help! why phishing works what is phishing? i think i’ve been … · 2014. 9. 26. · phishing is...

Post on 05-Oct-2020


SUSPICIOUS ACTIVITY REPORTING

Why Phishing Works

• We are easily enticed—we trust known brands/logos

• Lack of user education and awareness

• Lack of Information Assurance knowledge and warning indicators

• Visually deceptive text

• Image masking

• Image mimicking Windows

What is Phishing?

Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques (i.e., manipulating people into performing actions or divulging confidential information). Phishing emails are crafted to appear as if they were sent from a legitimate organization or known individual. These emails often attempt to attract users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords that can further expose them, their network, and their unit to future compromises.

In order to fully understand phishing and how it can impact you and your unit, you should be aware that there are different types of phishing:

Phishing is usually an e-mail sent to a large group of people that attempts to scam the recipients. The people the message is sent to often do not have anything in common.

Spear phishing is a message sent to a smaller, more select group of targeted people or to a single individual.

Whaling or whale phishing is a highly personalized message sent to senior executives, high-level officials, or their personal executive staff members.

Help! I think I’ve been Phished!

Anti Phishing Quick Reaction Drill

• Change your password immediately at the real website:

• Type the website name in your browser’s address bar.

• Sign in to your account and click the “user profile” or “change password” link.

• Follow the website’s instructions to change your account information and password.

• Click the “contact us” link found on most websites and inform them about the phishing attack you just experienced.

• If you are using a government computer, contact your local Information Assurance Officer and servicing Network Enterprise Center (NEC).

Recognizing & Avoiding Email Scams: http://www.us-cert.gov/reading_room/emailscams_0905.pdf

Report Phishing Attacks to Your Local Information Assurance Officer and your servicing Network Enterprise Center (NEC)

User Awareness

• Most phishing attempts are for identity theft, but phishing is also being used to gain access to online banking, federal, and DoD information

• Phishing attacks can be geared to collect personal information such as: SSN, mother’s maiden name, date of birth, passwords, credit card numbers, etc.

• Phishing emails not only attempt to trick you into giving out sensitive information, but also can include malicious software

• Malicious software can be viruses and other computer code designed to allow a hacker to use your computer for illegal Internet activity, or to access your unit’s network to gather DoD information

• Malicious code may capture your keystrokes or capture your personal and work files and send them to people without your knowledge

How Phishing Works

Protect Yourself and Your Organization

DO

• Watch out for phishing

• Delete suspicious emails

• Contact your Information Assurance Officer or your servicing Network Enterprise Center (NEC) if you have questions about emails

• Report any potential incidents

DO NOT

• Open suspicious emails

• Click on suspicious links in emails or pop-up windows

• Call telephone numbers provided in suspicious emails

• Disclose any information
