2005 Security Awareness Day

1
Phishing

• 2005 Security Awareness Day
• Kelley Bogart
• University Information Security Coordinator

2
Have you received an email that says something
like this?

• We suspect an unauthorized transaction on your
  account. To ensure that your account is not
  compromised, please click the link below and
  confirm your identity.
• OR
• During our regular verification of accounts, we
  couldnt verify your information.Please click
  here to update and verify your information.

3
This is a typical phishing attempt
4
Phishing

• Basically it involves Internet fraudsters who
  send spam or pop-up messages to lure personal
  information (credit card numbers, bank account
  information, Social Security number, passwords,
  or other sensitive information) from unsuspecting
  victims.

5
Stats from Anti-Phishing Working Group

• phishing scams grew by 33 percent in Oct. 2005
• 1518 active phishing sites during Oct. 2005
• phishing Web sites have grown by an average rate
  of 28 percent monthly since July 2005
• 51 online brands were targeted by phishing scams
  in Oct. 2005

6
EBAY
7
EBAY
8
EBAY
9
EBAY
10
PayPal
11
PayPal
12
PayPal
13
Visa
14
Visa
15
Microsoft
16
Recognizing Phishing

• False Sense Of Urgency - Threatens to
  "close/suspend your account," or charge a fee.
• Indirect invitation - "Dear valued customer",
  "Dear reader", "In attention to service name
  here customers.
• Misspelled or Poorly Written - Helps fraudulent
  e-mails avoid spam filters.

17
Recognizing Phishing

• Suspicious-Looking Links Pop-Ups Links
  containing all or part of a real company's name
  asking you to submit personal information.
• Hyperlinks spoofing You see the
  "http//www.yourbank/Login" link in the message,
  but if you hover the mouse cursor over the link,
  you will see that it points to "http//www.spoofed
  banksite.com/Login"

18
Arizona State Credit Union
19
Phishing?
20
Phishing mixed with Spyware

• With this type of scam, you would be invited to
  click on an image--to get a low-priced item or
  sweepstakes entry, for instance. With that click,
  you'll unknowingly download spyware onto your PC.

21
Discover Card Awareness
22
Citibank
23
New Form of Phishing

• Unlike a scam which tries to trick you into
  providing personal information.
• This
• Executes code
• Changes your host file
• Redirects legitimate webpage to spoofed site
• .and all you did was open an email or view it in
  a preview pane in programs like Microsoft Outlook

24
FTC suggests these tips to help avoid getting
hooked by a phishing scam

• If you get an email or pop-up message that asks
  for personal or financial information, do not
  reply. And dont click on the link in the
  message, either.
• Use anti-virus software and a firewall, and keep
  them up to date.
• Dont email personal or financial information.

25
FTC suggestions (contd)

• Review credit card and bank account statements as
  soon as you receive them
• Be cautious about opening any attachment or
  downloading any files from emails
• Forward spam that is phishing for information to
  spam_at_uce.gov and to the company, bank, or
  organization impersonated in the phishing email.

26
Additional Protection Tips

• Treat all email with suspicion
• Never use a link in an email to get to any web
  page
• Ensure that all of your software is up to date
• Use anti-spyware detection software on a regular
  basis

27
Additional Protection Tips

• If you must use your financial information
  online, ensure that you have adequate insurance
  against fraud
• Be aware or beware.

28
Questions

• Thanks for joining us
• Stay for the drawing and be sure to enter into
  the drawing for the 500 American Express Gift
  Card and also the IPOD

More examples available at http//www.antiphishin
g.org