Phishing Scam (INFO 2602, Sect 1)

Emilia Sarah binti Abd Rahman 1114806
Nur Shafinaz binti Md Sharil 0939856
Zafirah binti Esa 1122688

Posted on 26-May-2017


Page 2

WHAT IS PHISHING?

• Also known as “brand spoofing” or “carding”, phishing is a term used to describe various scams that use (primarily) fraudulent e-mail messages, sent by criminals, to trick victims into exposing personal information.

• The act of attempting to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Page 3

WHAT IS PHISHING?

How to recognize phishing email messages, links, or phone calls?

• Criminals can do this by installing malicious software on your computer or by stealing personal information from your computer.

• Criminals also use social engineering to convince you to install malicious software or hand over your personal information under false pretences.

Page 4

WHAT IS PHISHING?

[Slide image: example of a phishing email message]

Page 5

WHAT IS PHISHING?

Phishing phone calls

• Criminals might call you on the phone and offer to help solve your computer problems or sell you a software license.

• Criminals might ask for your user name and password or ask you to go to a website to install software that will let them access your computer to fix it.

Page 6

ISSUE: Wire Fraud – A New Twist to an Old Scam

April 23, 2012

• Wire Fraud is a financial fraud involving the use of:
  1. Telecommunications - phone or fax
  2. Information Technology - email

• Credit Unions recently reported losses to CUNA (Credit Union National Association) Mutual Group from unauthorized wire transfers requested by email.

• Subsequent investigation by the Credit Unions disclosed that the Members’ email accounts were hacked. The fraudsters sent the email requests from the hacked accounts, making it appear the emails were sent by the Members.

• Previously, such requests were made by phone or fax.

Page 7

ISSUE: Wire Fraud – A New Twist to an Old Scam

How do they do it?

1. After hacking into the victim’s email account, fraudsters look for financial account information by searching through the contact list and “sent” email folder.

2. The fraudster then sends an email to the financial institution or brokerage firm employee using the victim’s email account, requesting the balance of the victim’s account.

3. If the request for balance information is successful, the fraudster sends another email using the victim’s email account with instructions to wire funds to an account at another financial institution, foreign or domestic. (The emails received by financial institutions and brokerage firms typically contain a reason why the account holder can only communicate via email, generally due to illness or death in the family.)

Page 8

ISSUE: Wire Fraud – A New Twist to an Old Scam

Be alert for signs indicating a possible compromise of your email accounts, including the following:

– Complaints of spam received from individuals on your contact list
– Emails contained in the “Sent” folder that you did not send
– Email inbox contains “MAILER DAEMON” rejection notices indicating sent emails were rejected
– Contents of email folders have been deleted (e.g., Sent, Spam, Deleted, etc.)
– Failure to receive new email
– Unable to log in to your email account due to an invalid password

Page 9

PREVENTION

• Many experts contend that phishing is less of a “technology problem” and more of a “user problem”; the responsibility ultimately lies with the user, who must be aware of where they are browsing, what information they are giving over the Internet, and to whom they are giving it.

Page 10

PREVENTION

• Do not reply to e-mails asking to confirm account information. Call the company or log on to its web site directly to confirm that the e-mail is legitimate.

• Do not e-mail personal information. When submitting information via a web site, make sure the security lock is displayed in the browser.

• Review credit card and bank account statements for suspicious activity.

• Report suspicious activity.
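As an added example (not part of the slides), the Python script below shows the kind of check a mail filter, or a user's own tooling, can run before trusting a link in a message that asks to "confirm account information". It extracts every link from a constructed HTML e-mail body and flags links that are not HTTPS, that do not sit under the brand's own domain, that use a punycode (look-alike) host, or whose displayed URL differs from the real target. The brand domain examplebank.com, the sample message and the other hosts in it are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the brand the message claims to come from. A real filter would
# take this from the sending organisation's policy, not hard-code it.
EXPECTED_DOMAIN = "examplebank.com"

# Constructed sample HTML body in the style of an "account confirmation" lure.
SAMPLE_HTML = """
<p>Dear customer, please confirm your account details.</p>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://examplebank.com.account-check.example/verify">https://www.examplebank.com/verify</a>
<a href="https://xn--exmplebank-4za.com/login">Log in now</a>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name. Naive (ignores co.uk-style suffixes) but
    enough for the constructed sample; a real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href: str, text: str, expected: str = EXPECTED_DOMAIN) -> list:
    """Return the reasons this link should not be trusted (empty list = nothing found)."""
    findings = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append("link is not HTTPS")
    if registered_domain(host) != expected:
        findings.append(f"target host {host!r} is not under {expected}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("target host uses punycode (possible look-alike domain)")
    # Visible text that itself looks like a URL must agree with where the link really goes.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append("displayed URL differs from the real target")
    return findings


def scan_message(html: str) -> list:
    """Return [(href, text, findings)] for every link in the message body."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, text, findings in scan_message(SAMPLE_HTML):
        status = "OK" if not findings else "SUSPICIOUS: " + "; ".join(findings)
        print(f"{text!r} -> {href}\n    {status}")
```

Only the first link passes; the second collects three findings (plain HTTP, a host outside the brand's domain, and a displayed URL that does not match the target) and the third is flagged for its punycode host. The domain check is deliberately simple; a production filter would resolve the registered domain with the public suffix list and, as the next slide describes, compare hosts and source IPs against a maintained list of known phishing sites.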

Page 11

PREVENTION

• Two-factor Authentication
  – Validates a user’s credentials by using two separate methods to verify the user.
  – Uses one-time passwords that expire after a single use.
  – Passwords are generated using a shared electronic key.

• Firewalls
  – There are email firewall products that implement rules to block spam and phishing scams.
  – They offer “heuristic” rules that are updated as new phishing schemes are found.
  – They also verify the IP numbers and web addresses of the email source and compare them to known phishing sites.
  – They can be an effective defense against spam and phishing for larger organizations.

Page 12

PREVENTION

• Anti-virus Technology
  – If a user is infected with a worm that, in turn, installs a Trojan horse that can capture personal data, then antivirus technologies are effective.
  – All users should implement an anti-virus product regardless of whether they are concerned about phishing or online fraud.

• Communications
  – Companies need to communicate with their customers to keep them apprised of scams or other threats.
  – They should make policies clear and make sure the customers are aware of how information will be gathered and disseminated.

Page 13

PREVENTION

• Defense-in-Depth
  – To be secure, a defense-in-depth approach must be put in place.
  – Users and companies need to be educated about:
    • the scams and risks
    • authentication methods need to be employed
    • firewalls should be in use
    • anti-virus technologies should always be installed
    • browser-based anti-phishing technologies should be considered
    • companies should communicate with their customers
    • digital certificates and other encryption schemes should be implemented.
  – When these layers of protection are utilized, the chance of a phishing attack being successful is greatly reduced.

Page 14

CONCLUSION

• Phishing scams can pose a significant threat to consumers and the companies they deal with.

• Phishers will keep coming up with new ways of attacking users.

• Banks or financial institutions should undertake periodic vulnerability analysis to identify and plug weaknesses that can lead to a successful phishing attack.

• The solution lies in a combination of controls set up by the organization and user awareness.