SlideShare a Scribd company logo
1 of 43
Email Phishing and
Countermeasures
Email Security
jorge.sebastiao@its.ws
May 2006 – Veterans Administration
laptop with personal information on
26.5M veterans is stolen. “Total
losses could top $500M.” – VA
Secretary Nicholson
Jan 2007- Hackers stole data from at
least 45.7 million credit and debit cards
at retailer T.J.Maxx – total costs could
exceed $1.0B
May 2006 – CIO, CSO fired Ohio
University 137,000 student
accounts compromised
Why Does This Happen?
Firewall IDS Anti-Virus
Attack
ATM is also a type of Phishing
Can you spot a “Social Engineer”?
Phishing is Social Engineering
Social Engineering
What is Social Engineering?
“An attempt to influence a person into granting
unauthorized access, unauthorized use or
unauthorized disclosure of an information system,
network or data. Modifying system configuration.”
“How to blunt the socially engineered hack” by Michael Casper
(http://www.computerworld.com/cwi/community/story/0,3201,NAV6
5-663_STO65473,00.html)
Social Engineering
… 70 percent of those asked said they would
reveal their computer passwords for a …
Schrage, Michael. 2005. Retrieved from
http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1
Bar of chocolate
Social Engineering
Methods of Social Engineering
Information Gathering
Information Planting
Email Scams
Masquerading
Dumpster-diving
Help desk/Support areas
Receptionist/Administrative areas
Launching attack
Vulnerability in People
Cause: A large growing population of internet
illiterate users are using internet email and
other user friendly applications.
Threat: Illiteracy in how the internet works and
its threats allows miscreants to attack a
network or person through social engineering.
This is the fastest growing method of hacking
we have seen.
Human nature is that people are trusting, even
those things which may be false.
Social Engineering – Information
Gathering
Scenario #1 – YOU: How many of you have
provided personal information online or over the
phone to a vendor or service?
Personal Information May Include
Social Security Number (or just the last 4 digits)
First, Middle, Last names – Maiden Name
Mothers Maiden Name
Address, Phone Number
Email Address?
Credit Card Number – CVV2 Code
ATM PIN Code
Passwords you may use elsewhere
Social Engineering – Information
Gathering
Scenario #1 - YOU: Was that information sent
securely? Will it be shared with someone else?
Was it compromised?
Scenario #2 – SOMEONE ELSE: Have you
ever asked for personal information and been
offered that information freely or without much
effort?
Social Engineering – Information
Gathering
Example: How many of you would provide
personal information to someone who called you
on the phone? Over the Internet?
Social Engineering is an art, basically the art of
listening and lying at the same time, while
seemingly having a typical conversation.
Read More: The Art of Deception – Kevin Mitnick
Social Engineering – Information
Planting
Scenario: You come back from lunch to find a
Post-it note on your desk asking you to change a
user password to something written on the Post-
it Note.
ID Theft– New Way
Phishing / Pharming
Hijack/Skimming
On 7 October 2001. “Singer Britney Spears Killed in Car Accident”.
Due to a bug in CNN’s software, when people at the spoofed site clicked on
the “E-mail This” link, the real CNN system distributed a real CNN e-mail to
recipients with a link to the spoofed page.
With each click at the bogus site, the real site’s tally of most popular stories
was incremented for the bogus story.
Allegedly this hoax was started by a researcher who sent the spoofed story to
three users of AOL’s Instant Messenger chat software.
Within 12 hours more than 150,000 people had viewed the spoofed page.
Social Engineering Example
Social Engineering Phishing
What is Phishing?
“Fishing for personal information”
Use “spoofed” e-mails and fraudulent
websites designed to fool recipients into
divulging personal financial data such as
credit card numbers, account usernames and
passwords, social security numbers, etc.
Anti-Phishing Working Group
http://www.antiphishing.org/
Surge in phishing
Based on the survey, 57 million Americans have
been, or think they have been, the victim of a
phishing attack.
30 million were positive, Out of that pool, 11
million fell for the scams or about 19% of those
attacked.
Almost 2 million, or about 3% of those attacked,
reported that they'd actually divulged sensitive
information eg. credit-card numbers, bank
accounts, passwords, etc.
Phishers have a one in 700 chance of getting
caught.
*Gartner Group
Social Engineering
Phishing New Threat
This is a Very
Common Tactic used
to Social Engineer
personal information.
Lets walk through a
