Software Training Services - University of Akron · Software Training Services Welcome to the online course: Phishing: Don’t Fall for it! 2 Objectives • Definition of Phishing


Page 1:

Phishing: Don’t Phall Phor It

Part 2

Software Training Services

Welcome to the online course: Phishing: Don’t Fall for it!

Page 2:

Objectives
• Definition of Phishing
• State of Phishing Today
• Recognizing Phishing/Phishing Tricks
• Examples
• Best Practices
• What to do if you get “hooked”
• Summary

This is the second part of a two-part course on Phishing. In this portion of the course we will:
• Continue to provide some examples of phishing and point out how to identify these as phishing scams
• Expose some advanced phishing tricks
• Provide best practices to help you avoid phishing scams and help alert you to phishing
• Identify the appropriate course of action should you become a victim of phishing

You will want to make sure you have watched Part 1 of the Phishing Course prior to watching this segment. Each part takes approximately 15 minutes to watch.

Page 3:

Take Notice:
• Logo will likely be included
• It will employ a method to establish trust
• Often some genuine-looking fine print at the bottom
• Logos and fine print can EASILY be stolen from the real web site

Take note of the following items:

Most likely a company logo will appear on the web page and email. Many people think just because they see a corporate logo the message (or web page) is legitimate – WRONG. It’s extremely easy to go out and capture a logo and re-use it. The phisher will try to establish trust with you. The bottom of the email might claim they are doing everything in their power to stop identity theft and they have high security standards. The message itself may state that they are doing this to protect your information – Don’t believe them!

They may have some genuine-looking fine print at the bottom of the message or web page. We have all seen the “fine print” that companies place on their correspondence – just because it has fine print does NOT mean it’s the real thing!

It is important to keep in mind that logos and fine print can very easily be stolen from the real web site. Therefore, the presence of these items does NOT make a message legitimate.

Page 4:

Examples of Phishing

Here’s a good example of a phishing email. Notice the web address in the center of the page. The web address appears to be ebay.com/login which looks legitimate. However, if we place the mouse over the link and look at the status bar at the bottom of the page, we discover the real web address which is 203.193.92.138/signon.ebay.com/ etc. This has no affiliation with ebay – they tried to fool us by making it look like we are going one place, when in fact, we are going someplace quite different.

Page 5:

Actual link: http://211.250.204.133/docs/zens/Citizens%20Bank%20Online%20-%20$%205,00%20Giveaway%20Survey.htm

Here’s another example: the visible link appears to be going to citizensbankonline.com – but if we place our cursor over the link and look at the status bar, we see once again that we are going someplace quite different. We’ll click on the link anyway and see where that takes us.

Page 6:

Address Bar:

Fraudulent lock symbol

There are more clues that this isn’t the real Citizens Bank. First, if we look at the address bar at the top of the page we can see this isn’t citizensbankonline. Second, they are asking us for our account number and PIN information – if this were really our bank they would have this information already. Finally, remember when I said earlier that if you are ever asked to enter confidential information on a web page you should see a lock in the lower right corner and the web address should begin with https – neither of these security indicators is present on this page. They have included a lock icon in an attempt to fool us into believing this is a secure site. All of these facts should lead us to the conclusion that this is a phishing site.

Page 7:

Looks persuasive…

Here’s another example, supposedly from LaSalle Bank and appearing to be legitimate. We’ll click on the Continue button.

Page 8:

No Lock icon in status bar

Once again, we are being asked to enter confidential information with no lock icon in the lower right status bar, and the web address does not begin with https. In addition to that, the web address shows us we clearly are not at LaSalle Bank.

Page 9:

Advanced Tricks - Address Bar Forgery

• Float a second “address” bar over the real one

• Only the fake address is visible

Now that you know the basic tricks, let’s move on to an advanced trick that the phisher uses to try to hook you!

In this trick a forged address bar is floated over the actual one. The forged address bar will then appear to display a legitimate web address – masking the fact that it is actually a phishing site.

Page 10:

Let’s take a look at this example: This message appears to be from Charter One – they have copied the Charter One logo to help fool you into believing this is legitimate. However, we do have some good indications this one is false. Look at the line “Thank you for using ebay account” – and the signature from “the Ebay Team”. Actually, they didn’t do a very good job of composing this message – they probably copied this message from another scam and forgot to change some of the text. Some people might overlook this and still click on the “Click Here” link. Remember – we could also hover our mouse over the Click Here link and see what address appears in the status bar – that might give us a good clue as to whether or not this is real. We’ll go ahead and click the link.

Page 11:

The link takes us to this page. Notice the web address appears to be Charter One – most people would think they were on Charter One Bank’s site. The phisher actually overlaid the address bar with their fake one. Therefore, this is NOT Charter One’s web page.

Page 12:

Select File-Properties from the menu to view the actual URL:

If you select File-Properties from the menu you will see a dialog box similar to this one, which shows the real web address – clearly NOT Charter One Bank.

Page 13:

Forged Address Bar and Forged ToolTip

This example uses a fake address bar and a fake tool tip. A tool tip can be created to pop up a tip whenever the mouse is placed over a specific line of text. In this case, it works similarly to the status bar in that the tool tip displays the web address for the link. In this example, the tool tip matches the link, so it would be only natural to believe that the link is legitimate. Actually, the tool tip can be created to display any text – and has no relation to the real address. The phisher is just using the fake tool tip to lure the unsuspecting user into clicking the link. The phisher did the same thing with the actual web address you see – https://onlinebanking.hunington.com – you might be inclined to believe this is the real web address since the address looks secure with https and appears to be legitimate. In reality, the phisher just forged the address line so it looks real – when the link is selected it will take you to a completely different site. So, we’ll click the link and see where it takes us.

Page 14:

Clue: No lock icon

Once again, the phisher did a good job because we see the forged address bar which they laid over the top of the real one. The only clue here that this is a fake site is the lack of the lock icon in the lower right corner.

Page 15:

File-Properties displays the real web address:

We can select File-Properties from the menu to discover the real web address.

Page 16:

Best Practices: What You Can Do

• Be suspicious by default
• Scrutinize web addresses: verify link targets
• Don’t visit sites via links – use bookmarks and keywords or type in the web address
• Disclose email address only when necessary
• Check to make sure the Web site is using encryption (secure site https)
• Lock icon appears in the lower right-hand corner of the status bar

Now that we’ve shown you some examples of phishing sites and some of the tricks used by phishers, let’s go over some basic “Best Practices” that everyone should be aware of:

To start with, be suspicious by default. Don’t believe everything that comes into your email box.

You should scrutinize web addresses contained in email messages. Remember, you can verify the link targets by holding your mouse over the link and looking for the address in the status bar at the bottom of the screen. However, keep in mind that the phisher does have some tricks in his pocket for making the web address in the status bar look real. Make it a general rule NOT to visit sites by clicking on a link in email. Type the URL in yourself and create bookmarks to return to the site. This is much safer than trusting that the address contained in an email message is legitimate.

The next thing you should do is only disclose your email address when necessary. The more you enter your email address into web sites, the better the chance that a phisher will get hold of your address and target you. That means you need to resist the temptation to sign up for those free coupons or to get those cute smiley face emoticons to send to your friends, etc. Remember, providing your email address to every web site that asks for it also increases the likelihood that you will get more spam – and who wants that?

The other tip you learned today was to verify that the web site uses encryption any time they ask you to enter confidential information. Encryption means the site is secure, and you learned the 2 ways to test for that are to look for https in the address and the lock icon in the lower right corner. A word of caution, though – remember, the phisher may know how to place a fake address bar over the real one – so you can’t always trust that! However, you did learn to select File-Properties from the menu to discover the real web address.

Page 17:

Best Practices: What You Can Do

• Don’t be put at ease by language that suggests a concern for your security
• Know common formats of fraudulent links
• Never respond to requests for personal information via e-mail or in a pop-up window
• You can forward phishing messages to [email protected]

Some additional best practices include not being put at ease by language that suggests a concern for your safety. The phishers are very skilled in phrasing the messages in the most convincing manner – don’t let them fool you.

You also want to be aware of common formats for fraudulent links. After completing this presentation you should be very good at evaluating the legitimacy of links. In addition, NEVER respond to requests for personal information via email or a pop-up window. If a request really seems legitimate, contact the business over the phone first and verify that they really did send the information. It just takes a few minutes, and those few minutes could save you thousands of dollars. If you do receive a phishing message you can forward it to [email protected]. By providing the appropriate organization with the information they can go after the phisher and shut down their web site.

Page 18:

Best Practices: Know what to look for

• Impersonal or generic greetings
• Time limited offers or urgent requests for personal information
• Fake links
• Spelling mistakes and poor grammar
• Attachments – DON’T open them
• NEVER log into any account from a link in an email

You should also know what to look for to help alert you to phishing:

One of the easiest to spot is impersonal or generic greetings. For example, emails will be addressed to “PayPal Customer” rather than your full name.

Normally the messages will have a sense of urgency to them – they notify you of a limited time offer, or inform you that you must take action immediately or risk having your account suspended.

You should always be on the lookout for fake links – this presentation gave you a lot of methods for verifying links; make sure you put this information to use! Also be on the lookout for spelling mistakes and poor grammar – these are very easy clues to look for.

As for attachments – don’t open them! Only open attachments that you are expecting and that are from someone you know. However, just knowing the sender of the attachment doesn’t make it OK to open it – always check with the sender if you receive an attachment you weren’t expecting. Do this BEFORE you open the attachment.

Never log into an account from a link in an email. You have learned how easy it is for the phisher to fool you into thinking that you are going to a legitimate web site.
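The cues on this slide (a generic greeting, urgency, a request to log in through a link, an attachment) are the kind of thing a mail filter scores before a message ever reaches the reader. The example below is added for this page and is not part of the University of Akron course; it turns those cues into a small set of rules and a triage decision. The phrase lists, the two sample messages and the threshold are constructed for the example. Spelling and grammar, the one cue on the slide that resists a simple rule, is left to the human reader.

```python
import re

# Constructed phrase lists reflecting the cues listed on this slide.
GENERIC_GREETING_RE = re.compile(
    r"^\s*(dear|hello|hi)\b[^\n,]{0,40}\b(customer|user|member|client|account holder)\b",
    re.IGNORECASE | re.MULTILINE,
)
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ hours?|limited time|suspended|urgent|verify your account)\b",
    re.IGNORECASE,
)
LOGIN_RE = re.compile(r"\b(log ?in|sign ?in|click here)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


def message_indicators(subject, body, attachments=()):
    """Return the slide's warning signs found in a message, as a list of labels."""
    found = []
    text = f"{subject}\n{body}"
    # "Dear PayPal Customer" instead of the reader's own name.
    if GENERIC_GREETING_RE.search(body):
        found.append("generic-greeting")
    # Limited-time offers, threats of suspension, "act immediately".
    if URGENCY_RE.search(text):
        found.append("urgency")
    # A link the reader is told to log in from; the course says never to do this.
    if URL_RE.search(body) and LOGIN_RE.search(body):
        found.append("login-via-link")
    # Any attachment is noted; whether it was expected is for the reader to confirm.
    if attachments:
        found.append("has-attachment")
    return found


def triage(subject, body, attachments=(), threshold=2):
    """Classify a message as 'review' when it shows at least `threshold` warning signs."""
    found = message_indicators(subject, body, attachments)
    return ("review" if len(found) >= threshold else "ok", found)


# Constructed samples: one modelled on the PayPal-style message the slide
# describes, one an ordinary message carrying an attachment the reader expected.
PHISH = {
    "subject": "Account suspended - action required",
    "body": (
        "Dear PayPal Customer,\n\nYour account will be suspended unless you "
        "verify your account within 24 hours. Click here to log in:\n"
        "http://203.193.92.138/signon/\n"
    ),
    "attachments": [],
}
NORMAL = {
    "subject": "Slides from Tuesday",
    "body": "Hi Pat,\n\nHere are the slides you asked for after the meeting.\n",
    "attachments": ["phishing-part2.pdf"],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("NORMAL", NORMAL)):
        print(name, triage(**msg))
```

A single indicator is not a verdict: the ordinary message carries an attachment and is still classed “ok”, which matches the slide’s advice to open only attachments you expected and to check with the sender otherwise. Raising or lowering `threshold` trades missed phishing against false alarms, the same trade-off a real filter makes.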

Page 19:

What to do if you get “hooked”

• Alert the Credit Bureaus
  – Will put an ‘alert’ on your file for 90 days
• Request a copy of your credit report
  – www.annualcreditreport.com
  – Entitled to one free report per year
• Require written notice to extend credit

Even with all this advice, you may still become a victim of a phishing scam. If so, there are a number of actions you should take to minimize your loss and protect yourself: First, alert the credit bureaus that you have been a phishing victim. They can put an alert on your file for 90 days. Second, request a copy of your credit report from www.annualcreditreport.com. You are entitled to 1 free credit report per year. Third, require written notice to extend credit. Don’t let the credit companies allow your credit line to be extended automatically – require that they have your written notice to extend credit.

Page 20:

What to do if you get “hooked”

• Inform the impersonated company or person
• Close the account, reopen new one
• Report fraud to www.fraud.org
• Notify the credit bureaus
• Optionally, file a police report
  – Can be useful if evidence is needed for creditors

Some additional tips in case you become the victim of a phishing scam include informing the impersonated company or person. By notifying them you might be able to prevent others from being scammed. You should also close your account and reopen a new one. Make sure you report the fraud to www.fraud.org and that you notify the credit bureaus that you have become a victim. Optionally, you should file a police report. This can be useful evidence for the creditor.

Page 21:

What to do if you get “hooked”

• File a complaint with the FTC
• File a complaint at http://ftc.gov/ or call the FTC at 1-800-FTC-HELP (1-877-382-4357)
• Helps to coordinate efforts to combat fraud

You should also file a complaint with the FTC, or Federal Trade Commission. You can file a complaint on their website at ftc.gov or call them directly at 1-800-FTC-HELP. The FTC helps to coordinate efforts to combat fraud. They also have a great deal of useful information on their website that you may want to take a look at.

Page 22:

Summary
• Education is the best defense against phishing. Now that you know – educate others!
• Don’t become one of the victims!!

In summary, education is the best defense against phishing. Successfully completing this course on Phishing has provided you with a wealth of information to help you avoid becoming the victim of a phishing scam. Now that you know about phishing – educate others! You might even want to share the address of this presentation with them so they can become better educated on the subject of phishing.

Page 23:

Resources
• Office of General Counsel Identity Theft:
  – http://www.uakron.edu/ogc/PreventiveLaw/identitytheft.php
• Anti-Phishing Working Group:
  – http://www.antiphishing.org/index.html
• Identity theft website:
  – http://www.consumer.gov/idtheft/
• Consumer Fraud Reporting:
  – www.consumerfraudreporting.org
• Internet and Telemarketing Fraud:
  – http://www.fraud.org/

We’ve compiled a listing of valuable resources for you. If you haven’t already done so, you may want to print out a copy of the presentation so you have the complete list of resources. On this page we have The University of Akron Office of General Counsel web site on Identity Theft. This page provides a comprehensive overview of everything you need to know related to identity theft. The Anti-Phishing Working Group page contains updates on the latest phishing scams, current statistics, and many examples of phishing. The identity theft website is a one-stop national resource to learn about identity theft. The Internet and Telemarketing Fraud web site provides information on both internet and telemarketing fraud and how to report fraud.

Page 24:

Resources

• The full Phishing IQ test:
  – http://survey.mailfrontier.com/survey/quiztest.html
• Identity theft affidavit to dispute unauthorized accounts:
  – http://www.ftc.gov/bcp/conline/pubs/credit/affidavit.pdf
• Complaint to FTC:
  – https://rn.ftc.gov/pls/dod/widtpubl$.startup?Z_ORG_CODE=PU03

If you are interested in taking the complete Phishing IQ test, we have provided a link. There is also a link to an identity theft affidavit to dispute unauthorized accounts. Finally, there is a link to the FTC for the purpose of filing a fraud complaint.

Page 25:

Thank You Software Training Services/Application Support

[email protected]@uakron.edu

Questions?