Email Security
Texas Christian University Technology Resources
Overview
• Phishing
• Spam
• Spoofing
• Attachments
• Best Practices
• Data Protection
TCU Information Security Services
Phishing
• Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information.
• Typically you will receive an email that appears to be from a legitimate business or organization asking you to verify personal or financial information.
Phishing Email
• Information asked for in a phishing email may include:
• Username, user ID, email ID or email identity
• Password
• Social Security number
• Birthdate
• Or there may just be a link to click that takes you to an official-looking website where you are asked to enter this information.
Phishing Techniques
• Link manipulation: technical deception designed to make a link in an email, and the spoofed website it leads to, appear to belong to the organization being impersonated (for example, link text that shows one address while the link actually points somewhere else).
• Spoofed website: looks almost exactly like the real thing.
• Website forgery: a spoofed website that uses JavaScript to alter or cover the browser's address bar so that it appears legitimate.
• Filter evasion: misspelled words and images in place of text are used to evade anti-phishing filters.
Spear Phishing
• A highly targeted version of a phishing scam is "spear phishing."
• A spear phishing message may look like it is coming from your employer or computer help desk, and may use your name, department or other details about you to seem genuine.
Vishing
• Voice over Internet Protocol (VoIP) enables phone calls over the Internet.
• For criminals this makes it easy to fake (spoof) real caller-ID numbers and to set up phony automated customer service lines that are very hard to trace.
• Vishing Scheme 1: you get a phishing email with a phone number to call; when you call, you are asked for information.
• Vishing Scheme 2: you get a phone call directing you to take action to "protect" an account.
Smishing
• Phishing fraud sent via SMS (Short Message Service) text messaging.
• Emerging as a new threat to cell phone users.
• Examples:
• A text message contains a website hyperlink which, if clicked, downloads a Trojan horse to the phone.
• A text message informs you that your bank account has been frozen and tells you to call a phone number to unlock it; an automated (bogus) phone system then asks for your account number, Social Security number and PIN.
Recent Phishing Email at TCU
• Spoofed email
• Link manipulation
• TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you log in or enter your username and password.
Fake Website
• http://ip-mediation.net/TCU/
• Notice: no https.
• Look between the first double // and the first single /: that is NOT TCU. The host is ip-mediation.net; "TCU" appears only in the path after the host.
Real Website
• https://my.is.tcu.edu/psp/pa9prd/?cmd=login
• Secure (https)
• That is TCU: the host ends in tcu.edu.
Another TCU Phishing Email
• Link manipulation
Fake Website
• http://www.1025.ru/js/mail.tcu.edu
• No https.
• Look between the first double // and the first single /: that is NOT TCU. The host is www.1025.ru; "mail.tcu.edu" is just part of the path.
Real
• https://mobile.tcu.edu/owa/auth/logon.aspx
• Secure (https)
• That is TCU: the host is mobile.tcu.edu.
And Another TCU Email
• TCU Technology Resources, including the Help Desk, will NEVER ask for your password, whether in an email, over the phone or in person!
• False urgency
• Misspellings of simple words
• Don't give out your username or password!
Phishing Example – Financial Institution
• False urgency, designed to get you to act without thinking.
• False credibility
• Lack of a personal greeting
• Untraceable phone number
• More false urgency
• Spoofed web address
Phishing Example – Lottery Scam
• Foreign lottery scams are common.
• You won, but did you play?
• If it sounds too good to be true, it usually is.
Phishing Example – IRS Scam
• The IRS website clearly states that it will not initiate taxpayer communications through email.
• False credibility
• False urgency
• Links to a spoofed website
Avoid Being Phished!
• Links in Emails
• Approach links in an email with caution.
• They might look genuine, but they could be forged: the text you see and the address the link actually points to can be different.
• Rather than clicking, copy the link and paste it into your web browser's address bar, where you can read the real address before you go there.
• Or type in the address yourself.
• Or even Google the company and go to its website from the search results.
Avoid Being Phished (continued)
• Learn to spot non-legitimate websites.
• Look at the address between the // and the first /; it should end with the domain of the company you expect.
• Fake: http://www.1025.ru/js/mail.tcu.edu
• Real: https://mobile.tcu.edu/owa/auth/logon.aspx…
• Is it secure?
• https in the address
• Yellow lock icon
• Caveat: https and the lock icon only tell you that the connection is encrypted; they do not prove who is on the other end. A phishing site can use https too, so check the domain first.
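The slides' rule ("look between the first // and the first /") written out as a small checker, as an added example for this page rather than a TCU tool. Only the domain tcu.edu and the four addresses shown on the preceding slides come from the page; the links that put "mobile.tcu.edu@" or "tcu.edu." in front of a different host are constructed here to show two tricks the same rule has to catch (text before an "@" is ignored by the browser, and "tcu.edu.something" is not tcu.edu).

```python
"""Decide whether an email link really points at the organization it claims to.

Added example (not TCU's own code). Implements the slide's rule: the host is
the part of the address between the first "//" and the next "/", and it must
be the expected domain or a subdomain of it.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "tcu.edu"  # the domain the reader expects to be talking to

# Four links from the slides plus three constructed look-alikes (assumed, not real).
SAMPLE_LINKS = [
    "http://ip-mediation.net/TCU/",
    "https://my.is.tcu.edu/psp/pa9prd/?cmd=login",
    "http://www.1025.ru/js/mail.tcu.edu",
    "https://mobile.tcu.edu/owa/auth/logon.aspx",
    "https://mobile.tcu.edu@phish.example/owa/auth/logon.aspx",  # constructed
    "https://tcu.edu.phish.example/login",                      # constructed
    "https://mytcu.edu/login",                                  # constructed
]


def hostname_of(link: str) -> str:
    """Return the host part of a link, lower-cased ('' if there is no scheme).

    urlsplit() discards any 'user:password@' prefix, so a link written as
    https://mobile.tcu.edu@phish.example/ correctly reports phish.example.
    """
    return (urlsplit(link.strip()).hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is exactly the domain or a dot-separated subdomain of it.

    Comparing whole labels rejects look-alikes such as 'tcu.edu.phish.example'
    (domain is a prefix) and 'mytcu.edu' (domain is a suffix without a dot).
    """
    return host == domain or host.endswith("." + domain)


def classify_link(link: str, domain: str = TRUSTED_DOMAIN) -> dict:
    """Apply the slide's checks: https, and the host belongs to the expected domain."""
    parts = urlsplit(link.strip())
    host = hostname_of(link)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no https")
    if "@" in parts.netloc:
        warnings.append("'@' in the address: everything before it is ignored by the browser")
    if not belongs_to(host, domain):
        warnings.append(f"host '{host}' is not {domain}")
        # The real name showing up in the path is the trick on the 1025.ru slide.
        if domain in (parts.path + "?" + parts.query).lower():
            warnings.append(f"'{domain}' appears in the path, not as the host")
    return {"link": link, "host": host, "warnings": warnings,
            "passes_checks": not warnings}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = classify_link(link)
        verdict = "OK " if result["passes_checks"] else "BAD"
        print(f"{verdict} {link}")
        for w in result["warnings"]:
            print(f"      - {w}")
```

Run it and the two real TCU addresses pass while the other five are flagged; the output lists, per link, the reason the slide would give (no https, wrong host, name hidden in the path) plus the two constructed tricks.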
Avoid Being Phished (continued)
• Greet emails or phone calls seeking personal information with skepticism.
• If you think it may be legitimate, call the customer service number provided when the account was opened, not a number given in the message.
• Be leery of alarming statements that urge you to respond immediately.
• Do NOT reply to phishing emails.
Avoid Being Phished (continued)
• TCU Technology Resources, including the Computer Help Desk and Information Security Services, will NEVER ask you for your password via email, over the phone or in person.
• When TCU upgrades its computer or email systems, we will NEVER send a link inside an email that goes to a website requesting that you log in or enter your username and password.
Phishing Scams Game
• Play the Phishing Scam Game: http://www.onguardonline.gov/games/phishing-scams.aspx
Spam
• Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients.
• What for?
• Advertising goods and services (often of a dubious nature)
• Quasi-charity appeals
• Financial scams
• Chain letters
• Phishing attempts
• Spreading malware and viruses
Origins of the Term "Spam"
• In WWII England, Spam was the only meat not rationed.
• 1970 Monty Python sketch: http://www.youtube.com/watch?v=anwy2MPT5RE
• Every item on the menu includes Spam.
• Vikings drown out the dialogue by repeating "SPAM, SPAM, SPAM, SPAM."
• 1980s: in early Internet chat rooms, quotes from the sketch were posted repeatedly to drive out newcomers or to invade "rival" chat rooms (Star Wars vs. Star Trek).
• In 1993 the term "spam" was used on Usenet to mean excessive multiple postings of the same message.
• In 1998 the new meaning was included in the New Oxford Dictionary of English.
What to Do with Spam
• Do not open email that is obviously spam.
• If you do open junk mail, do not click on any links, including a link that claims it will remove you from the list. Spammers use this to verify that you have a "live" email address.
• Use a "disposable email address": set up a Yahoo or Gmail account to use on the web.
• Send spam to spamfeedback@tcu.edu, as an attachment. Forwarding it inline strips the original headers that show where the message actually came from.
• End User Quarantine reduces the amount of spam received.
How to Send Email as an Attachment
• In Outlook 2007: from the Inbox, click to select the email message, then from the menu choose Actions, Forward as Attachment.
• In Entourage 2004 for Mac OS X: from the Inbox, click to select the email message, then from the menu choose Message, Forward as Attachment.
Spoofing
• Email appears to be from a friend, a colleague or yourself, but the subject and text are obviously not something you or they would send.
• Spoofing is a way of sending counterfeit email with a forged sender address, typically a real address that has been harvested from somewhere else.
Spoofing (continued)
• A favorite technique of spammers and phishers.
• How do they steal email addresses?
• They write programs that gather email addresses from websites, discussion boards and blogs.
• Worms and viruses also collect addresses from the address books on the computers they infect.
• What can you do?
• As a recipient, nothing to prevent spoofing: the "From" field is just text the sender fills in.
• Just be aware, and never fully trust the "From" field of an email. The full message headers (Return-Path, Received and the receiving server's authentication results) say more about where a message really came from.
Attachments
• Computer viruses and other malicious software are often spread through email attachments.
• If a file attached to an email contains a virus, it is usually launched when you open (or double-click) the attachment.
• Don't open email attachments unless you know whom they are from and you were expecting them.
Should You Open That Attachment?
• If it is suspicious, do not open it!
• What is suspicious?
• Not work-related.
• The email containing the attachment was not addressed to you, specifically, by name.
• Incorrect or suspicious filename (for example a double extension such as photo.jpg.exe, where the last extension is the one that counts).
• Unexpected attachments.
• Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx)
• Unusual subject lines: "Your car?"; "Oh!"; "Nice Pic!"; "Family Update!"; "Very Funny!"
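An added example, not TCU's or the page's own code, that applies the spoofing slides and the attachment slides above to one raw message: it compares the address in From with the Return-Path the message would bounce to, reads the receiving mail server's Authentication-Results header, and checks attachment names for the extensions the slide lists (plus a double-extension check). Both messages are constructed for this example; the header names are standard, but every domain, address, server name and file name in them is made up.

```python
"""Triage a raw email: does the From header match where it came from, and is the
attachment the kind the slides warn about?  Added example, not TCU's own tool.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Extensions from the slide (.exe .vbs .bin .com .pif) plus a few more
# executable types; the second group is an addition for this example.
RISKY_EXTENSIONS = {"exe", "vbs", "bin", "com", "pif", "scr", "bat", "cmd", "js", "hta"}

# Constructed phishing message: From claims tcu.edu, bounces go elsewhere,
# the receiving server recorded an SPF failure, and the "form" is an .exe.
PHISH_MESSAGE = """\
Return-Path: <bounce-4711@mail.example.net>
Authentication-Results: mx.tcu.edu; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: "TCU Help Desk" <helpdesk@tcu.edu>
To: someone@tcu.edu
Subject: Very Funny!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your mailbox is over quota. Open the attached form and verify your password within 24 hours.
--b1
Content-Type: application/octet-stream; name="quota_form.pdf.exe"
Content-Disposition: attachment; filename="quota_form.pdf.exe"
Content-Transfer-Encoding: base64

SGVsbG8=
--b1--
"""

# Constructed legitimate message for contrast.
CLEAN_MESSAGE = """\
Return-Path: <colleague@tcu.edu>
Authentication-Results: mx.tcu.edu; spf=pass smtp.mailfrom=tcu.edu; dkim=pass header.d=tcu.edu
From: Colleague <colleague@tcu.edu>
To: someone@tcu.edu
Subject: Agenda for Thursday
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Agenda attached.
--b2
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""


def domain_of(address_header) -> str:
    """'Name <user@host>' -> 'host' (lower-cased), '' if there is no address."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def sender_checks(msg) -> list:
    """Findings about who really sent the message, beyond the From field."""
    findings = []
    from_domain = domain_of(msg.get("From"))
    bounce_domain = domain_of(msg.get("Return-Path"))  # envelope sender
    if bounce_domain and bounce_domain != from_domain:
        findings.append(f"From claims {from_domain} but bounces go to {bounce_domain}")
    # Results the receiving server wrote when it checked SPF/DKIM/DMARC.
    auth = str(msg.get("Authentication-Results", ""))
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(f"{method.lower()}={result.lower()}")
    return findings


def attachment_checks(msg) -> list:
    """Flag attachment names by their final extension, as the slide advises."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        labels = name.lower().split(".")
        ext = labels[-1] if len(labels) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: executable type .{ext}")
            if len(labels) > 2:  # e.g. quota_form.pdf.exe
                findings.append(f"{name}: double extension hides the real type")
        elif not ext:
            findings.append(f"{name or '(unnamed)'}: no file extension")
    return findings


def triage(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    findings = sender_checks(msg) + attachment_checks(msg)
    return {"subject": str(msg.get("Subject", "")), "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    for raw in (PHISH_MESSAGE, CLEAN_MESSAGE):
        report = triage(raw)
        print(report["subject"], "->", "SUSPICIOUS" if report["suspicious"] else "ok")
        for f in report["findings"]:
            print("   -", f)
```

The checks mirror the slides: the From address is whatever the sender typed, so the script trusts the Return-Path and the receiving server's own Authentication-Results over it, and it judges an attachment by its last extension, which is what the operating system will actually use when the file is double-clicked.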
Email Best Practices
• Use the BCC field when sending to large distribution lists.
• Protects recipients' email addresses.
• Prevents Reply to All problems.
• Avoid using large distribution lists unless there is a legitimate business purpose.
• E.g., for the All Faculty/Staff list, use TCU Announce instead.
• Beware of the Reply to All button.
• Don't forward chain letters.
Data Protection
• Do not email unencrypted Sensitive Personal Information (SPI).
• On-campus email: encrypt it, or use a shared drive instead.
• Digital ID: allows you to digitally sign and encrypt email. Required for both sender and recipient. Email security@tcu.edu to request one.
• WinZip version 10 and above: create an encrypted archive to send in email (choose AES encryption, not the older ZIP 2.0 password protection, which is weak).
• Office 2007: allows AES encryption of documents.
• Email the password separately, never in the same message as the file!
Resources
• TCU Computer Help Desk
• 817-257-6855
• Help@tcu.edu
• http://Help.tcu.edu
• Location: Mary Couts Burnett Library, first floor
• Information Security Services
• https://Security.tcu.edu
• Security@tcu.edu