specific case
Email
Scams
Click on the Link and
you get sent to the
EBay Security
Update Page…
Or do you…
Click Here and it takes
you to Official EBay
Help
Not a Secure Website
LETS SCROLL DOWN
Email
Scams
As we Scroll Down
the Page we find out
that it needs a lot of
personal information
to verify who you are.
NEVER Give this Out to Anyone
Online
Just in case you mistyped your
password above
OK.. I can see how Ebay
Might need this info… right
???
LETS SCROLL DOWN
Just in case you thought this
might be a scam…
Email
Scams
CVV2 Code and PIN
Number to your bank
account.
Can’t Use the CreditCard
Online without this!!
If we clone your card, we
might need this as well.
Email
Scams
Lets take a look at
the email again…
How many of you
receive emails like
this on a regular
basis?
Does it look Legit?
Would it have
fooled you?
In this case, the whole message was actually an Image with the Image linked to
the malicious site, while the link in the image shows up as something legitimate.
Email
Scams
What Companies are Doing
AMERICAN EXPRESS - How to Contact American Express
about Fraudulent E-Mails
If you receive an e-mail that you believe could be fraudulent,
immediately forward it to
emailhoax@service.americanexpress.com. Please do not
forward the e-mail as an attachment. Please note that any
submissions to this email address will result in an auto-
generated reply to notify you that we have received your e-mail.
If we find it to be fraudulent, we will immediately take
appropriate action. For consumers requiring additional
assistance, please contact us at Contact American Express
http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00.
asp
Email phishing and countermeasures
Email phishing and countermeasures
How to Detect Deception
Publish your mail server addresses (to thwart spoofing)
Educate customers (and employees)
Establish online communication protocols
Create a response plan now
Proactively monitor for phishers and fraud
Make yourself a difficult target
http://www.cio.com/archive/090104/phish.html
Prevent Phishing from Fraud Watch
Never click on hyperlinks
Use Anti-SPAM filters
Use Anti-Virus Software
Use personal firewalls
Keep all software updated
Always look for https and
sites that ask for “personal
information”
Keep computer clean from
Spyware
Know Fraudulent activity on
the Internet
Check your credit report
immediately for free!
If unsure, ask!
Email phishing and countermeasures
First Phishing –
Now Ransomware
 New generation of attack use of the internet
attack for extortion "Ransomware".
 Follow-up to: phishing, pharming attacks
 It starts with hijacking or stealing user files, encrypting them (so
the user loses access to vital information), then demanding
payment in exchange for the decryption key.
 So far theses attacks are quite rare but it brings a new
dimension to the usage of the internet and a new generation of
attacks.
Phishing – Variations
 “Phishing”= social engineering
– Who: Online scammers, posing as legitimate companies or your
new best friend
– Why: They want your sensitive information (credit-card, billing-
routing, and Social Security numbers, among others)
 “Pharming”= being diverted to a fake/spoofed
website
 “Spear phishing”= spoofed email that targets
emails stolen from a company or organization
Phishing and Business Risks
Privacy
Legislative
violations
Financial
loss
Intellectual
capital
Litigation
Public
Image/Trust
Business
Risks
Credit Cards for Sale
36
Vendor Solutions abound
Anti-spam
Antivirus/
Anti-worm
Anti-phishing
Policy-based
controls
37
1st Gen:
“Look for stuff…”
Subject contains
“Viagra”
2nd Gen:
“Look smarter”
Text has “Viagra”
& “Unsubscribe”
3rd Gen:
“Go for Buzzwords”
Bayesian Filter
and Neural Nets
4th Gen:
“Mix a Cocktail”
You can’t fool all
of the filters all
of the time
But threats get more sophisticated
38
Tradeoffs false positives vs false negatives
Catch more
emails, more
false positives
Catch less
emails, fewer
false positives
FP
FN
39
User Awareness to Avoid Phishing
Caution: African shares $10 million…
Banks never ask for account info, in an e-mail
Don’t click on links suspicious e-mails
Report suspicious e-mails
D-E-L-E-T-E
Banking Technical Solutions
Anti-Phishing Laws
-Identity Theft Penalty Enhancement Act
-Aggregated Identity Theft - Defined as using a
stolen identity to commit other crimes.
-Mandatory sentencing of 2 years.
Anti-Phishing Act of 2005
-Prohibits the use of a website/email to coerce
others to divulge their personal information.
-Penalties: 5 years, $250,000 fine.
Effectiveness: Professionals vs. Amateurs
• FTC Identity Theft Website
www.consumer.gov/idtheft
• Anti-Phishing Working Group
www.antiphishing.org
• End ID Theft
www.endidtheft.com
Resources
Questions

