Detecting Phishing Attacks: Theory, Cues, and Practice
CSU PDI, Steve Lovaas, January 8, 2010.

Overview
- What is phishing
- Overview of the problem
- Evolution of the attacks
- How to tackle the problem: awareness & attitude, clues, practice

What is “Phishing”? (example message, in French)
From: Directeur de la recherche technique, Université de la Sorbonne [Director of Technical Research, Sorbonne University]
To: Steve Lovas
Subject: Pressant! Veuillez taper votre mot de passe: [Urgent! Please type your password:]

Official Definitions
- Social engineering: the act of manipulating people into performing actions or divulging confidential information.
- Phishing: social engineering in the form of fraudulent or deceptive email, typically requesting personal or financial information or access credentials.

Practical Definitions
- Trying to trick you into doing something
- Exploiting established trust or a trusting nature
- Hoping you won’t pay adequate attention
- “Please send me your username, password, bank account number, credit card number, and SSN…”

Phishing Factors
Deceptive email, usually broadly distributed. Addresses, subject, attachments, and message text can all be used to deceive:
- Technical cues: a “spoof” of a familiar source; a “Reply-To” address that differs from the “From” address
- Contextual cues: emotional appeals; current social issues and breaking news; appeals to entertainment, profit, etc.; money for nothing (too good to be true)
- Linguistic (syntactical) cues: DIRE CONSEQUENCES IN ALL CAPS; spelling errors; bad grammar

Recent Evolution of Tactics
Spearphishing:
- From a carefully chosen source you should know
- Targeted specifically at members of an organization
- Graphics, style, and tone carefully chosen to look right
- Becoming more common
More, better graphics:
- More visual content = more likely to trust
- Media-rich content plays to our habits and tendencies
- Eventual inclusion of audio and video?

So What’s Going On? (communication-model diagram)
Sender → Message → Channel → Decoding by many different receivers. The sender encodes the message; each receiver decodes it according to their own:
- Sense that it “smells like phish”
- Tendency to trust
- Empathy
- Technical understanding
- Culture
- Social norms
- Previous experience with the sender

How to Tackle the Problem?
- Technical defenses
- Technical/social environment
- Social norms
- User education/awareness
- User attitude

Protection Points (the same model, with protections overlaid)
Sender → Message → Channel → Decoding by many different receivers, each with their own sense that it “smells like phish”, tendency to trust, empathy, technical understanding, culture, social norms, and previous experience with the sender. Protections:
- Anti-virus, anti-spam
- Digital signatures
- Individual education
- Building organizational norms
- Highlighting current attacks

Focus on Awareness & Attitude
Of course our ultimate goal is behavior (don’t fall victim)… but we can hope to achieve that by working on:
Awareness (our focus here today):
- Knowledge of the problem
- Knowledge of the tactics
- Ability to recognize attacks (cues)
Attitude (WHY you’re here today):
- Inclination to act
- Tendencies to trust or be suspicious
- Default behaviors

Clues/Cues in the Message What are some features of messages that can clue you in to a phishing attack? Things that make you go “hmm…”

Some (annotated screenshot of a phishing message; callouts only survive)
- “mailbox capacity Account” (?)
- Impersonal greeting
- Grammar!
- NEVER do this!
- Bates??
- We don’t have anything called “Webmail Helpdesk”
- Expires in 4

More Practice (sample message)

From:
Sent: Thursday, December 11, :00 AM
To: Samaniego,Rosalie
Subject: Electronic Tax Document Signup For Colorado State University

This email has been sent by Colorado State University / ECSI asking for your consent to receive notification of your 1098-T tax form electronically. If you would like to receive notification electronically please give your consent by following the link below, logging in, and following the instructions. If you would like to receive a paper copy of your 1098-T form, do nothing.

The benefits to receiving electronic notification are:
* Online delivery provides access to the form 1098-T earlier than the traditional mailing process.
* Online delivery eliminates the chance that the 1098-T will get lost, misdirected or delayed during delivery, or misplaced once the student receives it.
* Signing up for online delivery is easy and secure.
* Students can receive their 1098-T form even while traveling or on assignment away from their home address.

To give consent to receive your notification electronically, log in to the SECURE website below using the given information:
Step 1: Website: School Code: JW Account : (your Social Security Number or Student ID) Password :
Step 2: Under Account Tools: Click "Signup for Electronic Tax Documents"
Step 3: Read information, check the consent box, verify your address, and click the submit button.

Thank you for your response.
ECSI's 1098-T Project Manager, Mike Trombetta
ECSI: Service Never Rests
181 Montour Run Road | Coraopolis, PA
v | f |

Callouts:
- Who is ecsi.net?
- Request for financial transaction
- Sent to a real user, but no personalized greeting, generic message
- Apparently wants my SSN??
- Use a password in the email?
- No mention of anyone from CSU
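The cues from the “Phishing Factors” slide (technical, contextual, linguistic) and the callouts on the two practice messages can be turned into a mechanical checklist. The script below is an added illustration, not the presenter’s code or any CSU tool: it parses a raw message with Python’s standard email library and reports which cues fire. The trusted-domain set, the keyword lists, the ALL-CAPS threshold, and both sample messages (a constructed “Webmail Helpdesk” phish modelled on the slide’s callouts, and a constructed legitimate ACNS notice) are assumptions for the example.

```python
"""Check a raw RFC 5322 message for the phishing cues discussed in the slides.

Added example; thresholds, keyword lists and the trusted-domain set are
assumptions chosen for illustration, not a production classifier.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization legitimately sends mail and links from.
TRUSTED_DOMAINS = {"colostate.edu"}

URGENCY = re.compile(r"\b(urgent|immediately|within \d+ (hours|days)|suspend\w*|expir\w*)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|ssn|credit card|account number|username)\b", re.I)
GENERIC_GREETING = re.compile(r"^\s*(dear|hello|hi)\s+(user|customer|member|valued|account holder)\b", re.I | re.M)
URL = re.compile(r"https?://([^/\s]+)", re.I)
CAPS_WORD = re.compile(r"\b[A-Z]{4,}\b")  # SHOUTED words of four or more letters


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Concatenate the text/plain parts of the message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def phishing_cues(raw):
    """Return a list of human-readable cues that fired for the message."""
    msg = message_from_string(raw)
    body = body_text(msg)
    cues = []

    # Technical cues: spoofed source, Reply-To that differs from From, off-domain links.
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        cues.append(f"technical: From domain {from_dom} is not a known org domain")
    if reply_dom and reply_dom != from_dom:
        cues.append(f"technical: Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for host in sorted({h.lower() for h in URL.findall(body)}):
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            cues.append(f"technical: link to off-domain host {host}")

    # Linguistic cues: dire consequences in ALL CAPS, deadline/urgency wording.
    caps = CAPS_WORD.findall(body)
    if len(caps) >= 3:
        cues.append(f"linguistic: {len(caps)} ALL-CAPS words (dire consequences)")
    if URGENCY.search(body) or URGENCY.search(msg.get("Subject", "")):
        cues.append("linguistic: urgency / deadline language")

    # Contextual cues: impersonal greeting, request for credentials or identifiers.
    if GENERIC_GREETING.search(body):
        cues.append("contextual: impersonal greeting")
    asked = sorted({m.group(0).lower() for m in SENSITIVE.finditer(body)})
    if asked:
        cues.append("contextual: asks for " + ", ".join(asked))
    return cues


# Constructed sample phish, modelled on the slide's "Webmail Helpdesk" callouts.
PHISH = """\
From: "CSU Webmail Helpdesk" <helpdesk@csu-webmail-support.net>
Reply-To: recover-account@mail-recovery-example.org
To: jdoe@colostate.edu
Subject: URGENT: Your mailbox capacity has been exceeded
Content-Type: text/plain; charset=utf-8

Dear User,

Your account will be SUSPENDED within 24 hours unless you VERIFY it IMMEDIATELY.
Reply with your username, password and Social Security Number, or visit
http://csu-webmail-support.net/verify

Webmail Helpdesk
"""

# Constructed sample of a legitimate notice from the organization's own domain.
LEGIT = """\
From: "ACNS Service Desk" <acns-help@colostate.edu>
To: jdoe@colostate.edu
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset=utf-8

Hi Jane,

Email will be unavailable Saturday 02:00-04:00 for maintenance. No action
is needed; see https://www.colostate.edu/ for the schedule.

ACNS Service Desk
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_cues(raw) or ["no cues fired"])
```

Note that none of these cues is individually conclusive (a real helpdesk also writes “urgent”), which is why the slides treat them as things that should make you “go hmm” and then verify out of band, rather than as rules. A Reply-To domain that differs from the From domain and a request for a password are the two that should almost never appear in legitimate organizational mail.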

Summary
- NEVER send your username/password in email, or your credit card number, SSN, etc.
- Avoid clicking URLs directly from an email
- If it claims to be from ACNS, look for a digital signature
- If an email looks suspicious, ask your IT person
- Listen to the little voice in your head!