Threats to Information Security Protecting Your Personal Information from Phishing Scams
Learning Objectives • Define a phishing scam. • Describe how a phishing scam is carried out. • Explain methods for detecting phish email. • Provide guidelines for how to avoid being phished.
Risk There is always risk when you use the internet.
Phishing Defined • Phishing scams or attacks use deception to acquire sensitive personal information: the attacker masquerades as a legitimate organization in official-looking e-mails or instant messages. • The term "phishing" comes from the analogy that Internet scammers use e-mail lures to "fish" for passwords and financial data from the sea of Internet users. • The name was coined around 1996 by hackers who were stealing America Online accounts [1].
How Phishing Works • First, a fake web site is designed to look and act exactly like the real site of the "spoofed" organization. • A fraudulent e-mail is then crafted to look as if it originated from the legitimate organization. (Figure: real site shown beside the fake site.)
How Phishing Works The email is sent out to countless potential victims, either directly or through automated networks like botnets. The email contains links to the bogus web site operated by a criminal.
How Phishing Works • The victim follows the link in the e-mail to the fake site and fills in the requested information, thinking it is the genuine site.
How Phishing Works • The information (e.g., date of birth, account ID, PIN, Social Security number, credit card number) is collected by the fraudulent site and sent back to the criminal.
How to Detect a Phish E-mail • As scammers get better, their e-mails look more genuine. • How do you tell whether a message is a scam that is phishing for personal information?
Four Tests to Help Detect Phish E-mail • First, look for spelling and grammatical errors in the e-mail. • Second, check the e-mail header and look for anomalies: compare the domain in the From address with the Return-Path and Reply-To headers and with the Received lines, and treat a mismatch as a warning sign. • Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the display name and From address in an e-mail message; the other headers are harder to keep consistent with the forgery.
Four Tests to Help Detect Phish E-mail • Third, analyze the links in e-mail messages to determine the real target address or URL. • Most e-mail programs (e.g., Outlook 2007) show you the actual target address of a link when you hover the mouse over the link. Or you can view the email source and/or link properties. • If the target address contains an IP address, such as 192.168.100.1, do not click the link. • Make sure that the spelling of words in the link matches what you expect. Scams often use URLs with typos in them that are easy to overlook, such as “www.micosoft.com” or “http://online.wellfargo.com”.
Example: Determine the Real Target Address or URL • Visible link text: https://online.wellsfargo.com/?customersupport=CONFIRMATION • Actual link target (href): http://202.67.159.110:5180/login1.html • The two do not match, the real target is a bare IP address, and it uses plain http rather than https: do not click.
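The header and link tests above can be automated. The following script is an added example (it is not part of the original slides) that parses a constructed sample message, compares the From domain against Return-Path and Reply-To, and then walks every anchor in the HTML body to flag IP-literal targets, unencrypted targets, link text that shows one URL while the href points at another host, and lookalike domains close to a trusted domain. The sample message, the trusted-domain set `{"wellsfargo.com"}`, and the "last two labels" approximation of a registrable domain are assumptions for illustration.

```python
"""Heuristic checks for a suspected phishing e-mail (header and link tests)."""
import email
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish). The From header claims
# Wells Fargo, but Return-Path and Reply-To point elsewhere, the first link
# hides an IP-literal target behind a genuine-looking URL, and the second
# link uses a typo-squatted domain. The third link is legitimate.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Reply-To: <support@wellfargo-secure.example.net>
From: "Wells Fargo Online" <alerts@wellsfargo.com>
To: <victim@example.org>
Subject: Please confirm your account
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Click <a href="http://202.67.159.110:5180/login1.html">https://online.wellsfargo.com/?customersupport=CONFIRMATION</a> to confirm.</p>
<p>Or visit <a href="https://online.wellfargo.com/">our site</a>.</p>
<p><a href="https://online.wellsfargo.com/">https://online.wellsfargo.com/</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _addr_domain(header_value):
    """Lowercase domain of the first address in a header, or None if absent."""
    if not header_value:
        return None
    m = re.search(r"@([A-Za-z0-9.-]+)", str(header_value))
    return m.group(1).lower() if m else None


def header_anomalies(msg):
    """Test 2: flag Return-Path / Reply-To domains that differ from From."""
    findings = []
    from_dom = _addr_domain(msg["From"])
    for h in ("Return-Path", "Reply-To"):
        dom = _addr_domain(msg[h])
        if dom and from_dom and dom != from_dom:
            findings.append(f"{h} domain {dom} differs from From domain {from_dom}")
    return findings


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _registrable(host):
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def _edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_anomalies(html, trusted_domains):
    """Test 3: flag IP-literal, unencrypted, mismatched and lookalike link targets."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if _is_ip_literal(host):
            findings.append(f"IP-literal target {href}")
        if target.scheme == "http":
            findings.append(f"unencrypted target {href}")
        if text.startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append(f"visible link {text} but target host {host}")
        if host and not _is_ip_literal(host):
            reg = _registrable(host)
            if reg not in trusted_domains:
                near = [t for t in trusted_domains if _edit_distance(reg, t) <= 2]
                if near:
                    findings.append(f"lookalike domain {host} resembles {near[0]}")
                else:
                    findings.append(f"untrusted domain {host}")
    return findings


def analyze(raw_email, trusted_domains):
    """Run both tests over a raw RFC 822 message with an HTML body."""
    msg = email.message_from_string(raw_email)
    return header_anomalies(msg) + link_anomalies(msg.get_payload(), trusted_domains)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, {"wellsfargo.com"}):
        print("WARNING:", finding)
```

Run against the sample, the script reports six findings: two header mismatches, three for the IP-literal link (bare IP, plain http, visible text that does not match the target host) and one lookalike domain; the genuine third link produces nothing. A real deployment would replace the two-label domain heuristic with a public-suffix list and the trusted set with the organization's actual domains.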
Four Tests to Help Detect Phish E-mail • Fourth, verify the security and identity of the Web site. • Click the lock icon to display the security certificate for the site. The name following "Issued to" should match the name of the site. If the name differs, you may be on a fake site. A lock alone only means the connection to whatever site the certificate names is encrypted; a criminal can obtain a certificate for a lookalike domain, so the name check is what matters. • Some sites feature verified identity and security information. When you visit a verified site using Internet Explorer 7, the browser address bar turns green and the identity information appears on the right-hand side of the address bar. • This makes it easy to check the identity information and ensure that it matches the site that you expected to see.
Guidelines to avoid being phished • If you are asked to update your account information or change your password, connect to the Web site by using your personal bookmark or by typing the URL directly into your browser, never by following the link in the message. • Don't trust offers that seem too good to be true: if a deal or offer in an e-mail message looks too good to be true, it probably is.
Guidelines to avoid being phished • Never enter personal or financial information into a pop-up window. • Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no address bar or lock icon with which to check the security certificate. • Close pop-up windows by clicking the red X in the top right corner (a "Cancel" button may not work as you'd expect). • Regularly update your computer's protection software and browser. • Report suspicious e-mail. • Report the e-mail to the faked or "spoofed" organization. Contact the organization directly, not through the e-mail you received. • Report the e-mail to the proper authorities, including the FBI, the Federal Trade Commission (FTC), and the Anti-Phishing Working Group.
Homework for next class • Phishing scams • Phishing example • Phishing example • Phishing quiz • Distributed denial-of-service attacks • See botnet demonstration
Another Example – Amazon