More Related Content

What's hot

Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentationBokangMalunga
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threatsourav newatia
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Phising a Threat to Network Security
Phising a Threat to Network SecurityPhising a Threat to Network Security
Phising a Threat to Network Securityanjuselina
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Programdavidcurriecia
 
Phishing Attack Awareness and Prevention
Phishing Attack Awareness and PreventionPhishing Attack Awareness and Prevention
Phishing Attack Awareness and Preventionsonalikharade3
 
Email Security Awareness
Email Security AwarenessEmail Security Awareness
Email Security AwarenessDale Rapp
 
Phishing Attacks
Phishing AttacksPhishing Attacks
Phishing AttacksJagan Mohan
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training OpenFred Beck MBA, CPA
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingSachin Saini
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation AniketPandit18
 

What's hot (20)

Phishing
PhishingPhishing
Phishing
 
Phishing
PhishingPhishing
Phishing
 
PPT on Phishing
PPT on PhishingPPT on Phishing
PPT on Phishing
 
Anti phishing presentation
Anti phishing presentationAnti phishing presentation
Anti phishing presentation
 
Phishing attack
Phishing attackPhishing attack
Phishing attack
 
Phishing
PhishingPhishing
Phishing
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Phishing Presentation
Phishing Presentation Phishing Presentation
Phishing Presentation
 
Phising a Threat to Network Security
Phising a Threat to Network SecurityPhising a Threat to Network Security
Phising a Threat to Network Security
 
Spear Phishing Attacks
Spear Phishing AttacksSpear Phishing Attacks
Spear Phishing Attacks
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
PHISHING attack
PHISHING attack PHISHING attack
PHISHING attack
 
Phishing Attack Awareness and Prevention
Phishing Attack Awareness and PreventionPhishing Attack Awareness and Prevention
Phishing Attack Awareness and Prevention
 
Security Awareness Training by Fortinet
Security Awareness Training by FortinetSecurity Awareness Training by Fortinet
Security Awareness Training by Fortinet
 
Email Security Awareness
Email Security AwarenessEmail Security Awareness
Email Security Awareness
 
Phishing Attacks
Phishing AttacksPhishing Attacks
Phishing Attacks
 
Information Security Awareness Training Open
Information Security Awareness Training OpenInformation Security Awareness Training Open
Information Security Awareness Training Open
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 

Viewers also liked

Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesBrian Huff
 
Patent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction DesignPatent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction DesignYosuke Sakai
 
Antivirus Evasion Techniques and Countermeasures
Antivirus  Evasion Techniques and CountermeasuresAntivirus  Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasuressecurityxploded
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresAirTight Networks
 
Dstl Medical Countermeasures for Dangerous Pathogens
Dstl   Medical Countermeasures for Dangerous PathogensDstl   Medical Countermeasures for Dangerous Pathogens
Dstl Medical Countermeasures for Dangerous Pathogenswarwick_amr
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
 
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011International Atomic Energy Agency
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingpolichen
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldJason Edelstein
 
Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and CountermeasuresBone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and CountermeasuresAmerican Astronautical Society
 
Iis Security Programming Countermeasures
Iis Security Programming CountermeasuresIis Security Programming Countermeasures
Iis Security Programming Countermeasuresguestc27cd9
 
Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.Marko Kovic
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programminghybr1s
 
Designing Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows ThreatsDesigning Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows ThreatsDarwish Ahmad
 
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"Alonso Caballero
 
Google Hacking for Cryptographic Secrets
Google Hacking for Cryptographic SecretsGoogle Hacking for Cryptographic Secrets
Google Hacking for Cryptographic SecretsDr. Emin İslam Tatlı
 
Irregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData ProcessorsIrregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData ProcessorsTokyo University of Science
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 

Viewers also liked (20)

Oracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best PracticesOracle UCM Security: Challenges and Best Practices
Oracle UCM Security: Challenges and Best Practices
 
Patent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction DesignPatent Risk and Countermeasures Related to Open Management in Interaction Design
Patent Risk and Countermeasures Related to Open Management in Interaction Design
 
Antivirus Evasion Techniques and Countermeasures
Antivirus  Evasion Techniques and CountermeasuresAntivirus  Evasion Techniques and Countermeasures
Antivirus Evasion Techniques and Countermeasures
 
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And CountermeasuresSkyjacking A Cisco Wlan Attack Analysis And Countermeasures
Skyjacking A Cisco Wlan Attack Analysis And Countermeasures
 
Dstl Medical Countermeasures for Dangerous Pathogens
Dstl   Medical Countermeasures for Dangerous PathogensDstl   Medical Countermeasures for Dangerous Pathogens
Dstl Medical Countermeasures for Dangerous Pathogens
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
Table 4: Unit 4 Reactor: Fukushima Daiichi Nuclear Power Plant - 18 May 2011
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hacking
 
VoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate WorldVoIP: Attacks & Countermeasures in the Corporate World
VoIP: Attacks & Countermeasures in the Corporate World
 
Seminar Presentation
Seminar PresentationSeminar Presentation
Seminar Presentation
 
Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and CountermeasuresBone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
Bone Loss in Long-Duration Spaceflight: Measurements and Countermeasures
 
Iis Security Programming Countermeasures
Iis Security Programming CountermeasuresIis Security Programming Countermeasures
Iis Security Programming Countermeasures
 
Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.Digital Astroturfing: Definition, typology, and countermeasures.
Digital Astroturfing: Definition, typology, and countermeasures.
 
