Texas Christian University Technology Resources Email Security Texas Christian University Technology Resources In this online training video I will talk about Email Security.

Overview Phishing Spam Spoofing Attachments Best Practices Data Protection First I will discuss Phishing, what it is and how to avoid it. Next I will talk about Spam – why we get spam and what we can do about it. Then I will look at why we should be wary of attachments and links in email. Best Practices to protect yourself and others when using email will be discussed. Finally we will talk about why we shouldn’t email unencrypted sensitive personal information and how we can go about safely transmitting SPI via email. TCU Information Security Services

Phishing Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information. Typically you will receive an email that appears to be from a legitimate business or organization asking for verification of personal or financial information. Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information. What is social engineering….. A phishing email usually appears to be from a legitimate business or organization asking for verification of personal or financial information. Often there will be urgent and alarming statements of consequences if you don’t respond immediately. TCU Information Security Services

Wikiopedia: “Social engineering is the art of manipulating people into performing actions or divulging information.” CERT: “…an attacker uses human interaction (social skills) to obtain or compromise information.” Wikopedia defines it as “the art of manipulating people into performing actions or divulging information.” CERT – which is the United States Computer Emergency Readiness Team (part of Homeland Security) – says that social engineers use human interaction or social skills to obtain or compromise information. Some say that the Human Element is the weakest link in information security. (Return to previous page) TCU Information Security Services

Phishing Email Information asked for in a phishing email may include: Username, userid, email id, email identity Password Social security number Birthdate Or there may just be a link to click on that takes you to an official looking web site to enter information. A phishing email may ask for information such as your username, password, social security number, bank or credit card account number, your birthday, even your mother’s maiden name. Or, the email may just simply have a link to click on that will take you to an official looking web site where you will be asked to enter in personal or financial information. TCU Information Security Services

Phishing techniques Link manipulation Spoofed website Website forgery Technical deception designed to make a link in an email and the spoofed website it leads to, appear to belong to the spoofed organization. Spoofed website Looks almost exactly like the real thing Website forgery A spoofed website that uses JavaScript to alter the address bar to appear legitimate. Filter evasion Misspelled words and images instead of text are used to evade anti- phishing filters. A little bit more about the techniques used by phishers. Link manipulation is one method that uses technical deception to make a link look real. When you click on the link, it will take you to a spoofed website. A spoofed website is setup to look exactly like the real web site – so if you are used to logging into your bank, and you feel like you know what the bank web site looks like, if you click on a link in an email supposedly from your bank that takes you to a website that looks identical, you may enter in your username and password and then the phishers have access to your bank account. Your only clue might be that the URL is different, although with new techniques such as Website Forgery – that may also appear the same. With Website Forgery they use JavaScript to disguise the address bar to appear secure. Many organizations have begun using email filters to reduce phishing emails and spam. Here at TCU we have the End User Quarantine. So, phishers use Filter evasion techniques such as misspelled words and using images instead of text to evade the filters. TCU Information Security Services

Spear Phishing A highly targeted version of a phishing scam is “spear phishing.” A spear phishing message may look like it is coming from your employer or computer help desk. Spear Phishing is a highly targeted version of phishing. A spear phishing message may appear to come from a trusted source such as your employer or the computer help desk and it may seem that the information requested is not out of the realm of possibilities. The relative success of spear phishing relies upon the details used: The apparent source is a known and trusted, information within the message supports its validity, and the request seems to have a logical basis. TCU Information Security Services

Vishing Voice Over Internet Protocol (VoIP) enables phone calls over the web. For criminals this makes it easy to fake real numbers and create phony automated customer service lines. They can’t be traced. Vishing Scheme 1: You get phishing email with phone number to call where you are asked for information. Vishing Scheme 2: You get phone call directing you to take action to protect an account. Another form of phishing is Vishing. Voice Over Internet Protocol technology enables phone calls over the web. Criminals use this to setup phone numbers and phony automated customer service lines. These numbers cannot be traced. So – you may be a phishing email that contains a phone number to call. When you call, you are asked for personal or financial information. Or – you may get a phone call – maybe in the middle of the night – indicating that suspicious activity has taken place on an account. You are then asked to verify your identity with account information. TCU Information Security Services

