Presentation on theme: "Texas Christian University Technology Resources EMAIL SECURITY." Presentation transcript:
Texas Christian University Technology Resources: EMAIL SECURITY
TCU Information Security Services. Overview: Phishing; Spam; Spoofing; Attachments; Best Practices; Data Protection.
Phishing: Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information. Typically you will receive an email that appears to be from a legitimate business or organization asking for verification of personal or financial information.
Wikipedia: Social engineering is the art of manipulating people into performing actions or divulging information. CERT: …an attacker uses human interaction (social skills) to obtain or compromise information.
Phishing: Information asked for in a phishing email may include: Username, userid, id, identity; Password; Social security number; Birthdate. Or there may just be a link to click on that takes you to an official-looking web site to enter information.
Spear Phishing: A highly targeted version of a phishing scam is spear phishing. A spear phishing message may look like it is coming from your employer or computer help desk.
Vishing: Voice Over Internet Protocol (VoIP) enables phone calls over the web. For criminals this makes it easy to fake real numbers and create phony automated customer service lines. They can't be traced. Vishing Scheme 1: You get a phishing email with a phone number to call, where you are asked for information. Vishing Scheme 2: You get a phone call directing you to take action to protect an account.
Smishing: Phishing fraud sent via SMS (Short Message Service) text messaging. Emerging as a new threat to cell phone users. Examples: A text message contains a web site hyperlink which, if clicked, will download a Trojan horse to the phone. A text message informs you that your bank account has been frozen and tells you to call a phone number to unlock it; an automated (bogus) phone system asks for account number, SSN and PIN.
Recent Phishing at TCU: Link manipulation. Spoofed email. TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you log in or enter your username and password.
Fake Website: Look between the first double // and the first single /; that's NOT TCU. Notice no https.
Real Website: https://my.is.tcu.edu/psp/pa9prd/?cmd=login. That is TCU. Secure.
Another TCU Phishing: Link manipulation.
Fake Website: Look between the first double // and the first single /; that's NOT TCU. No https.
Real: https://mobile.tcu.edu/owa/auth/logon.aspx. That is TCU. Secure.
And Another TCU: False urgency. Don't give out your username or password! TCU Technology Resources, including the Help Desk, will NEVER ask for your password – in an email, over the phone or in person! Misspellings of simple words.
Phishing Example – Financial Institution: False urgency, designed to get you to act without thinking. False credibility. Untraceable phone number. More false urgency. Spoofed web address. Lack of personal greeting.
Phishing Example – Lottery Scam: Foreign lottery scams are common. You won – but did you play? If it sounds too good to be true, it usually is.
Phishing Example – IRS Scam: The IRS web site clearly states that it will not initiate taxpayer communications through email. False credibility. False urgency. Links to spoofed web site.
Links in emails: Approach links in an email with caution. They might look genuine, but they could be forged. Copy and paste the link to your web browser. Type in the address yourself. Or even Google the company and go to their website from the search results. Avoid being Phished!
Avoid being Phished (continued): Learn to spot non-legitimate web sites. Look at the address between the // and the first /; it should end with the company you expect. Fake: Real: https://mobile.tcu.edu/owa/auth/logon.aspx… Is it secure? https in the address. Yellow lock icon.
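The host and https checks from this slide, applied to every link in an HTML message, as an added example that is not part of the TCU presentation. The function names, the SAMPLE message and its .example hosts are constructed for illustration; the code also compares the visible link text with the real target, the link manipulation pointed out on the earlier slides.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED = "tcu.edu"  # the organization the reader expects (from the slides)
def host_of(url):
    """Host = the part between '//' and the first '/', minus any user@ and :port."""
    return (urlsplit(url.strip()).hostname or "").lower().rstrip(".")

def check_link(href, text="", domain=EXPECTED):
    """Return the reasons a link is suspicious; an empty list means it passes."""
    reasons, parts, host = [], urlsplit(href.strip()), host_of(href)
    if parts.scheme.lower() != "https":
        reasons.append("no https")
    # Must match on a label boundary: 'tcu.edu.example' and 'nottcu.edu' fail.
    if host != domain and not host.endswith("." + domain):
        reasons.append("host does not end with " + domain)
    # Link manipulation: the visible text shows one address, the href another.
    words = text.split()
    if len(words) == 1 and "." in words[0]:
        shown = host_of(words[0] if "//" in words[0] else "//" + words[0])
        if shown and shown != host:
            reasons.append("text shows " + shown + " but link goes to " + host)
    return reasons

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def audit_email(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    return {href: check_link(href, text) for href, text in collector.links}

# Constructed sample message; the .example hosts are placeholders, not real sites.
SAMPLE = """<p>Your mailbox is full.
<a href="http://my.is.tcu.edu.webmail.example/login">https://my.is.tcu.edu/psp/pa9prd/?cmd=login</a>
<a href="https://my.is.tcu.edu/psp/pa9prd/?cmd=login">Real portal</a>
<a href="https://mobile.tcu.edu@portal.example/owa/">Mobile mail</a></p>"""
```

An https scheme only says the connection is encrypted; the host check is the one that says whose site it is, so a link has to pass both.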
Avoid being Phished (continued): Greet email or phone calls seeking personal information with skepticism. If you think it may be legitimate, call the customer service number provided when the account was opened. Be leery of alarming statements that urge you to respond immediately. Do NOT reply to phishing emails.
Avoid being Phished (continued): TCU Technology Resources, including the computer help desk and information security services, will NEVER ask you for your password via email, the phone or in person. When TCU upgrades its computer or email systems we will NEVER send a link inside an email which will go to a website requesting that you log in or enter your username and password.
Phishing Scams Game: Play the Phishing Scam Game. scams.aspx
Spam: Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients. What for? Advertising goods and services (often of a dubious nature); quasi-charity appeals; financial scams; chain letters; phishing attempts; spreading malware and viruses.
Origins of the term "Spam": WWII England: Spam was the only meat not rationed. Monty Python skit: every item on the menu includes Spam; Vikings drown out dialogue by repeating SPAM, SPAM, SPAM, SPAM. 1980s: in early internet chat rooms, quotes from the skit were used repeatedly to drive out newcomers or invade rival chat rooms (Star Wars/Star Trek). In 1993 the term Spam was used on Usenet to mean excessive multiple postings of the same message. In 1998 the new meaning was included in the New Oxford Dictionary of English.
What to do with Spam: Do not open email that is obviously Spam. If you do open junk mail, do not click on any links, including a link that claims it will remove you from the list; spammers use this to verify that you have a live address. Use a disposable email address – set up a Yahoo or Gmail account to use on the web. Send spam to Send as an attachment. End User Quarantine reduces the amount of Spam received.
How to send as attachment: In Outlook 2007: from the Inbox, click to select the message; from the menu choose Actions, Forward as Attachment. In Entourage 2004 for Mac OSX: from the Inbox, click to select the message; from the menu choose Message, Forward as Attachment.
Spoofing: Email appears to be from a friend, colleague or yourself, but the subject and text are obviously not something you or they would send. Spoofing is a way of sending counterfeit email using stolen addresses.
Spoofing (continued): Favorite technique of spammers and phishers. How do they steal addresses? They write programs that gather addresses from websites, discussion boards and blogs. Also, worms and viruses collect addresses from address books they infect. What can you do? Nothing to prevent spoofing. Just be aware and never fully trust the From field of an email.
Attachments: Computer viruses and other malicious software are often spread through attachments. If a file attached to an email contains a virus, it is often launched when you open (or double-click) the attachment. Don't open attachments unless you know whom it is from and you were expecting it.
Should You Open that Attachment? If it is suspicious, do not open it! What is suspicious? Not work-related. The email containing the attachment was not addressed to you, specifically, by name. Incorrect or suspicious filename. Unexpected attachments. Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx). Unusual topic lines: Your car?; Oh!; Nice Pic!; Family Update!; Very Funny!
Best Practices: Use the BCC field when sending to large distribution lists: it protects recipients' addresses and prevents Reply to All issues. Avoid use of large distribution lists unless there is a legitimate business purpose, e.g., the All Faculty/Staff list; use TCU Announce instead. Beware of the Reply to All button. Don't forward chain letters.
BCC Field: In Office 2007: in a new mail message select Options, Show BCC. In Entourage 2004 for OSX: the Bcc field is visible when you start a new message.
Data Protection: Do Not Email Unencrypted Sensitive Personal Information (SPI). On-campus – encrypt or use shared drive instead. Digital ID: Allows you to digitally sign and encrypt email. Required for sender and recipient. to WinZip version 10 and above – create encrypted archive to send in email. Office allows AES encryption. Email password separately!
What is SPI? Sensitive Personal Information (SPI): Defined as an individual's name, address, or telephone number combined with any of the following: Social security number or taxpayer ID number; Credit or debit card number; Financial/salary data; Driver's license number; Date of birth; Medical or health information protected under HIPAA; Student related data protected under FERPA.
Resources: TCU Computer Help Desk. Location: Mary Couts Burnett Library, first floor. Information Security Services: https://Security.tcu.edu