Return oriented programming
Return oriented programmingReturn oriented programming
Return oriented programming
 
Designing Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows ThreatsDesigning Countermeasures For Tomorrows Threats
Designing Countermeasures For Tomorrows Threats
 
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
Webinar Gratuito: "Herramientas Graficas en Kali Linux 2.0"
 
Google Hacking for Cryptographic Secrets
Google Hacking for Cryptographic SecretsGoogle Hacking for Cryptographic Secrets
Google Hacking for Cryptographic Secrets
 
Irregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData ProcessorsIrregularity Countermeasures in Massively Parallel BigData Processors
Irregularity Countermeasures in Massively Parallel BigData Processors
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
 

Similar to Email phishing and countermeasures

Security Breach Research Paper
Security Breach Research PaperSecurity Breach Research Paper
Security Breach Research PaperSharon Lee
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and SecurityMd Nishad
 
Spam as social engineering presentation.
Spam as social engineering presentation.Spam as social engineering presentation.
Spam as social engineering presentation.fificoco
 
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
White Paper: Social Engineering and Cyber Attacks: The Psychology of DeceptionWhite Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
White Paper: Social Engineering and Cyber Attacks: The Psychology of DeceptionEMC
 
ccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfKALPITKALPIT1
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentationpooja_doshi
 
Cognitive hacking
Cognitive hackingCognitive hacking
Cognitive hackingvishnu1236
 
WCCC Faculty Presentation
WCCC Faculty PresentationWCCC Faculty Presentation
WCCC Faculty PresentationRay Brannon
 
Identity Theft: Evolving with Technology
Identity Theft: Evolving with TechnologyIdentity Theft: Evolving with Technology
Identity Theft: Evolving with Technology- Mark - Fullbright
 
Five cyber threats to be careful in 2018
Five cyber threats to be careful in 2018Five cyber threats to be careful in 2018
Five cyber threats to be careful in 2018Ronak Jain
 

Similar to Email phishing and countermeasures (20)

Social Engineering CSO Survival Guide
Social Engineering CSO Survival GuideSocial Engineering CSO Survival Guide
Social Engineering CSO Survival Guide
 
Security Breach Research Paper
Security Breach Research PaperSecurity Breach Research Paper
Security Breach Research Paper
 
Essay On Identity Theft
Essay On Identity TheftEssay On Identity Theft
Essay On Identity Theft
 
Cyber crime
Cyber crime Cyber crime
Cyber crime
 
Cyber Crime and Security
Cyber Crime and SecurityCyber Crime and Security
Cyber Crime and Security
 
Spam as social engineering presentation.
Spam as social engineering presentation.Spam as social engineering presentation.
Spam as social engineering presentation.
 
Cyber Crime
Cyber CrimeCyber Crime
Cyber Crime
 
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
White Paper: Social Engineering and Cyber Attacks: The Psychology of DeceptionWhite Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
White Paper: Social Engineering and Cyber Attacks: The Psychology of Deception
 
ccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdfccs12-18022310494mghmgmyy3 (1).pdf
ccs12-18022310494mghmgmyy3 (1).pdf
 
Essay Identity Theft
Essay Identity TheftEssay Identity Theft
Essay Identity Theft
 
Social Engineering : To Err is Human...
Social Engineering : To Err is Human...Social Engineering : To Err is Human...
Social Engineering : To Err is Human...
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Phishing.pdf
Phishing.pdfPhishing.pdf
Phishing.pdf
 
Cognitive hacking
Cognitive hackingCognitive hacking
Cognitive hacking
 
Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015Social Engineering | #ARMSec2015
Social Engineering | #ARMSec2015
 
WCCC Faculty Presentation
WCCC Faculty PresentationWCCC Faculty Presentation
WCCC Faculty Presentation
 
Social Engineering
Social EngineeringSocial Engineering
Social Engineering
 
THE CYBER WORLD.pptx
THE CYBER WORLD.pptxTHE CYBER WORLD.pptx
THE CYBER WORLD.pptx
 
Identity Theft: Evolving with Technology
Identity Theft: Evolving with TechnologyIdentity Theft: Evolving with Technology
Identity Theft: Evolving with Technology
 