Smishing Phishing fraud sent via SMS (Short Message Service) text messaging. Emerging as new threat to cell phone users. Examples Text message received contains web site hyperlink which if clicked will download Trojan horse to phone. Text message informing you that your bank account has been frozen. Call a phone number to unlock – automated (bogus) phone system asks for account number, ssn and pin. TCU Information Security Services

Recent Phishing Email at TCU Spoofed email Link manipulation TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you login or enter your username and password.

Look between first double // and first single / - that’s NOT TCU Fake Website http://ip-mediation.net/TCU/ Notice no https Look between first double // and first single / - that’s NOT TCU

Real Website https://my.is.tcu.edu/psp/pa9prd/?cmd=login That is TCU Secure That is TCU

Another TCU Phishing Email Link manipulation

Look between first double // and first single / - that’s NOT TCU Fake Website http://www.1025.ru/js/mail.tcu.edu No https Look between first double // and first single / - that’s NOT TCU

Real https://mobile.tcu.edu/owa/auth/logon.aspx Secure That is TCU

And Another TCU Email False urgency TCU Technology Resources, including the Help Desk, will NEVER ask for your password – in an email, over the phone or in person! False urgency Misspellings of simple words Don’t give out your username or password! This is a spear phishing email received recently at TCU. It looks like it comes from Technology Resources and it sounds like your email account will be closed if you don’t respond. There is once again, a false sense of urgency. Notice the misspelling of words – this is frequently seen in phishing emails . This email asks for Username and password. TCU Technology Resources, including the Help Desk or Information Security Services, will NEVER ask for your password – in an email, over the phone or in person. TCU Information Security Services

Phishing Example – Financial Institution False urgency defined to get you to act without thinking. False credibility Lack of personal greeting Untraceable phone number More false urgency So lets look at some examples of phishing emails and then we’ll discuss other ways that you can protect yourself. This first example is supposedly from Wachovia Bank. The first thing to note is that the phishers have established a false sense of urgency in the subject line – Account Update Alert!!! – they are trying to get you to act without thinking. Notice that they have used the Wachovia bank’s banner that was probably copied and pasted from their website. This gives a false sense of credibility. A lack of personal greeting is a good clue (although not a guarantee) that this is a phishing email. Most likely the phone number is untraceable and if you called it would be greeted by a phony customer service representative. In the text we again see an alarming message meant to give us a sense of urgency to respond. And finally, the web addressed is forged and takes us to a spoofed web site. Spoofed web address TCU Information Security Services

Phishing Eample – Lottery Scam Foreign lottery scams are common You won – but did you play? If it sounds too good to be true, it usually is. This example is a foreign lottery scam, which are relatively common. If you get an email like this you need to ask yourself – why did I win – I don’t remember even playing? And remember – if it sounds too good to be true, it probably is! TCU Information Security Services

Phishing Example – IRS Scam IRS web site clearly states that it will not initiate taxpayer communications through email. False credibility This past spring many people got this IRS phishing email. Notice the official looking letterhead giving us a false sense of credibility. Also notice the False urgency in the paragraph stating that your refund may be delayed if you don’t respond quickly. The link leads to a spoofed web site that looks like an IRS web site asking for information including social security number. Please note – the real IRS web site clearly states that it will not initiate taxpayer communications through email. False urgency Links to spoofed web site. TCU Information Security Services

Avoid being Phished! Links in Emails Approach links in an email with caution. They might look genuine, but they could be forged. Copy and paste the link to your web browser. Type in the address yourself. Or even Google the company and go to their website from the search results.

