cyber security-phishing: don’t become a victim of email fraud


Upload: lali

Post on 11-Jan-2016


CYBER SECURITY-PHISHING: DON’T BECOME A VICTIM OF EMAIL FRAUD


SPEARPHISHING Did You Know...

91% Of Targeted Attacks Start With Spear-phishing Email

The word phishing comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users.

The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting users. Because hackers have a tendency to replace "f" with "ph", the term phishing was derived.


SPEAR PHISHING

• The phish appears to be legitimately addressed from someone within that company in a position of trust and requests information such as login IDs and passwords.

• Spear phishing scams will often appear to be from a company’s own human resources or technical support division and may ask employees to update their username and passwords. Once hackers get this data, they can gain entry into secured networks.

• Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can steal data.


WHAT IS PHISHING?

(fish’ing) (n) The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.

• directs the user to visit a web site

• update personal information (passwords, credit card, social security and bank account numbers)


PHISHING TECHNIQUES

• Official looking and sounding emails

• Copies legitimate corporate emails with minor URL changes

• Standard virus/worm attachments to emails

• IP addresses instead of domain names in hyperlinks

• Setting up fake web sites that closely mimic the domain name of the target website.


3 THINGS TO REMEMBER

• YOU have to do something to be attacked!

• NEVER click on “Click Here” or embedded links!

• NEVER give personal information over internet!


TIPS TO HELP YOU RECOGNIZE PHISHING SCAMS AND FRAUDULENT EMAIL

• Generic greeting
• From and return path don’t match
• Insecure site - look for https://
• Requests personal information
• Sense of urgency
• Spelling errors
• Poor grammar
• Forged link - beware of the @ symbol in the URL
• Warns that you’ve been a victim of fraud
• Rule of thumb: Anytime you are asked for personal information, it is a scam
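Several of these signs, together with the "IP addresses instead of domain names" technique listed earlier, can be checked mechanically on a raw message. The Python below is an added example, not part of the original presentation; the function names, indicator names and sample message are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
GREETING_RE = re.compile(r"^\s*dear (customer|user|member|client)\b", re.I | re.M)
# Constructed sample (example domains, documentation IP); not from the slides.
SAMPLE = """\
From: "Example Bank Support" <support@example-bank.com>
Return-Path: <bounce@mailer.example.net>
Subject: Urgent: verify your account

Dear Customer,
Verify your account now: http://www.example-bank.com@203.0.113.7/login
"""

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def phishing_indicators(raw_message):
    """Return the sorted names of the warning signs found in one message."""
    msg = message_from_string(raw_message)
    found = set()
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        found.add("from_return_path_mismatch")
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    if GREETING_RE.search(body):
        found.add("generic_greeting")
    for url in URL_RE.findall(body):
        parts = urlsplit(url.rstrip(".,;)"))
        if parts.scheme.lower() != "https":
            found.add("link_not_https")
        if "@" in parts.netloc:  # the real host is whatever follows the @
            found.add("at_sign_in_url")
        if parts.hostname and is_ip(parts.hostname):
            found.add("ip_address_link")
    return sorted(found)
```

Legitimate bulk mail often uses a different Return-Path domain for bounce handling, so treat each result as a reason to look closer rather than as a verdict.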


Source: http://www.sonicwall.com/furl/phishing/phishing-quiz-question.php


Other Phishing Scams

• The "Nigerian" Scam: Costly Compassion

1997-Secret Service confirmed losses just in the US of over 100 million dollars in 15 months

• Help! I'm Stuck in London and I've Been Robbed!

• Fake FBI E-mails Seeking Personal Information

• Work-From-Home Scams

• Dormant African Account


“HELP, IT’S ME”

-----Original Message-----

From: C. McGarrett; [email protected]

to: undisclosed recipients: ;

Sent: Fri, Sep 2, 2011 7:25 am

Subject: It's urgent, please respond

It’s me, I really don't mean to inconvenience you right now. I made a little trip to Scotland, and misplaced my wallet that contains my passport and credit cards. Just hearing from me like this, sounds a little odd, but it all happened very fast. I've just been issued a temporary passport and also my ticket, but I'm short of funds to pay for the bills here. I've also been trying to reach my credit card company, but from the message I just received, I'll need some verifications like answering my home phone, and that will only happen when I'm home. Please, can you lend me some funds to secure the bills? I'll be willing to pay back as soon as I return.

Please respond as soon as you get this message, so I can forward my details to send the money via western union or money gram, you can also contact me via the hotel's desk phone. The numbers are, 011448717947613, +448717947613

Looking forward to your response.

In HIS Service and Yours,
Christian McGarrett
Police Detective Sergeant and State Criminal Investigator

http://www.identitytheftsecrets.com/identity-theft-secrets-readers-true-crime-story-traveling-email-scam


Phishing Facts

6.1 Billion - Number of phishing e-mails sent world-wide each month

$1,200 - Average loss to each person successfully phished (Federal Trade Commission)

15,451 - Number of unique phishing attacks in January 2006 (Anti-Phishing Working Group)

7,484 - Number of phishing Web sites found in January 2006 (Anti-Phishing Working Group)

27,221 - Number of phishing Web sites found in January 2007 (Anti-Phishing Working Group)

Source: http://www.sonicwall.com/furl/phishing/


USE COMMON SENSE – YOU need to do something to be attacked

Why would a perfect stranger pick YOU - also a perfect stranger - to share a fortune with and why would you share your personal or business information, including your bank account numbers, with someone you don’t know?

If it sounds too good to be true….IT IS!


WHAT CAN I DO TO PREVENT PHISHING?

• Keep all software updated, especially anti-virus
• Stay away from shady websites
• Do not respond to suspicious email and do not click on any links within the email
• Only open email attachments if you're expecting them
• If you get ERROR when making purchase - DO NOT CONTINUE
• LOG OFF – Don’t just close browser
• If doing private transaction, CLOSE TABS – Every open tab allows access to others.
• YOU initiate connection/communication – Don’t click on link to get there
• Call company by phone if you get a suspicious email but DO NOT call the phone number in the email
• Remove programs you don’t need
• Reboot occasionally


E-mail client configuration

YOU control what you download

•Do NOT auto execute anything

•Do NOT automatically download HTML graphics or content

•Do NOT display graphics in message

•Do NOT allow executable html content

•Turn OFF Attachment Preview

•If NOT sure configure to “WARN ME BEFORE”

•You can control drive-by scripts running across the screen


DISABLE PASSWORD OPTIONS


WHAT TO DO IF YOU RECEIVE A SUSPICIOUS EMAIL

• DO NOT respond to the email
• DO NOT CLICK ON A LINK IN AN EMAIL unless you are sure of the real target address. (Hover mouse over link and compare to email header—very close but does not match.)
• NEVER reveal personal or financial information in a response to an email request, no matter who appears to have sent it.
• D-E-L-E-T-E the email


WHAT TO DO IF YOU’VE RESPONDED TO A PHISHING SCAM:

• Report the incident -FTC, FBI, Secret Service, UNM IT Services

• Change the passwords on all your online accounts

• Routinely review your credit card and bank statements

• Use the latest products and services to help warn and protect you from online scams (Antivirus software can only protect you from known viruses.)


If you think you have been a victim of a phishing scam or want further information, please contact Deb Kuidis at 277-0732 or [email protected].

http://research.unm.edu/industrialsecurity/