Five cyber threats to be careful in 2018
Five cyber threats to be careful in 2018Five cyber threats to be careful in 2018
Five cyber threats to be careful in 2018
 

More from Jorge Sebastiao

Real estate tokenization and blockchain
Real estate tokenization and blockchainReal estate tokenization and blockchain
Real estate tokenization and blockchainJorge Sebastiao
 
Blockchain and covid19 v3
Blockchain and covid19 v3Blockchain and covid19 v3
Blockchain and covid19 v3Jorge Sebastiao
 
Top tech shapping startups
Top tech shapping startupsTop tech shapping startups
Top tech shapping startupsJorge Sebastiao
 
Blockchain and security v3
Blockchain and security v3Blockchain and security v3
Blockchain and security v3Jorge Sebastiao
 
The road to blockchain 5.0
The road to blockchain 5.0The road to blockchain 5.0
The road to blockchain 5.0Jorge Sebastiao
 
Cyber Warfare 4TH edition
Cyber Warfare 4TH editionCyber Warfare 4TH edition
Cyber Warfare 4TH editionJorge Sebastiao
 
How AI is Disrupting Traffic Management in Smart City
How AI is DisruptingTraffic Management in Smart CityHow AI is DisruptingTraffic Management in Smart City
How AI is Disrupting Traffic Management in Smart CityJorge Sebastiao
 
Ai and traffic management application v1.0
Ai and traffic management application v1.0Ai and traffic management application v1.0
Ai and traffic management application v1.0Jorge Sebastiao
 
Practical analytics hands-on to cloud & IoT cyber threats
Practical analytics hands-on to cloud & IoT cyber threatsPractical analytics hands-on to cloud & IoT cyber threats
Practical analytics hands-on to cloud & IoT cyber threatsJorge Sebastiao
 
Dz hackevent 2019 Middle East Cyberwars V3
Dz hackevent 2019 Middle East Cyberwars V3Dz hackevent 2019 Middle East Cyberwars V3
Dz hackevent 2019 Middle East Cyberwars V3Jorge Sebastiao
 
AI HR and Future Jobs Version 2.1
AI HR and Future Jobs Version 2.1AI HR and Future Jobs Version 2.1
AI HR and Future Jobs Version 2.1Jorge Sebastiao
 
Cyber fear obstacles to info sharing-Version 2
Cyber fear obstacles to info sharing-Version 2Cyber fear obstacles to info sharing-Version 2
Cyber fear obstacles to info sharing-Version 2Jorge Sebastiao
 
Blockchain & cyber security Algeria Version 1.1
Blockchain & cyber security Algeria Version 1.1Blockchain & cyber security Algeria Version 1.1
Blockchain & cyber security Algeria Version 1.1Jorge Sebastiao
 
Datamatix GCC HR future jobs Version 1.3
Datamatix GCC HR future jobs Version 1.3Datamatix GCC HR future jobs Version 1.3
Datamatix GCC HR future jobs Version 1.3Jorge Sebastiao
 
Cyber security crypto blockchain Version 3.2
Cyber security crypto blockchain Version 3.2Cyber security crypto blockchain Version 3.2
Cyber security crypto blockchain Version 3.2Jorge Sebastiao
 
RTA AI for traffic management version 1.4
RTA AI for traffic management version 1.4RTA AI for traffic management version 1.4
RTA AI for traffic management version 1.4Jorge Sebastiao
 
IGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance ForumIGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance ForumJorge Sebastiao
 
ADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and GasADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and GasJorge Sebastiao
 
AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?Jorge Sebastiao
 
Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7Jorge Sebastiao
 

More from Jorge Sebastiao (20)

Real estate tokenization and blockchain
Real estate tokenization and blockchainReal estate tokenization and blockchain
Real estate tokenization and blockchain
 
Blockchain and covid19 v3
Blockchain and covid19 v3Blockchain and covid19 v3
Blockchain and covid19 v3
 
Top tech shapping startups
Top tech shapping startupsTop tech shapping startups
Top tech shapping startups
 
Blockchain and security v3
Blockchain and security v3Blockchain and security v3
Blockchain and security v3
 
The road to blockchain 5.0
The road to blockchain 5.0The road to blockchain 5.0
The road to blockchain 5.0
 
Cyber Warfare 4TH edition
Cyber Warfare 4TH editionCyber Warfare 4TH edition
Cyber Warfare 4TH edition
 
How AI is Disrupting Traffic Management in Smart City
How AI is DisruptingTraffic Management in Smart CityHow AI is DisruptingTraffic Management in Smart City
How AI is Disrupting Traffic Management in Smart City
 
Ai and traffic management application v1.0
Ai and traffic management application v1.0Ai and traffic management application v1.0
Ai and traffic management application v1.0
 