Avoid being Phished (continued) Learn to spot non-legitimate web sites Look at the address between the // and the first / - it should end with the company you expect Fake: http://www.1025.ru/js/mail.tcu.edu Real: https://mobile.tcu.edu/owa/auth/logon.aspx… Is it secure? https in the address Yellow lock icon In addition to Attachments – you should be very cautious about Links in Emails. As mentioned previously, they may look real but could be easily forged. Make a habit of NOT clicking on links in emails – whether you know they are legitimate or not. You can copy and paste the link from the email to the address bar of your web browser. You can also type in the address yourself. Or you can even google the company or organization and go to their website from the search results. TCU Information Security Services

Avoid being Phished (continued) Greet email or phone calls seeking personal information with skepticism. If you think it may be legitimate, call customer service number provided when account was opened. Be leery of alarming statements that urge you to respond immediately. Do NOT reply to phishing emails. So how can we protect ourselves from Phishing? First, be skeptical when you are asked from personal information in emails or over the phone. If there is a possibility that it might be legitimate, locate the customer service number provided when you setup the account and call them. Be wary of alarming statements that urge you to respond immediately. If you think you have received a phishing email, do not reply to it. If there is a link in an email that might be legitimate, do not click on the link. Copy and paste it into your web browser. TCU Information Security Services

Avoid being Phished (continued) TCU Technology Resources, including the computer help desk and information security services will NEVER ask you for your password via email, the phone or in person. When TCU upgrades its computer or email systems we will NEVER send a link inside an email which will go to a website requesting that you login or enter your username and password. If you do respond to a phishing email with TCU account information, you will compromise your network and email account as well as all of TCU’s email system. The TCU spear phishing email received recently was responded to by a couple of people. Their accounts were immediately hacked into and from their email accounts the phishers sent thousands of phishing emails out across the country and the world. This caused other organizations to adjust their anti-phishing filters to exclude our emails (phishing emails and the legitimate emails). Our emails are back off the anti-phishing filters now, but we want to avoid this in the future. So, it is important to remember -- Technology Resources will never, ever ask you for your password, in email, over the phone or in person. TCU Information Security Services

Phishing Scams Game Play the Phishing Scam Game http://www.onguardonline.gov/games/phishing- scams.aspx TCU Information Security Services

Spam Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients. What for? Advertising goods and services (often of a dubious nature) Quasi-charity appeals Financial scams Chain letters Phishing attempts Spread malware and viruses Spam is junk email. It is sent indiscriminately and anonymously sent to huge numbers of recipients. Why do we get spam – it is economically viable. The costs are low to the advertisers so the volume of unsolicited mail has become very high. One estimate I heard recently is that 1 in 28 email messages sent over the internet is legitimate. That means the other 27 are not! What are we getting in spam? They are advertising goods and services – often of a dubious nature – We get charity appeals - again, of dubious nature. There are Financial Scams and Chain Letters. Spam may be phishing attempts and may also spread malware and viruses. Research shows that there is an extremely low response rate to spam, but the volume is so high that it is still very profitable for the spammers. However – the overall spam related corporate costs are estimated to be $200 billion in 2007! TCU Information Security Services

