1. Email Phishing and
2. May 2006 – Veterans Administration
laptop with personal information on
26.5M veterans is stolen. “Total
losses could top $500M.” – VA
Jan 2007- Hackers stole data from at
least 45.7 million credit and debit cards
at retailer T.J.Maxx – total costs could
May 2006 – CIO, CSO fired Ohio
University 137,000 student
3. Why Does This Happen?
Firewall IDS Anti-Virus
4. ATM is also a type of Phishing
5. Can you spot a “Social Engineer”?
Phishing is Social Engineering
6. Social Engineering
What is Social Engineering?
“An attempt to influence a person into granting
unauthorized access, unauthorized use or
unauthorized disclosure of an information system,
network or data. Modifying system configuration.”
“How to blunt the socially engineered hack” by Michael Casper
7. Social Engineering
… 70 percent of those asked said they would
reveal their computer passwords for a …
Schrage, Michael. 2005. Retrieved from
Bar of chocolate
8. Social Engineering
Methods of Social Engineering
Help desk/Support areas
9. Vulnerability in People
Cause: A large growing population of internet
illiterate users are using internet email and
other user friendly applications.
Threat: Illiteracy in how the internet works and
its threats allows miscreants to attack a
network or person through social engineering.
This is the fastest growing method of hacking
we have seen.
Human nature is that people are trusting, even
those things which may be false.
10. Social Engineering – Information
Scenario #1 – YOU: How many of you have
provided personal information online or over the
phone to a vendor or service?
Personal Information May Include
Social Security Number (or just the last 4 digits)
First, Middle, Last names – Maiden Name
Mothers Maiden Name
Address, Phone Number
Credit Card Number – CVV2 Code
ATM PIN Code
Passwords you may use elsewhere
11. Social Engineering – Information
Scenario #1 - YOU: Was that information sent
securely? Will it be shared with someone else?
Was it compromised?
Scenario #2 – SOMEONE ELSE: Have you
ever asked for personal information and been
offered that information freely or without much
12. Social Engineering – Information
Example: How many of you would provide
personal information to someone who called you
on the phone? Over the Internet?
Social Engineering is an art, basically the art of
listening and lying at the same time, while
seemingly having a typical conversation.
Read More: The Art of Deception – Kevin Mitnick
13. Social Engineering – Information
Scenario: You come back from lunch to find a
Post-it note on your desk asking you to change a
user password to something written on the Post-
14. ID Theft– New Way
Phishing / Pharming
15. On 7 October 2001. “Singer Britney Spears Killed in Car Accident”.
Due to a bug in CNN’s software, when people at the spoofed site clicked on
the “E-mail This” link, the real CNN system distributed a real CNN e-mail to
recipients with a link to the spoofed page.
With each click at the bogus site, the real site’s tally of most popular stories
was incremented for the bogus story.
Allegedly this hoax was started by a researcher who sent the spoofed story to
three users of AOL’s Instant Messenger chat software.
Within 12 hours more than 150,000 people had viewed the spoofed page.
Social Engineering Example
16. Social Engineering Phishing
17. What is Phishing?
“Fishing for personal information”
Use “spoofed” e-mails and fraudulent
websites designed to fool recipients into
divulging personal financial data such as
credit card numbers, account usernames and
passwords, social security numbers, etc.
Anti-Phishing Working Group
18. Surge in phishing
Based on the survey, 57 million Americans have
been, or think they have been, the victim of a
30 million were positive, Out of that pool, 11
million fell for the scams or about 19% of those
Almost 2 million, or about 3% of those attacked,
reported that they'd actually divulged sensitive
information eg. credit-card numbers, bank
accounts, passwords, etc.
Phishers have a one in 700 chance of getting
19. Social Engineering
20. Phishing New Threat
21. This is a Very
Common Tactic used
to Social Engineer
Lets walk through a
22. Click on the Link and
you get sent to the
Or do you…
Click Here and it takes
you to Official EBay
Not a Secure Website
LETS SCROLL DOWN
23. As we Scroll Down
the Page we find out
that it needs a lot of
to verify who you are.
NEVER Give this Out to Anyone
Just in case you mistyped your
OK.. I can see how Ebay
Might need this info… right
LETS SCROLL DOWN
Just in case you thought this
might be a scam…
24. CVV2 Code and PIN
Number to your bank
Can’t Use the CreditCard
Online without this!!
If we clone your card, we
might need this as well.
25. Lets take a look at
the email again…
How many of you
receive emails like
this on a regular
Does it look Legit?
Would it have
In this case, the whole message was actually an Image with the Image linked to
the malicious site, while the link in the image shows up as something legitimate.
26. What Companies are Doing
AMERICAN EXPRESS - How to Contact American Express
about Fraudulent E-Mails
If you receive an e-mail that you believe could be fraudulent,
immediately forward it to
firstname.lastname@example.org. Please do not
forward the e-mail as an attachment. Please note that any
submissions to this email address will result in an auto-
generated reply to notify you that we have received your e-mail.
If we find it to be fraudulent, we will immediately take
appropriate action. For consumers requiring additional
assistance, please contact us at Contact American Express
27. How to Detect Deception
Publish your mail server addresses (to thwart spoofing)
Educate customers (and employees)
Establish online communication protocols
Create a response plan now
Proactively monitor for phishers and fraud
Make yourself a difficult target
28. Prevent Phishing from Fraud Watch
Never click on hyperlinks
Use Anti-SPAM filters
Use Anti-Virus Software
Use personal firewalls
Keep all software updated
Always look for https and
sites that ask for “personal
Keep computer clean from
Know Fraudulent activity on
Check your credit report
immediately for free!
If unsure, ask!
29. First Phishing –
New generation of attack use of the internet
attack for extortion "Ransomware".
Follow-up to: phishing, pharming attacks
It starts with hijacking or stealing user files, encrypting them (so
the user loses access to vital information), then demanding
payment in exchange for the decryption key.
So far theses attacks are quite rare but it brings a new
dimension to the usage of the internet and a new generation of
30. Phishing – Variations
“Phishing”= social engineering
– Who: Online scammers, posing as legitimate companies or your
new best friend
– Why: They want your sensitive information (credit-card, billing-
routing, and Social Security numbers, among others)
“Pharming”= being diverted to a fake/spoofed
“Spear phishing”= spoofed email that targets
emails stolen from a company or organization
31. Phishing and Business Risks
“Look for stuff…”
Text has “Viagra”
“Go for Buzzwords”
and Neural Nets
“Mix a Cocktail”
You can’t fool all
of the filters all
of the time
But threats get more sophisticated
Tradeoffs false positives vs false negatives
User Awareness to Avoid Phishing
Caution: African shares $10 million…
Banks never ask for account info, in an e-mail
Don’t click on links suspicious e-mails
Report suspicious e-mails
37. Banking Technical Solutions
38. Anti-Phishing Laws
-Identity Theft Penalty Enhancement Act
-Aggregated Identity Theft - Defined as using a
stolen identity to commit other crimes.
-Mandatory sentencing of 2 years.
Anti-Phishing Act of 2005
-Prohibits the use of a website/email to coerce
others to divulge their personal information.
-Penalties: 5 years, $250,000 fine.
Effectiveness: Professionals vs. Amateurs
39. • FTC Identity Theft Website
• Anti-Phishing Working Group
• End ID Theft