CYBER SECURITY-PHISHING: DON’T BECOME A VICTIM OF EMAIL FRAUD

91% Of Targeted Attacks Start With Spear-phishing Email Did You Know... 91% Of Targeted Attacks Start With Spear-phishing Email The word phishing comes from the analogy that Internet scammers are using e-mail lures to fish for passwords and financial data from the sea of Internet users. The term was coined in 1996 by hackers who were stealing AOL Internet accounts by scamming passwords from unsuspecting users. Since hackers have a tendency to replacing "f" with "ph" the term phishing was derived.

SPEAR PHISHING The Phish appears to be legitimately addressed from someone within that company in a position of trust and request information such as login ID’s and passwords. Spear phishing scams will often appear to be from a company’s own human resources or technical support division and may ask employees to update their username and passwords. Once hackers get this data, they can gain entry into secured networks. Another type of spear phishing attack will ask users to click on a link, which deploys spyware that can steal data.

WHAT IS PHISHING? (fish’ing) (n) The act of sending an email to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. directs the user to visit a web site update personal information (passwords, credit card, social security and bank account numbers)

PHISHING TECHNIQUES Official looking and sounding emails Copies legitimate corporate emails with minor URL changes Standard virus/worm attachments to emails IP addresses instead of domain names in hyperlinks Setting up fake web sites that closely mimic the domain name of the target website.

3 THINGS TO REMEMBER YOU have to do something to be attacked! NEVER click on “Click Here” or embedded links! NEVER give personal information over internet!

TIPS TO HELP YOU RECOGNIZE PHISHING SCAMS AND FRAUDULENT EMAIL Generic greeting From and return path don’t match Insecure site-look for https:// Requests personal information Sense of urgency Spelling errors Poor grammar Forged link-beware of the @ symbol in the URL Warns that you’ve been a victim of fraud Rule of thumb: Anytime you are asked for personal information, it is a scam

Source: http://www.sonicwall.com/furl/phishing/phishing-quiz-question.php

Other Phishing Scams The "Nigerian" Scam: Costly Compassion 1997-Secret Service confirmed losses just in the US of over 100 million dollars in 15 months Help! I'm Stuck in London and I've Been Robbed! Fake FBI E-mails Seeking Personal Information Work-From-Home Scams Dormant African Account

“HELP, IT’S ME” -----Original Message----- From: C. McGarrett; cmcgarrettfiveo@yahoo.com to: undisclosed recipients: ; Sent: Fri, Sep 2, 2011 7:25 am Subject: It's urgent, please respond It’s me, I really don't mean to inconvenience you right now. I made a little trip to Scotland, and misplaced my wallet that contains my passport and credit cards. Just hearing from me like this, sounds a little odd, but it all happened very fast. I've just been issued a temporary passport and also my ticket, but I'm short of funds to pay for the bills here. I've also been trying to reach my credit card company, but from the message I just received, I'll need some verifications like answering my home phone, and that will only happen when I'm home. Please, can you lend me some funds to secure the bills? I'll be willing to pay back as soon as I return. Please respond as soon as you get this message, so I can forward my details to send the money via western union or money gram, you can also contact me via the hotel's desk phone. The numbers are, 011448717947613, +448717947613 Looking forward to your response.   In HIS Service and Yours, Christian McGarrett Police Detective Sergeant and State Criminal Investigator http://www.identitytheftsecrets.com/identity-theft-secrets-readers-true-crime-story-traveling-email-scam

Phishing Facts 6.1 Billion - Number of phishing e-mails sent world-wide each month $1,200 - Average loss to each person successfully phished (Federal Trade Commission) 15,451 - Number of unique phishing attacks in January 2006 (Anti-Phishing Working Group) 7,484 - Number of phishing Web sites found in January 2006 (Anti-Phishing Working Group) 27,221 - Number of phishing Web sites found in January 2007 (Anti-Phishing Working Group) Source: http://www.sonicwall.com/furl/phishing/

USE COMMON SENSE – YOU need to do something to be attacked Why would a perfect stranger pick YOU-also a perfect stranger-to share a fortune with and why would you share your personal or business information, including your bank account numbers , with someone you don’t know? If it sounds too good to be true….IT IS!

WHAT CAN I DO TO PREVENT PHISHING? Keep all software updated , especially anti-virus Stay away from shady websites Do not respond to suspicious email and do not click on any links within the email Only open email attachments if you're expecting them If you get ERROR when making purchase-DO NOT CONTINUE LOG OFF – Don’t just close browser If doing private transaction, CLOSE TABS – Every open tab allows access to others. YOU initiate connection /communication – Don’t click on link to get there Call company by phone if you get a suspicious email but DO NOT call the phone number in the email Remove programs you don’t need Reboot occasionally

E-mail client configuration YOU control what you download Do NOT auto execute anything Do NOT automatically download HTML graphics or content Do NOT display graphics in message Do NOT allow executable html content Turn OFF Attachment Preview If NOT sure configure to “WARN ME BEFORE” You can control drive-by scripts running across the screen

DISABLE PASSWORD OPTIONS

WHAT TO DO IF YOU RECEIVE A SUSPICIOUS EMAIL DO NOT respond to the email DO NOT CLICK ON A LINK IN AN EMAIL unless you are sure of the real target address. (Hover mouse over link and compare to email header—very close but does not match.) NEVER reveal personal or financial information in a response to an email request, no matter who appears to have sent it. D-E-L-E-T-E the email

WHAT TO DO IF YOU’VE RESPONDED TO A PHISHING SCAM: Report the incident -FTC, FBI, Secret Service, UNM IT Services Change the passwords on all your online accounts Routinely review your credit card and bank statements Use the latest products and services to help warn and protect you from online scams (Antivirus software can only protect you from known viruses.) protect you from known viruses.)

If you think you have been a victim of a phishing scam or want further information, please contact Deb Kuidis at 277-0732 or dkuidis@unm.edu. http://research.unm.edu/industrialsecurity/