Origins of the term "Spam" WWII England Spam was only meat not rationed. 1970 Monty Python skit: http://www.youtube.com/watch?v=anwy2MPT5RE Every item on the menu includes Spam Vikings drown out dialogue by repeating SPAM, SPAM, SPAM, SPAM 1980’s – in early internet Chat rooms quotes from the skit were used repeatedly to drive out newcomers or invade “rival” chat rooms (Star Wars/Star Trek) In 1993 the term Spam was used on Usenet to mean excessive multiple postings of the same message. In 1998 the new meaning was included in the New Oxford Dictionary of English. A little bit about the origins of the term Spam As you know, spam is a canned lunch meat. During WWII in England, it was the only meat not rationed. Thus there was lots of spam on the menu. You may have heard about the famous 1970 Monty Python Spam skit . If you’ve never seen it be sure to check it out – a link to it on YouTube is displayed. During the skit, every item on the menu includes Spam and as the waiter recites the spam filled menu a chorus of Vikings drown out the dialogue with a song repeating SPAM over and over. In early internet chat rooms in the 1980’s quotes from the Monty Python skit were used repeatedly to scroll unwanted newcomers text off the screen and were used t6o prevent members of rival groups (such as the Star Wars and Star Trek groups) from chatting. The actual term “Spam” was used in 1993 on Usenet to mean excessive multiple postings of the same message in several if not all newsgroups. Finally, in 1998 the term Spam was added to the New Oxford Dictionary. TCU Information Security Services

What to do with Spam Do not open email that is obviously Spam. If you do open junk mail, do not click on any links. Including a link that claims it will remove you from the list. Spammers use this to verify that you have a “live” email address. Use “disposable email address” – setup a yahoo or gmail account to use on the web. Send spam to spamfeedback@tcu.edu. Send as an attachment. End User Quarantine reduces amount of Spam received. So what do we do with all this Spam? First, if you get an email that is obviously spam, do not open it. If you do open junk mail, do not click on any of the links. Often you will find a link at the bottom of the email that you are supposed to click on to remove yourself from the mailing list. If you click on it, you are just simply verifying to the Spammers that you have a good live email address and you will get even more spam. You may want to setup a “disposable” email address in yahoo or gmail to use on the web. That will cut down on exposure of your TCU email address. When you get spam you can send it as an attachment to spamfeedback@tcu.edu. When it is sent as an attachment, Technology Resources can view header information that can be used to adjust the filters for the End User Quarantine. This will help us reduce the amount of Spam and phishing emails received. TCU Information Security Services

How to send email as attachment In Outlook 2007 From the Inbox, click to select the email message From the menu choose Actions, Forward as Attachment. In Entourage 2004 for Mac OSX From the menu choose Message, Forward as Attachment. For your reference here is how you can send email as an attachment. In Office 2007, in the Inbox, click on the spam email – do not open it. From the menu, choose Actions, then Forward as Attachment. In Entourage for the Mac – click on the email and from the menu select Message and then Forward as Attachment. TCU Information Security Services

Spoofing Email appears to be from a friend, colleague or yourself but subject and text obviously not something you or they would send Spoofing is a way of sending counterfeit email using stolen addresses TCU Information Security Services

Spoofing continued Favorite technique of spammers and phishers How do they steal email addresses Write programs that gather email addresses from websites, discussion boards, blogs. Also worms and viruses collect addresses from address books they infect What can you do Nothing to prevent spoofing Just be aware and never fully trust the “From” field of an email. TCU Information Security Services

Attachments Computer viruses and other malicious software are often spread through email attachments. If a file attached to an email contains a virus, it is often launched when you open (or double-click) the attachment. Don’t open email attachments unless you know whom it is from and you were expecting it. When you receive emails with Attachments or Links – even if you don’t think the email may be spam or phishing – they should be approached with a great deal of caution. Computer viruses, malware and spyware can be easily spread through email attachments. When you open or double-click the attachment, if the file contains a virus it will be launched and infect your computer. So be very cautious – do not open email attachments unless you know who sent it and you were expecting it. TCU Information Security Services

Should You Open that Attachment? If it is suspicious, do not open it! What is suspicious? Not work-related. The email containing the attachment was not addressed to you, specifically, by name. Incorrect or suspicious filename. Unexpected attachments. Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx) Unusual topic lines: “Your car?”; “Oh!”; “Nice Pic!”; “Family Update!”; “Very Funny!” If you are at all suspicious, do not open the attachment. What is suspicious? If it is not work related If the email does not address you specifically by name If the file name is misspelled, incorrect or odd I would be suspicious of unexpected attachments. Even if you recognize the sender’s email address – their email may have been spoofed or hijacked. Beware of attachments with suspicious or unknown file extensions And watch out for unusual email subject lines especially if you were not expecting a file and do not know who sent it. TCU Information Security Services