Practical analytics hands-on to cloud & IoT cyber threats
Practical analytics hands-on to cloud & IoT cyber threatsPractical analytics hands-on to cloud & IoT cyber threats
Practical analytics hands-on to cloud & IoT cyber threats
 
Dz hackevent 2019 Middle East Cyberwars V3
Dz hackevent 2019 Middle East Cyberwars V3Dz hackevent 2019 Middle East Cyberwars V3
Dz hackevent 2019 Middle East Cyberwars V3
 
AI HR and Future Jobs Version 2.1
AI HR and Future Jobs Version 2.1AI HR and Future Jobs Version 2.1
AI HR and Future Jobs Version 2.1
 
Cyber fear obstacles to info sharing-Version 2
Cyber fear obstacles to info sharing-Version 2Cyber fear obstacles to info sharing-Version 2
Cyber fear obstacles to info sharing-Version 2
 
Blockchain & cyber security Algeria Version 1.1
Blockchain & cyber security Algeria Version 1.1Blockchain & cyber security Algeria Version 1.1
Blockchain & cyber security Algeria Version 1.1
 
Datamatix GCC HR future jobs Version 1.3
Datamatix GCC HR future jobs Version 1.3Datamatix GCC HR future jobs Version 1.3
Datamatix GCC HR future jobs Version 1.3
 
Cyber security crypto blockchain Version 3.2
Cyber security crypto blockchain Version 3.2Cyber security crypto blockchain Version 3.2
Cyber security crypto blockchain Version 3.2
 
RTA AI for traffic management version 1.4
RTA AI for traffic management version 1.4RTA AI for traffic management version 1.4
RTA AI for traffic management version 1.4
 
IGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance ForumIGF2017 Data is new oil - UN Internet Governance Forum
IGF2017 Data is new oil - UN Internet Governance Forum
 
ADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and GasADIPEC physical and Infosec for Oil and Gas
ADIPEC physical and Infosec for Oil and Gas
 
AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?AVSEC are you flying cybersafe?
AVSEC are you flying cybersafe?
 
Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7Are we ready for IoT? VU Version 7
Are we ready for IoT? VU Version 7
 

Recently uploaded

AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfJohnCarloValencia4
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...AustraliaChapterIIBA
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKELtd
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024Stephan Koning
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsIntellect Design Arena Ltd
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.ukaroemirsr
 
Amazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the companyAmazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the companyfashionfound007
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023Steve Rader
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato pptElizangelaSoaresdaCo
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Reportamberjiles31
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfHajeJanKamps
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Onlinelng ths
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHelene Heckrotte
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..dlewis191
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsP&CO
 
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptxChapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptxesiyasmengesha
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examplesamberjiles31
 

Recently uploaded (20)

AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdfAMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
AMAZON SELLER VIRTUAL ASSISTANT PRODUCT RESEARCH .pdf
 
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
IIBA® Melbourne - Navigating Business Analysis - Excellence for Career Growth...
 
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
ISONIKE Ltd Accreditation for the Conformity Assessment and Certification of ...
 
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 Building Your Personal Brand on LinkedIn - Expert Planet-  2024 Building Your Personal Brand on LinkedIn - Expert Planet-  2024
Building Your Personal Brand on LinkedIn - Expert Planet- 2024
 
Upgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking ApplicationsUpgrade Your Banking Experience with Advanced Core Banking Applications
Upgrade Your Banking Experience with Advanced Core Banking Applications
 
Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024Borderless Access - Global Panel book-unlock 2024
Borderless Access - Global Panel book-unlock 2024
 
7movierulz.uk
7movierulz.uk7movierulz.uk
7movierulz.uk
 
Amazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the companyAmazon ppt.pptx Amazon about the company
Amazon ppt.pptx Amazon about the company
 
NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023NASA CoCEI Scaling Strategy - November 2023
NASA CoCEI Scaling Strategy - November 2023
 
Plano de marketing- inglês em formato ppt
Plano de marketing- inglês  em formato pptPlano de marketing- inglês  em formato ppt
Plano de marketing- inglês em formato ppt
 
Project Brief & Information Architecture Report
Project Brief & Information Architecture ReportProject Brief & Information Architecture Report
Project Brief & Information Architecture Report
 
PDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdfPDT 88 - 4 million seed - Seed - Protecto.pdf
PDT 88 - 4 million seed - Seed - Protecto.pdf
 
Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024Borderless Access - Global B2B Panel book-unlock 2024
Borderless Access - Global B2B Panel book-unlock 2024
 
To Create Your Own Wig Online To Create Your Own Wig Online
To Create Your Own Wig Online  To Create Your Own Wig OnlineTo Create Your Own Wig Online  To Create Your Own Wig Online
To Create Your Own Wig Online To Create Your Own Wig Online
 
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptxHELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
HELENE HECKROTTE'S PROFESSIONAL PORTFOLIO.pptx
 
Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..Team B Mind Map for Organizational Chg..
Team B Mind Map for Organizational Chg..
 
Entrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizationsEntrepreneurship & organisations: influences and organizations
Entrepreneurship & organisations: influences and organizations
 
Investment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV IndustriesInvestment Opportunity for Thailand's Automotive & EV Industries
Investment Opportunity for Thailand's Automotive & EV Industries
 
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptxChapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
Chapter_Five_The_Rural_Development_Policies_and_Strategy_of_Ethiopia.pptx
 
Intellectual Property Licensing Examples
Intellectual Property Licensing ExamplesIntellectual Property Licensing Examples
Intellectual Property Licensing Examples
 

Email phishing and countermeasures

  • 1. Email Phishing and Countermeasures Email Security jorge.sebastiao@its.ws
  • 2. May 2006 – Veterans Administration laptop with personal information on 26.5M veterans is stolen. “Total losses could top $500M.” – VA Secretary Nicholson Jan 2007- Hackers stole data from at least 45.7 million credit and debit cards at retailer T.J.Maxx – total costs could exceed $1.0B May 2006 – CIO, CSO fired Ohio University 137,000 student accounts compromised
  • 3. Why Does This Happen? Firewall IDS Anti-Virus Attack
  • 4. ATM is also a type of Phishing
  • 5. Can you spot a “Social Engineer”? Phishing is Social Engineering
  • 6. Social Engineering What is Social Engineering? “An attempt to influence a person into granting unauthorized access, unauthorized use or unauthorized disclosure of an information system, network or data. Modifying system configuration.” “How to blunt the socially engineered hack” by Michael Casper (http://www.computerworld.com/cwi/community/story/0,3201,NAV6 5-663_STO65473,00.html)
  • 7. Social Engineering … 70 percent of those asked said they would reveal their computer passwords for a … Schrage, Michael. 2005. Retrieved from http://www.technologyreview.com/articles/05/03/issue/review_password.asp?p=1 Bar of chocolate
  • 8. Social Engineering Methods of Social Engineering Information Gathering Information Planting Email Scams Masquerading Dumpster-diving Help desk/Support areas Receptionist/Administrative areas Launching attack
  • 9. Vulnerability in People Cause: A large growing population of internet illiterate users are using internet email and other user friendly applications. Threat: Illiteracy in how the internet works and its threats allows miscreants to attack a network or person through social engineering. This is the fastest growing method of hacking we have seen. Human nature is that people are trusting, even those things which may be false.
  • 10. Social Engineering – Information Gathering Scenario #1 – YOU: How many of you have provided personal information online or over the phone to a vendor or service? Personal Information May Include Social Security Number (or just the last 4 digits) First, Middle, Last names – Maiden Name Mothers Maiden Name Address, Phone Number Email Address? Credit Card Number – CVV2 Code ATM PIN Code Passwords you may use elsewhere
  • 11. Social Engineering – Information Gathering Scenario #1 - YOU: Was that information sent securely? Will it be shared with someone else? Was it compromised? Scenario #2 – SOMEONE ELSE: Have you ever asked for personal information and been offered that information freely or without much effort?
  • 12. Social Engineering – Information Gathering Example: How many of you would provide personal information to someone who called you on the phone? Over the Internet? Social Engineering is an art, basically the art of listening and lying at the same time, while seemingly having a typical conversation. Read More: The Art of Deception – Kevin Mitnick
  • 13. Social Engineering – Information Planting Scenario: You come back from lunch to find a Post-it note on your desk asking you to change a user password to something written on the Post- it Note.
  • 14. ID Theft– New Way Phishing / Pharming Hijack/Skimming
  • 15. On 7 October 2001. “Singer Britney Spears Killed in Car Accident”. Due to a bug in CNN’s software, when people at the spoofed site clicked on the “E-mail This” link, the real CNN system distributed a real CNN e-mail to recipients with a link to the spoofed page. With each click at the bogus site, the real site’s tally of most popular stories was incremented for the bogus story. Allegedly this hoax was started by a researcher who sent the spoofed story to three users of AOL’s Instant Messenger chat software. Within 12 hours more than 150,000 people had viewed the spoofed page. Social Engineering Example
  • 17. What is Phishing? “Fishing for personal information” Use “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. Anti-Phishing Working Group http://www.antiphishing.org/
