Email Security Awareness

Upload: dale-rapp

Post on 08-May-2015

Category: Technology


DESCRIPTION

Security awareness class I teach with tips to protect yourself from some common email dangers & scams.

TRANSCRIPT

Page 1: Email Security Awareness

Email Security Awareness

Tips to protect yourself from some common email dangers & scams

Page 2: Email Security Awareness

Protect Yourself

- The driving force is MONEY!
- Drive you to a site to sell you something
- Scams, advanced fee, lottery
- Collect personal information
- Fake AV, Scareware! Ransomware!
- Stealing login credentials
- Key loggers
- Attackers are finding ways to compromise computer, passwords, data, accounts
- Easier to hack people than find way into company network through perimeter defenses

Page 3: Email Security Awareness

Strong Passwords

- Password may be only line of defense for email account
- Don’t reuse passwords for all online accounts
- Compromised password could give access to multiple accounts or sites
- Avoid common words, names, birthdays
- Use passphrase, mix upper and lower case letters, numbers, and special characters
- Minimum 14 characters
- Never keep passwords on sticky note on monitor
- Login page using HTTPS required when using unsecure network (public Hot Spot)
- https://www.microsoft.com/security/pc-security/password-checker.aspx

Page 4: Email Security Awareness

Tips to Avoid Scams

- Sense of urgency! Act now, respond now, need help
- Don’t think, just click! NOW, NOW, NOW!
- Alarmist messages and threats of account closures
- Any email requesting personal information, bank account, credit card number, access codes, etc… (Phishing)
- Spelling errors, grammatical errors
- Promises of money for little or no effort
- Work from home (money mule scams)
- Generic greeting, Dear Customer
- Request for help, related to urgency scams, emotional pull
- Sender in foreign country needs help and money

Page 5: Email Security Awareness

Tips to Avoid Scams

- Send money up front to receive prize
- Deals that sound too good to be true
- Free may have a price tag!
- Electronics, iPads, gift cards, lottery scams, inheritance scams etc…
- Downloads and attachments
- Fake software updates
- Holiday scams, ecards (zip file attachment or links)
- May lead to unwanted software being loaded on computer, Trojan horse program with key logger, fake AV, bot, rootkit, etc…
- Sender's email address
- Email may claim to be from BOA, but sender address is not related to company, EX [email protected]

Page 6: Email Security Awareness

Tips to Avoid Scams

- Requests to donate to a charitable organization after a disaster that has been in the news
- Shortened links, or confusing links
- Redirect to bad guy's site
- Go directly to company web site if in doubt
- Chain letters
- May be collecting addresses for spammers
- Unsubscribe links, may confirm live email account
- Junk Mail in GroupWise
- Report as spam or set up filter to block future emails (Gmail, Hotmail, Yahoo, etc…)
- Similar scams may arrive as instant messages, Skype, Facebook posts, Twitter DMs
- Social networking is a huge target for scams

Page 7: Email Security Awareness

Spam

- No! I don’t need cheap meds!
- Not malicious
- Similar to postal junk mail
- Usually selling merchandise or advertisements
- Link to ecommerce website
- Drive customer to website selling products or offering services

Page 8: Email Security Awareness

Nigerian 419 Email Scams

- The number “419” refers to the article of the Nigerian Criminal Code dealing with fraud
- Started before email as Spanish prisoner scam
- Many variations, Iraqi gold, blood diamonds, inheritance or investment scams, etc…
- Advanced fee scams
- Usually involve millions of dollars
- Assistance is needed, transfer money to you and you earn percentage, catch is paying fees or taxes up front
- Made to believe paying fees or taxes will lead to “bigger” prize!

Page 9: Email Security Awareness

Don’t Respond

- There is no big prize or reward!
- Do not respond
- Delete message
- Junk mail, report as spam

Page 10: Email Security Awareness

Robbed in London

- URGENCY! Dire need of help!
- Receive email from friend or relative that is in foreign country and has been robbed
- Needs money to settle bills

Page 11: Email Security Awareness

Never Respond

- Call person, try to speak to person to verify their location
- Never in country that email claims!
- Sender's email account has been hacked or accessed by unauthorized person
- Bad guy sending email to all contacts in address book
- Person is unaware account was hacked and “fake” emails are being sent
- Person should change password to account immediately
- Check for forwarding rules
- Contact ISP or email provider for assistance

Page 12: Email Security Awareness

Phishing

- To obtain information for the purpose of fraud or identity theft
- Account may be locked or suspended
- Have short time frame to verify
- Problem with payment or credit card
- Verify login credentials
- Email account storage limits
- URGENCY pull is involved

Page 13: Email Security Awareness

Phishing

- Can use company logos
- Copy from web site
- Look and feel authentic
- Links do not go to actual company website
- Shortened links, bit.ly
- Redirect to bad guy site
- May sign name of actual employee with company
- Sender's email address is not related to company
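The sender and link checks from this slide can be automated for triage. The following is an added Python example, not part of the original class material; the domain `example-bank.test`, the sample message, and all function names are constructed for illustration, and it assumes a single-part HTML message.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly"}  # the shortener the slide names; extend as needed

class _Links(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def _belongs(host, domain):
    # Exact match or true subdomain, so "company.tld.evil.tld" does not pass.
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, company_domain):
    """Return the slide's red flags found in one raw single-part HTML message."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    if not _belongs(sender_host, company_domain):
        flags.append("sender-not-company:" + sender_host)
    parser = _Links()
    parser.feed(msg.get_payload())  # assumes a non-multipart body (a str)
    for href in parser.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.append("shortened-link:" + host)
        elif not _belongs(host, company_domain):
            flags.append("link-off-site:" + host)
    return flags

# Constructed sample: a message claiming to come from example-bank.test.
SAMPLE = """From: "Example Bank Security" <alerts@mail-example-bank.test>
Content-Type: text/html

<p>Verify now: <a href="http://bit.ly/xyz">https://example-bank.test/login</a>
or <a href="https://example-bank.test.login.invalid/">here</a>.
Help: <a href="https://www.example-bank.test/help">help pages</a></p>
"""
if __name__ == "__main__":
    print(phishing_indicators(SAMPLE, "example-bank.test"))
```

The first link shows why the visible link text cannot be trusted: it displays the company's login URL while the `href` points at a shortener.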

Page 15: Email Security Awareness

Spear Phishing

- More specific
- Targeted audience
- Directed at specific company, people at certain levels in company or in certain departments

Page 16: Email Security Awareness

Smishing

- The name is derived from SMS Phishing, SMS (Short Message Service) is the technology used for text messages on cell phones
- URGENCY!
- (Voice phISHING) it is the voice counterpart to phishing. The caller can ask for personal information or direct user to malicious website.
- Support call to download “fake” software update.
- Caller ID numbers and names can be spoofed.

Page 17: Email Security Awareness

Smishing Example

Page 18: Email Security Awareness

Don’t Respond

- Never reply to an email to verify personal information, bank account numbers, credit card numbers, passwords, etc…
- Call bank or credit card company directly
- Verify if they sent email
- Some companies have ways to report suspected fraud emails

Page 19: Email Security Awareness

Software Updates

- Microsoft and Adobe never send updates through email
- Attachments will not update programs, but load unwanted software
- Links will not take you to company web site or download attachment
- Go directly to company website
- Microsoft Updates through IE
- Check for updates in Adobe Reader
- Run PSI or Qualys Browser Check to verify updates are available

Page 20: Email Security Awareness

Money Mule Scams

- Work from home scams
- Make money part time, spare time
- Have computer you can make thousands of dollars
- Open bank account, bad guy deposits money, you transfer, or withdraw money and wire it to someone, and keep percentage
- No legitimate company works like this!