Texas Christian University Technology Resources
EMAIL SECURITY
TCU Information Security Services
Overview
- Phishing
- Spam
- Spoofing
- Attachments
- Best Practices
- Data Protection
Phishing
Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information.
Typically you will receive an email that appears to be from a legitimate business or organization asking for verification of personal or financial information.
Phishing Email
Information asked for in a phishing email may include:
- Username, user ID, email ID, email identity
- Password
- Social security number
- Birthdate
Or there may just be a link to click on that takes you to an official-looking web site to enter information.
Phishing techniques
- Link manipulation: technical deception designed to make a link in an email, and the spoofed website it leads to, appear to belong to the spoofed organization.
- Spoofed website: looks almost exactly like the real thing.
- Website forgery: a spoofed website that uses JavaScript to alter the address bar to appear legitimate.
- Filter evasion: misspelled words and images instead of text are used to evade anti-phishing filters.
Spear Phishing
A highly targeted version of a phishing scam is “spear phishing.” A spear phishing message may look like it is coming from your employer or computer help desk.
Vishing
Voice over Internet Protocol (VoIP) enables phone calls over the web. For criminals this makes it easy to fake real numbers and create phony automated customer service lines. They can’t be traced.
- Vishing Scheme 1: You get a phishing email with a phone number to call, where you are asked for information.
- Vishing Scheme 2: You get a phone call directing you to take action to protect an account.
Smishing
Phishing fraud sent via SMS (Short Message Service) text messaging. Emerging as a new threat to cell phone users.
Examples:
- A text message received contains a web site hyperlink which, if clicked, will download a Trojan horse to the phone.
- A text message informing you that your bank account has been frozen. Call a phone number to unlock it; an automated (bogus) phone system asks for your account number, SSN and PIN.
Recent Phishing Email at TCU
- Link manipulation
- Spoofed email
TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you login or enter your username and password.
Fake website: http://ip-mediation.net/TCU/
Look between the first double // and the first single / - that’s NOT TCU. Notice no https.
Real website: https://my.is.tcu.edu/psp/pa9prd/?cmd=login
That is TCU. Secure.
Another TCU Phishing Email
- Link manipulation
Fake website: http://www.1025.ru/js/mail.tcu.edu
Look between the first double // and the first single / - that’s NOT TCU. No https.
Real website: https://mobile.tcu.edu/owa/auth/logon.aspx
That is TCU. Secure.
And Another TCU Email
- False urgency
- Don’t give out your username or password!
- TCU Technology Resources, including the Help Desk, will NEVER ask for your password – in an email, over the phone or in person!
- Misspellings of simple words
Phishing Example – Financial Institution
- False urgency, designed to get you to act without thinking.
- False credibility
- Untraceable phone number
- More false urgency
- Spoofed web address
- Lack of personal greeting
Phishing Example – Lottery Scam
- Foreign lottery scams are common.
- You won – but did you play?
- If it sounds too good to be true, it usually is.
Phishing Example – IRS Scam
The IRS web site clearly states that it will not initiate taxpayer communications through email.
- False credibility
- False urgency
- Links to spoofed web site
Avoid being Phished!
Links in Emails
- Approach links in an email with caution. They might look genuine, but they could be forged.
- Copy and paste the link into your web browser.
- Type in the address yourself.
- Or even Google the company and go to their website from the search results.
Avoid being Phished (continued)
Learn to spot non-legitimate web sites
- Look at the address between the // and the first / - it should end with the company you expect.
  Fake: http://www.1025.ru/js/mail.tcu.edu
  Real: https://mobile.tcu.edu/owa/auth/logon.aspx
- Is it secure? Look for https in the address and the yellow lock icon.
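The "look between // and the first /" rule from the slides, written out as a small checker (an added example, not part of the TCU deck). It parses the host the way a browser does, so a company name hidden in the path (as in the 1025.ru link above) or glued onto a longer host is not mistaken for the real site. The expected domain tcu.edu and the function names are assumptions of this example; the sample links are the ones quoted on the slides.

```python
from urllib.parse import urlsplit

# Assumption for this example: the organization we expect links to belong to.
EXPECTED_DOMAIN = "tcu.edu"


def belongs_to(host: str, domain: str = EXPECTED_DOMAIN) -> bool:
    """True only when host IS the domain or a subdomain of it.

    Plain substring matching is not enough: 'mail.tcu.edu' can appear in the
    path (www.1025.ru/js/mail.tcu.edu) or as a prefix of some other host name,
    so we require an exact match or a '.' boundary before the domain.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def check_link(url: str, domain: str = EXPECTED_DOMAIN) -> dict:
    """Extract the host (the text between '//' and the next '/') and report
    whether it belongs to the expected organization and whether it uses https."""
    parts = urlsplit(url)
    host = parts.hostname or ""      # lower-cased; port and user-info stripped
    return {
        "host": host,
        "is_expected_org": belongs_to(host, domain),
        "is_https": parts.scheme.lower() == "https",
    }


# Links quoted on the slides: two fake, two real.
SLIDE_LINKS = [
    "http://ip-mediation.net/TCU/",
    "http://www.1025.ru/js/mail.tcu.edu",
    "https://my.is.tcu.edu/psp/pa9prd/?cmd=login",
    "https://mobile.tcu.edu/owa/auth/logon.aspx",
]

if __name__ == "__main__":
    for link in SLIDE_LINKS:
        r = check_link(link)
        verdict = "TCU" if r["is_expected_org"] else "NOT TCU"
        print(f"{link}\n  host={r['host']}  {verdict}  https={r['is_https']}")
```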
Avoid being Phished (continued)
- Greet email or phone calls seeking personal information with skepticism.
- If you think it may be legitimate, call the customer service number provided when the account was opened.
- Be leery of alarming statements that urge you to respond immediately.
- Do NOT reply to phishing emails.
Avoid being Phished (continued)
- TCU Technology Resources, including the computer help desk and information security services, will NEVER ask you for your password via email, the phone or in person.
- When TCU upgrades its computer or email systems we will NEVER send a link inside an email which will go to a website requesting that you login or enter your username and password.
Phishing Scams Game
Play the Phishing Scam Game: http://www.onguardonline.gov/games/phishing-scams.aspx
Spam
Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients.
What for?
- Advertising goods and services (often of a dubious nature)
- Quasi-charity appeals
- Financial scams
- Chain letters
- Phishing attempts
- Spreading malware and viruses
Origins of the term "Spam"
- WWII England: Spam was the only meat not rationed.
- 1970 Monty Python skit: http://www.youtube.com/watch?v=anwy2MPT5RE Every item on the menu includes Spam; Vikings drown out the dialogue by repeating SPAM, SPAM, SPAM, SPAM.
- 1980s: in early internet chat rooms, quotes from the skit were used repeatedly to drive out newcomers or invade “rival” chat rooms (Star Wars/Star Trek).
- In 1993 the term Spam was used on Usenet to mean excessive multiple postings of the same message.
- In 1998 the new meaning was included in the New Oxford Dictionary of English.
What to do with Spam
- Do not open email that is obviously Spam.
- If you do open junk mail, do not click on any links, including a link that claims it will remove you from the list. Spammers use this to verify that you have a “live” email address.
- Use a “disposable email address”: set up a Yahoo or Gmail account to use on the web.
- Send spam to [email protected] as an attachment.
- End User Quarantine reduces the amount of Spam received.
How to send email as an attachment
In Outlook 2007:
- From the Inbox, click to select the email message.
- From the menu choose Actions, Forward as Attachment.
In Entourage 2004 for Mac OS X:
- From the Inbox, click to select the email message.
- From the menu choose Message, Forward as Attachment.
Spoofing
- Email appears to be from a friend, colleague or yourself, but the subject and text are obviously not something you or they would send.
- Spoofing is a way of sending counterfeit email using stolen addresses.
Spoofing (continued)
- Favorite technique of spammers and phishers.
- How do they steal email addresses?
  - They write programs that gather email addresses from websites, discussion boards and blogs.
  - Worms and viruses also collect addresses from the address books on the machines they infect.
- What can you do? Nothing to prevent spoofing. Just be aware and never fully trust the “From” field of an email.
Attachments
- Computer viruses and other malicious software are often spread through email attachments.
- If a file attached to an email contains a virus, it is often launched when you open (or double-click) the attachment.
- Don’t open email attachments unless you know whom it is from and you were expecting it.
Should You Open that Attachment?
If it is suspicious, do not open it! What is suspicious?
- Not work-related.
- The email containing the attachment was not addressed to you, specifically, by name.
- Incorrect or suspicious filename.
- Unexpected attachments.
- Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx).
- Unusual topic lines: “Your car?”; “Oh!”; “Nice Pic!”; “Family Update!”; “Very Funny!”
Email Best Practices
- Use the BCC field when sending to large distribution lists.
  - Protects recipients’ email addresses.
  - Prevents Reply to All issues.
- Avoid use of large distribution lists unless there is a legitimate business purpose. E.g., All Faculty/Staff list: use TCU Announce instead.
- Beware of the Reply to All button.
- Don’t forward chain email letters.
Data Protection
- Do Not Email Unencrypted Sensitive Personal Information (SPI).
- On-campus email: encrypt, or use a shared drive instead.
- Digital ID: allows you to digitally sign and encrypt email. Required for both sender and recipient. Email [email protected] to request one.
- WinZip version 10 and above: create an encrypted archive to send in email.
- Office 2007 allows AES encryption.
- Email the password separately!
Resources
TCU Computer Help Desk
[email protected]
https://Help.tcu.edu
Location: Mary Couts Burnett Library, first floor
Information Security Services
https://Security.tcu.edu
[email protected]