  • 18. Surge in phishing Based on the survey, 57 million Americans have been, or think they have been, the victim of a phishing attack. 30 million were positive, Out of that pool, 11 million fell for the scams or about 19% of those attacked. Almost 2 million, or about 3% of those attacked, reported that they'd actually divulged sensitive information eg. credit-card numbers, bank accounts, passwords, etc. Phishers have a one in 700 chance of getting caught. *Gartner Group
  • 21. This is a Very Common Tactic used to Social Engineer personal information. Lets walk through a specific case Email Scams
  • 22. Click on the Link and you get sent to the EBay Security Update Page… Or do you… Click Here and it takes you to Official EBay Help Not a Secure Website LETS SCROLL DOWN Email Scams
  • 23. As we Scroll Down the Page we find out that it needs a lot of personal information to verify who you are. NEVER Give this Out to Anyone Online Just in case you mistyped your password above OK.. I can see how Ebay Might need this info… right ??? LETS SCROLL DOWN Just in case you thought this might be a scam… Email Scams
  • 24. CVV2 Code and PIN Number to your bank account. Can’t Use the CreditCard Online without this!! If we clone your card, we might need this as well. Email Scams
  • 25. Lets take a look at the email again… How many of you receive emails like this on a regular basis? Does it look Legit? Would it have fooled you? In this case, the whole message was actually an Image with the Image linked to the malicious site, while the link in the image shows up as something legitimate. Email Scams
  • 26. What Companies are Doing AMERICAN EXPRESS - How to Contact American Express about Fraudulent E-Mails If you receive an e-mail that you believe could be fraudulent, immediately forward it to emailhoax@service.americanexpress.com. Please do not forward the e-mail as an attachment. Please note that any submissions to this email address will result in an auto- generated reply to notify you that we have received your e-mail. If we find it to be fraudulent, we will immediately take appropriate action. For consumers requiring additional assistance, please contact us at Contact American Express http://www10.americanexpress.com/sif/cda/page/0,1641,21372,00. asp
  • 29. How to Detect Deception Publish your mail server addresses (to thwart spoofing) Educate customers (and employees) Establish online communication protocols Create a response plan now Proactively monitor for phishers and fraud Make yourself a difficult target http://www.cio.com/archive/090104/phish.html
  • 30. Prevent Phishing from Fraud Watch Never click on hyperlinks Use Anti-SPAM filters Use Anti-Virus Software Use personal firewalls Keep all software updated Always look for https and sites that ask for “personal information” Keep computer clean from Spyware Know Fraudulent activity on the Internet Check your credit report immediately for free! If unsure, ask!
  • 32. First Phishing – Now Ransomware  New generation of attack use of the internet attack for extortion "Ransomware".  Follow-up to: phishing, pharming attacks  It starts with hijacking or stealing user files, encrypting them (so the user loses access to vital information), then demanding payment in exchange for the decryption key.  So far theses attacks are quite rare but it brings a new dimension to the usage of the internet and a new generation of attacks.
  • 33. Phishing – Variations  “Phishing”= social engineering – Who: Online scammers, posing as legitimate companies or your new best friend – Why: They want your sensitive information (credit-card, billing- routing, and Social Security numbers, among others)  “Pharming”= being diverted to a fake/spoofed website  “Spear phishing”= spoofed email that targets emails stolen from a company or organization
  • 34. Phishing and Business Risks Privacy Legislative violations Financial loss Intellectual capital Litigation Public Image/Trust Business Risks
  • 37. 37 1st Gen: “Look for stuff…” Subject contains “Viagra” 2nd Gen: “Look smarter” Text has “Viagra” & “Unsubscribe” 3rd Gen: “Go for Buzzwords” Bayesian Filter and Neural Nets 4th Gen: “Mix a Cocktail” You can’t fool all of the filters all of the time But threats get more sophisticated
  • 38. 38 Tradeoffs false positives vs false negatives Catch more emails, more false positives Catch less emails, fewer false positives FP FN
  • 39. 39 User Awareness to Avoid Phishing Caution: African shares $10 million… Banks never ask for account info, in an e-mail Don’t click on links suspicious e-mails Report suspicious e-mails D-E-L-E-T-E
  • 41. Anti-Phishing Laws -Identity Theft Penalty Enhancement Act -Aggregated Identity Theft - Defined as using a stolen identity to commit other crimes. -Mandatory sentencing of 2 years. Anti-Phishing Act of 2005 -Prohibits the use of a website/email to coerce others to divulge their personal information. -Penalties: 5 years, $250,000 fine. Effectiveness: Professionals vs. Amateurs
  • 42. • FTC Identity Theft Website www.consumer.gov/idtheft • Anti-Phishing Working Group www.antiphishing.org • End ID Theft www.endidtheft.com Resources