspicious e-mail can be forwarded to [email protected]@ftc.gov. Complaints should be filed with the state Attorney General's office or through the Federal Trade Commission at www.ftc.gov or 1-800-FTC-HELP.


Spear Phishing

• This is the newest addition to the phishing scam, and it is highly targeted.

• Definition - “A type of phishing that focuses on a single user or department within a single organization. The Phish appears to be legitimately addressed from someone within that company, in a position of trust, and request information such as login IDs and passwords.”


Spear Phishing (continued)

• The email will appear to be from a trusted person within a company, usually the human resources or technical support.

• Passwords, usernames and other personal information are usually asked for.

• When the hackers receive this information, they can log into the entire company’s system.

• If you click the link within the email, spyware could spread across the entire network.


How To Avoid Getting Hooked

1. NEVER in any circumstances give out personal information over email.

2. At the first sign of a suspicious email, personally get in touch with the person or organization the email is supposedly from.

3. NEVER click on links from an email that is asking for personal information.

4. Do not be hesitant to report a suspicious email to the company that the email appears to be from.

5. Microsoft has a Phishing Filter; for more information visit the Microsoft Web site.


Companies That Have Been Affected

• Banks
  – Wells Fargo, Citi Bank

• Online Accounts
  – PayPal

• Personal Accounts
  – People in other countries asking for money to help


Damage Caused

• Identity theft could lead to:

1. Unauthorized bank transfers.

2. Fake accounts and bad credit.

3. Not being able to access your own account.

4. Obtaining personal information by accessing public records.

5. Financial loss.


Tall Tails

• Myth- A secure, encrypted web page is a valid page.

  – Truth- Never rely solely on the web address. It is possible for any site to be a phishing site.

• Myth- The address bar always shows the correct address.

  – Truth- Vulnerabilities in the browser may allow phishers to spoof information in the address bar.

• Myth- It is safe to log in to a site once you know it is legitimate.

  – Truth- An intelligent scam artist could use the original company’s forms to redirect you to an illegitimate site as soon as you “login”.


Thank You For Coming!

Instructional Support Services
Texas Woman’s University

Contact Information:
Phone: (940)898-3288

E-mail Address: [email protected]@twu.edu