Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams

Upload: barrie-casey

Post on 17-Dec-2015

TRANSCRIPT

Page 1: Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams

Bsharah Presentation

Threats to Information Security

Protecting Your Personal Information from Phishing Scams

Page 2

Learning Objectives

• Define a phishing scam.

• Describe how a phishing scam is carried out.

• Explain methods for detecting phish email.

• Provide guidelines for how to avoid being phished.


Page 3

Risk

There is always risk when you use the internet.

Page 4

And then there is RISK


Page 5

Phishing Defined

• Phishing scams or attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.

• The term "phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users.

• The name was coined in the 1996 timeframe by hackers who were stealing America Online accounts[1].


Page 6

Phishing Facts

• 3.2 million: number of people who fell victim to phishing scams in a one-year period[2]

• $3.6 billion: total dollar loss of all phishing victims over the same one-year period[2]

• $1125: average dollar loss per phishing victim over the same one-year period[2]

• 8.5 billion: number of phishing emails sent world-wide each month[3]

• 32,414: number of phishing web sites that were operational in May 2008[4]


Page 7

How Phishing Works

• First, a fake web site is designed to look and act exactly like a real site ("spoofed" organization).

• A fraudulent email is then crafted to look like it originated from the legitimate organization.

[Figure: screenshots of the real site and the fake site shown side by side]


Page 8

How Phishing Works

• The email is sent out to countless potential victims, either directly or through automated networks like botnets.

• The email contains links to the bogus web site operated by a criminal.


Page 9

How Phishing Works

• The victim follows the link in the email to the fake site and fills in the requested information, thinking it is the genuine site.

[Figure: screenshot of the link in the phishing e-mail leading to the fake site]


Page 10

How Phishing Works

• The information is collected by the fraudulent site and sent back to the criminal.

Account ID

Social Security Number

Credit Card Number

PIN

Date of Birth


Page 11

How to Detect a Phish E-mail

• As scammers get better, their emails look more genuine.

• How do you tell if it’s a scam and phishing for personal information?

Page 12

Four Tests to Help Detect Phish E-mail

• First, look for spelling and grammatical errors in the email.

• Second, check the email header and look for anomalies.

– Even if the e-mail message appears to come from a sender that you know and trust, use the same precautions that you would use with any other e-mail message. Fraudsters can easily spoof the identity information in an e-mail message.
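The header anomalies this second test looks for can be checked mechanically. The following is an added example, not from the slides, that runs Python's standard e-mail parser over a constructed message; the bank domain and the hypothetical sender domains are assumptions.

```python
"""Flag spoofing indicators in an e-mail header (added example, not from the slides)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the display name claims a bank, but the address and
# bounce path use unrelated, hypothetical domains.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.7])
From: "Wells Fargo Online" <support@wellfargo-secure.example.com>
Reply-To: <verify@wellfargo-secure.example.com>
To: customer@example.org
Subject: Please confirm your account

Your account has been limited. Click here to confirm.
"""

def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""

def header_anomalies(raw: bytes, expected_domains: set) -> list:
    """Return a list of findings; an empty list means no anomaly was detected."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    # The visible sender domain is not one the organization actually uses.
    if from_domain and from_domain not in expected_domains:
        findings.append(f"From domain {from_domain!r} is not an expected sender domain")
    # The display name carries the brand, but the address behind it does not.
    brands = {d.split(".")[0] for d in expected_domains}
    if any(b in name.lower().replace(" ", "") for b in brands) and from_domain not in expected_domains:
        findings.append(f"display name {name!r} does not match address domain {from_domain!r}")
    # Bounce address and From disagree (typical of bulk-mailed phish; some legitimate mailers too).
    rp_domain = domain_of(msg.get("Return-Path", ""))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain!r} differs from From domain {from_domain!r}")
    # Replies would be routed somewhere other than the apparent sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings

if __name__ == "__main__":
    for finding in header_anomalies(SAMPLE_EMAIL, {"wellsfargo.com"}):
        print("ANOMALY:", finding)
```

A Return-Path mismatch alone is also produced by some legitimate bulk mailers, so treat the findings as signals to weigh together rather than a verdict.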


Page 13

Real or Fake?

Page 14

Four Tests to Help Detect Phish E-mail

• Third, analyze the links in e-mail messages to determine the real target address or URL.

– Most e-mail programs (e.g., Outlook 2007) show you the actual target address of a link when you hover the mouse over the link. Or you can view the email source and/or link properties.

– If the target address contains an IP address, such as 192.168.100.1, do not click the link.

– Make sure that the spelling of words in the link matches what you expect. Scams often use URLs with typos in them that are easy to overlook, such as “www.micosoft.com” or “http://online.wellfargo.com”.

Page 15

Example: Determine the Real Target Address or URL


Visible link: https://online.wellsfargo.com/?customersupport=CONFIRMATION

Called link (≠ visible link): http://202.67.159.110:5180/login1.html
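The third test (compare the visible link with its real target, refuse bare IP targets, watch for typo'd domains) can be automated over an HTML e-mail body. This is an added example, not part of the presentation; it embeds a constructed snippet built around the visible/called link pair above and assumes wellsfargo.com as the only trusted domain.

```python
"""Compare the visible link text with the real href in an HTML e-mail (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML snippet modelled on the slide's visible/called link pair.
SAMPLE_HTML = """
<p>Please <a href="http://202.67.159.110:5180/login1.html">https://online.wellsfargo.com/?customersupport=CONFIRMATION</a>
to confirm. Or visit <a href="http://online.wellfargo.com/">Wells Fargo</a>.
Legitimate: <a href="https://www.wellsfargo.com/">https://www.wellsfargo.com/</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host: str) -> bool:
    """True when the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html: str, trusted_domains: set) -> list:
    """Return (href, reason) for each link that fails one of the slide's tests."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if is_ip_literal(host):
            findings.append((href, "target is a bare IP address"))
        # Visible text that is itself a URL must point at the same host as the href.
        elif text.startswith(("http://", "https://")) and (urlparse(text).hostname or "").lower() != host:
            findings.append((href, f"visible URL host differs from real host {host}"))
        # Anything else must be the trusted domain or a subdomain of it.
        elif not any(host == d or host.endswith("." + d) for d in trusted_domains):
            findings.append((href, f"host {host} is not a trusted domain (possible typo-squat)"))
    return findings
```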

Page 16

Four Tests to Help Detect Phish E-mail

• Fourth, verify the security and identity of the Web site.

– Click the lock icon to display the security certificate for the site. The name following “Issued to” should match the name of the site. If the name differs, you may be on a fake site.

– Some sites feature verified identity and security information. When you visit a verified site using Internet Explorer 7, the browser address bar turns green and the identity information appears on the right-hand side of the address bar.

– This makes it easy to check the identity information and ensure that it matches the site that you expected to see.

Page 17

Example: Verify the Security


Page 18

Guidelines to avoid being phished

• If you are requested to update your account information or change your password, connect to the Web site by using your personal bookmark or by typing the URL directly into your browser.

• Don't trust offers that seem too good to be true.

– If a deal or offer in an e-mail message looks too good to be true, it probably is.

Page 19

Guidelines to avoid being phished

• Never enter personal or financial information into a pop-up window.

– Even if the pop-up window looks official or claims to be secure, avoid entering sensitive information, because there is no way to check the security certificate.

– Close pop-up windows by clicking the red X in the top right corner (a "Cancel" button may not work as you'd expect).

• Regularly update your computer protection software and browser.

• Report suspicious e-mail.

– Report the e-mail to the faked or "spoofed" organization. Contact the organization directly, not through the e-mail you received.

– Report the e-mail to the proper authorities, including the FBI, the Federal Trade Commission (FTC), and the Anti-Phishing Working Group.

Page 20

Homework for next class

• Phishing scams

– Phishing example

– Phishing example

– Phishing quiz

• Distributed denial-of-service attacks

– See botnet demonstration


Page 21

Another Example – Amazon

[Figure: screenshot of the Amazon phishing example, with its View Source shown]


Page 22

Risk Optimization


Page 23

How Public Key Encryption Works


Page 24

How Digital Certificates Work