Email Best Practices Use the BCC field when sending to large distribution lists. Protects recipients email addresses Prevents Reply to All issues Avoid use of large distribution lists unless legitimate business purpose. E.g., All Faculty/Staff list Use TCU Announce instead Beware of Reply to All button Don’t forward chain email letters. Some email best practices to use to protect yourself and others Use the BCC field when sending to large distribution lists. (click BCC Field to see how to view the field in Outlook or Entourage) The BCC field is the blind carbon copy field – the email addresses of the recipients are hidden from each other. The advantage of this is that is protect their email addresses if the email should fall into the hands of a spammer or phisher. It also prevents accidental “reply to all” issues. Unless you have a legitimate business purpose, avoid using large distribution lists such as the All TCU Faculty Staff list – use TCU Announce from the portal instead. When you receive an email beware of responding with the Reply to All button. Verify who you are sending the email to before hitting the send button. And, finally, please do not forward chain email letters. TCU Information Security Services

BCC Field In Office 2007 In Entourage 2004 for OSX In a new mail message select Options, Show BCC In Entourage 2004 for OSX The Bcc field is visible when you start a new message. To view the BCC field in Outlook, in a new mail message select Options, Show BCC And in Entourage on the Mac the BCC field is visible when you start a new message. back TCU Information Security Services

Email password separately! Data Protection Do Not Email Unencrypted Sensitive Personal Information (SPI) On-campus email – encrypt or use shared drive instead. Digital ID Allows you to digitally sign and encrypt email. Required for sender and recipient. Email security@tcu.edu to request. WinZip version 10 and above – create encrypted archive to send in email. Office 2007 - allows AES encryption . It is very important to not email unencrypted sensitive personal information. (Go to SPI slide) If you need to transport a file containing SPI to someone else on campus – either encrypt the email or use a shared network drive instead. There are different ways you can encrypt emails. One is a Digital ID This allows you to digitally sign and encrypt an email. However it is required that both you the sender and the recipient have a digital ID. If you are interested in this method, email security@tcu.edu to make a request for one. Both WinZip and Office 2007 offer AES encryption, which is the industry standard. Documentation on how to encrypt files using WinZip and in Office is located on the Digital Self Defense page of the security.tcu.edu website. When you send an encrypted file in an email, be sure to email the password separately. Email password separately! TCU Information Security Services

What is SPI? Sensitive Personal Information (SPI):  Defined as an individual's name, address, or telephone number combined with any of the following: Social security number or taxpayer ID number Credit or debit card number Financial/salary data Driver's license number Date of birth Medical or health information protected under HIPAA Student related data protected under FERPA SPI is an individual's name, address, or telephone number combined with: Social security number Credit or debit card number Financial/salary data Driver's license number Date of birth Medical or health information protected under HIPAA Student related data protected under FERPA back TCU Information Security Services

Resources TCU Computer Help Desk Information Security Services 817-257-6855 Help@tcu.edu http://Help.tcu.edu Location: Mary Couts Burnett Library, first floor Information Security Services https://Security.tcu.edu Security@tcu.edu In this presentation we have reviewed email security threats that you should be aware of and discussed ways in which you can protect yourself and others. For computer problems please contact the TCU Computer help desk at ext 6855 or help@tcu.edu. For questions about security, send an email to security@tcu.edu and please refer to the security.tcu.edu web site for further information on current alerts and advisories, Digital Self Defense, policies and procedures, etc. To completely ensure that you understand email security please take a few minutes to complete the following quiz. The results will be emailed to the Technology Resources security team and will help us develop further training materials to better meet your needs. Thank you very much! TCU Information Security Services