Bsharah Presentation
Threats to Information Security
Protecting Your Personal Information from Phishing Scams
Learning Objectives
• Define a phishing scam.
• Describe how a phishing scam is carried out.
• Explain methods for detecting phish email.
• Provide guidelines for how to avoid being phished.
Risk
There is always risk when you use the internet.
And then there is RISK
Phishing Defined
• Phishing scams or attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
• The term "phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users.
• The name was coined in the 1996 timeframe by hackers who were stealing America On-Line accounts[1].
Phishing Facts
• 3.2 Million – Number of people who fell victim to phishing scams in a 1 year period[2]
• $3.6 Billion – Total dollar loss of all phishing victims over the same 1 year period[2]
• $1125 – Average dollar loss per phishing victim over the same 1 year period[2]
• 8.5 Billion – Number of phishing emails sent world-wide each month[3]
• 32,414 – Number of phishing web sites that were operational in May 2008[4]
How Phishing Works
• First, a fake web site is designed to look and act exactly like a real site ("spoofed" organization).
• A fraudulent email is then crafted to look like it originated from the legitimate organization.
(Figure: the real site shown side by side with the fake site)
• The email is sent out to countless potential victims, either directly or through automated networks like botnets.
• The email contains links to the bogus web site operated by a criminal.
• The victim follows the link in the email to the fake site and fills in the requested information, thinking it is the genuine site.
• The information is collected by the fraudulent site and sent back to the criminal.
– Typically: Account ID, Social Security Number, Credit Card Number, PIN, Date of Birth
How to Detect a Phish E-mail
• As scammers get better, their emails look more genuine.
• How do you tell if it’s a scam and phishing for personal information?
Four Tests to Help Detect Phish E-mail
• First, look for spelling and grammatical errors in the email.
• Second, check the email header and look for anomalies.
– Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
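The header test above can be done by hand in any mail client's "view source", but the same anomalies can be checked programmatically. The following is an added example, not part of the original presentation: it parses a constructed e-mail (the example-bank.com, example-bank-login.com and example-isp.net names and the 203.0.113.7 address are made up for illustration) and reports the mismatches a defender looks for between the visible From address and the Reply-To, Return-Path, Message-ID and first Received hop.

```python
"""Look for the header anomalies the slide describes.

Added example, not from the original presentation. SAMPLE_RAW is a
constructed message whose domain names and IP address are invented.
"""
import email
import re
from email.utils import parseaddr

# Constructed sample: From: claims to be a bank, but replies and bounces go
# elsewhere and the first hop came from a consumer broadband host whose
# HELO name does not match its reverse DNS.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from example-bank.com (dsl-203-0-113-7.example-isp.net [203.0.113.7])
\tby mx.example.org with SMTP; Mon, 12 May 2008 09:14:02 -0400
From: "Example Bank Security" <security@example-bank.com>
Reply-To: verify-account@example-bank-login.com
To: customer@example.org
Subject: Urgent: confirm your account
Message-ID: <1234@example-bank-login.com>
Content-Type: text/plain

Please confirm your account details.
"""

# Matches the "from HELO (reverse-dns [ip])" prefix of a Received: line.
_RECEIVED_RE = re.compile(r"\s*from\s+(\S+)\s+\(([^\s\[]+)\s*\[([\d.]+)\]\)")


def _domain(addr):
    """Lower-cased domain part of an e-mail address, or '' if none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def header_anomalies(raw_message):
    """Return a list of human-readable header anomalies (empty = none found)."""
    msg = email.message_from_string(raw_message)
    findings = []
    from_domain = _domain(msg["From"])

    # 1. Replies would go to a different domain than the visible sender.
    reply_domain = _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # 2. Bounces (Return-Path) go to a different domain than the visible sender.
    return_domain = _domain(msg["Return-Path"])
    if return_domain and return_domain != from_domain:
        findings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")

    # 3. The Message-ID was generated on a domain unrelated to the sender.
    mid = (msg["Message-ID"] or "").strip("<> ")
    mid_domain = mid.rpartition("@")[2].lower()
    if mid_domain and not (mid_domain == from_domain or mid_domain.endswith("." + from_domain)):
        findings.append(f"Message-ID domain {mid_domain!r} does not match From domain {from_domain!r}")

    # 4. The name the sending host announced (HELO) is not what the receiving
    #    server saw in reverse DNS for that connection.
    for hop in msg.get_all("Received") or []:
        m = _RECEIVED_RE.match(hop)
        if m:
            helo, rdns, ip = m.groups()
            if helo.lower() != rdns.lower():
                findings.append(f"HELO name {helo!r} does not match reverse DNS {rdns!r} for {ip}")
    return findings


if __name__ == "__main__":
    for finding in header_anomalies(SAMPLE_RAW):
        print("-", finding)
```

None of these checks is proof of fraud on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is why the slide tells you to apply the same caution to every message; the value of the script is in surfacing the mismatches so a reader can weigh them.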
Real or Fake?
• Third, analyze the links in e-mail messages to determine the real target address or URL.
– Most e-mail programs (e.g., Outlook 2007) show you the actual target address of a link when you hover the mouse over the link. Or you can view the email source and/or link properties.
– If the target address contains an IP address, such as 192.168.100.1, do not click the link.
– Make sure that the spelling of words in the link matches what you expect. Scams often use URLs with typos in them that are easy to overlook, such as “www.micosoft.com” or “http://online.wellfargo.com”.
Example: Determine the Real Target Address or URL
Visible link: https://online.wellsfargo.com/?customersupport=CONFIRMATION
≠ Called (actual target) link: http://202.67.159.110:5180/login1.html
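The three link checks on the previous slide (bare IP address as target, visible URL that differs from the real target, and misspelled brand domains) and the Wells Fargo example just shown can be applied to a whole HTML message at once. The following is an added example, not code from the presentation: it extracts every anchor from a constructed e-mail body that reuses the deck's visible-versus-called link and its two typo domains, and lists the reasons each link looks suspicious. EXPECTED_DOMAINS is an assumed list of domains the reader actually does business with; the typo test is a similarity ratio against that list rather than anything the slides specify.

```python
"""Recover the real target of each link in an HTML e-mail and compare it
with what the reader sees. Added example, not part of the presentation.
SAMPLE_HTML is constructed; EXPECTED_DOMAINS is an assumed allow-list.
"""
import difflib
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the reader expects legitimate mail from.
EXPECTED_DOMAINS = ["wellsfargo.com", "microsoft.com", "amazon.com"]

# Constructed body reproducing the deck's visible-vs-called link and typo URLs.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please confirm your details at
<a href="http://202.67.159.110:5180/login1.html">https://online.wellsfargo.com/?customersupport=CONFIRMATION</a>
or visit <a href="http://online.wellfargo.com/">our secure site</a>.</p>
<p>Get the update at <a href="http://www.micosoft.com/update">Microsoft Update</a>.</p>
<p>Help: <a href="https://www.amazon.com/help">https://www.amazon.com/help</a></p>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL without the port; '' if unparsable."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.split(".")[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Reasons a single link looks suspicious (empty list = none)."""
    reasons = []
    target = _host(href)
    # Test 1: the real target is a bare IP address.
    if _is_ip(target):
        reasons.append(f"target is a bare IP address ({target})")
    # Test 2: the link text shows a URL, but the href goes somewhere else.
    shown = _host(text) if text.lower().startswith(("http://", "https://")) else ""
    if shown and _registrable(shown) != _registrable(target):
        reasons.append(f"visible link {shown} but real target {target}")
    # Test 3: the target domain is close to, but not, a domain we trust.
    reg = _registrable(target)
    if target and not _is_ip(target) and reg not in EXPECTED_DOMAINS:
        close = difflib.get_close_matches(reg, EXPECTED_DOMAINS, n=1, cutoff=0.8)
        if close:
            reasons.append(f"{reg} looks like a misspelling of {close[0]}")
    return reasons


def suspicious_links(html):
    """Map each flagged href in the body to its list of reasons."""
    parser = _LinkExtractor()
    parser.feed(html)
    return {href: r for href, text in parser.links if (r := check_link(href, text))}


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

The registrable-domain helper is deliberately crude (it takes the last two labels, so it misreads names under suffixes such as co.uk); a production filter would use the Public Suffix List, but the two-label version is enough to show why "online.wellfargo.com" and "online.wellsfargo.com" are different sites.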
• Fourth, verify the security and identity of the Web site.
– Click the lock icon to display the security certificate for the site. The name following “Issued to” should match the name of the site. If the name differs, you may be on a fake site.
– Some sites feature verified identity and security information. When you visit a verified site using Internet Explorer 7, the browser address bar turns green and the identity information appears on the right-hand side of the address bar.
– This makes it easy to check the identity information and ensure that it matches the site that you expected to see.
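The "Issued to" comparison the slide asks you to make by clicking the lock icon is the hostname check a browser performs on every HTTPS connection. The following is an added example, not part of the presentation: it applies that check to a constructed certificate written in the dictionary form Python's ssl.SSLSocket.getpeercert() returns (the example-bank.com names and dates in it are invented), preferring the Subject Alternative Name entries over the older commonName field, allowing a wildcard to cover only one leftmost label, and also refusing an expired certificate.

```python
"""Check that a certificate was issued to the host you expected.

Added example, not from the presentation. BANK_CERT is a constructed
certificate in getpeercert() dict form; its names and dates are invented.
"""
import ssl
import time


def _names_in_cert(cert):
    """Host names the certificate was issued to: SAN DNS entries if present,
    otherwise the subject commonName that older certificates rely on."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return [s.lower() for s in sans]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value.lower()]
    return []


def _name_matches(pattern, hostname):
    """Match one certificate name against a host. A leading '*' covers exactly
    one label: *.example-bank.com matches www.example-bank.com but neither
    example-bank.com nor a.b.example-bank.com."""
    if pattern.startswith("*."):
        return hostname.endswith(pattern[1:]) and hostname.count(".") == pattern.count(".")
    return pattern == hostname


def issued_to_matches(cert, hostname, now=None):
    """Return (ok, explanation) for the 'Issued to' and validity checks."""
    hostname = hostname.lower().rstrip(".")
    names = _names_in_cert(cert)
    if not names:
        return False, "certificate names no host at all"
    if not any(_name_matches(n, hostname) for n in names):
        return False, f"certificate issued to {', '.join(names)}, not {hostname}"
    now = time.time() if now is None else now
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return False, f"certificate expired on {cert['notAfter']}"
    return True, f"issued to {hostname}"


# Constructed certificate in the shape getpeercert() returns.
BANK_CERT = {
    "subject": ((("commonName", "www.example-bank.com"),),),
    "issuer": ((("organizationName", "Example Certificate Authority"),),),
    "subjectAltName": (("DNS", "www.example-bank.com"), ("DNS", "example-bank.com")),
    "notBefore": "May 12 00:00:00 2008 GMT",
    "notAfter": "May 12 23:59:59 2009 GMT",
}

# A fixed 'now' inside the validity window keeps the example reproducible.
JUNE_2008 = ssl.cert_time_to_seconds("Jun 1 00:00:00 2008 GMT")


if __name__ == "__main__":
    for site in ("www.example-bank.com", "www.example-bank-login.com"):
        print(site, "->", issued_to_matches(BANK_CERT, site, now=JUNE_2008))
```

On a live connection the same decision is made for you by ssl.create_default_context(), whose check_hostname setting rejects a certificate whose names do not cover the host; the function above exists so the reader can see what "the name following Issued to should match the site" means in concrete terms, including the case where a look-alike domain presents a perfectly valid certificate for itself.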
Example: Verify the Security
Guidelines to avoid being phished
• If you are requested to update your account information or change your password, connect to the Web site by using your personal bookmark or by typing the URL directly into your browser.
• Don't trust offers that seem too good to be true.
– If a deal or offer in an e-mail message looks too good to be true, it probably is.
• Never enter personal or financial information into a pop-up window.
– Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no way to check the security certificate.
– Close pop-up windows by clicking the red X in the top right corner (a "Cancel" button may not work as you'd expect).
• Regularly update your computer protection software and browser.
• Report suspicious e-mail.
– Report the e-mail to the faked or "spoofed" organization. Contact the organization directly, not through the e-mail you received.
– Report the e-mail to the proper authorities, including the FBI, the Federal Trade Commission (FTC), and the Anti-Phishing Working Group.
Homework for next class
• Phishing scams
– Phishing example
– Phishing example
– Phishing quiz
• Distributed denial-of-service attacks
– See botnet demonstration
Another Example – Amazon
View Source
Risk Optimization
How Public Key Encryption Works
How Digital Certificates Work