SENTER Project
HELLENIC POLICE LIEUTENANT’S SCHOOL
Presentation of Phishing
Police Lieutenant Trainee
Nikolaos Georgitsopoulos
Hellenic Police Lieutenant’s School
Greece
Athens, 03 November 2017
Seminar Work for the Module “Internet Technologies”
Presentation of Phishing: Athens, 03 November 2017
Contents
1. Theoretical Part
a) Cybercrime
b) What is Phishing?
c) Phishing Types
d) Phishing and Online Banking Fraud
e) Spear Phishing
f) Technical measures (browser technologies, security software, etc.)
available to detect phishing attempts
2. Practical Part
a) Phishing simulation program
b) The Phishing Campaign
c) General guidelines for employees in order to avoid phishing
Cybercrime
1. Cybercrime consists of criminal acts that are committed
online by using electronic communications networks
and information systems.
2. It is a borderless problem that can be classified into three broad categories:
• Crimes specific to the Internet, such as attacks against information systems (phishing among them).
• Online fraud and forgery.
• Illegal online content.
Types of cybercrime (a)
• Illegal computer hacking and cracking;
• Developing and/or spreading malicious code;
• Spamming;
• DDoS attacks;
• Network intrusion;
• Software piracy;
Types of cybercrime (b)
• Network-based or network-enabled crimes (such as
phishing);
• Intellectual property rights (IPR) crimes;
• Distribution of child sexual abuse imagery;
• Grooming of children for sexual purposes;
• Phreaking;
• Conditional access piracy.
What is Phishing? (a)
• Phishing is a form of Cybercrime.
• Phishing is the attempt to obtain sensitive information
such as usernames, passwords, and credit card details
(and, indirectly, money), often for malicious reasons, by
disguising as a trustworthy entity in an electronic
communication.
• Phishing is the process of enticing people into visiting
fraudulent websites and persuading them to enter
identity information such as usernames, passwords etc.
What is Phishing? (b)
• Phishing is the act of stealing personal information via the internet for the purpose of committing financial fraud.
• It relies on unsolicited communications by email, SMS or telephone.
• The attacker purports to represent a trusted third party.
• It is an attempt to convince the victim to divulge sensitive information, such as login credentials or payment details.
Short History of Phishing (a)
• Originated sometime around the year 1995.
• Phreaks and hackers have always been closely linked.
The “ph” spelling was used to link phishing scams with
these underground communities.
• In 1996, through the America Online (AOL) instant messenger and email systems, phishers would send messages to users while posing as AOL employees.
Short History of Phishing (b)
• In late 2003, phishers registered dozens of domains that
looked like legitimate sites like eBay and PayPal if you
weren't paying attention.
• They used email worm programs to send out spoofed
emails to PayPal customers.
• By the beginning of 2004, phishers were riding a huge
wave of success that included attacks on banking sites
and their customers.
• Popup windows were used to acquire sensitive
information from victims.
Phishing Types
1. Spear phishing
2. Phone phishing-Vishing (Voice Phishing)
3. SMS phishing-Smishing
4. Clone phishing
5. Link manipulation
6. Filter evasion
7. Website forgery
8. Malvertising
9. Covert redirect
Phishing and Online Banking Fraud (a)
• Bank customers are popular targets of those who
engage in phishing attacks.
• Criminals send out thousands of spoofed emails.
• Criminals impersonate bank websites in order to get unsuspecting users to provide their login credentials.
• At first glance the fraudulent email looks reliable regarding its sender, form and content, and is thus almost indistinguishable from a real one.
Phishing and Online Banking Fraud (b)
• The fake website then asks the user for personal data or access information, which is then used for fraudulent transactions.
• The cybercriminal now has all the necessary information
to steal the victim’s identity and have access to the bank
account.
• The phishers use the information they've gathered to
make illegal purchases or otherwise commit fraud.
The flow of information in a phishing attack
Examples of malware used to conduct bank
phishing scams
1. Bancos (2003), also identified as Banker by some anti-virus companies.
2. Targeted Brazilian banks.
3. Bancos monitored Internet Explorer for specific bank URLs and attempted to capture account information.
4. It overlaid certain banking web pages with a fake one that captured the information directly from the user.
Spear Phishing (a)
• Spear phishing is a much more targeted attack.
• The hacker knows which specific individual or
organization they are after.
• The attacker researches the target in order to make the attack more personalized.
• Spear-phishing attacks are much more targeted and
involve duping particular individuals within a specific
organization.
Spear Phishing (b)
• They send customized, credible emails that appear to
come from a trusted source.
• This enhances the authenticity and legitimacy of the message.
• It increases the probability of the individual complying with the request.
• The recipient of the e-mail needs to be convinced.
• The hacker will gain remote access or log their
keystrokes and ultimately gain access to their PCs.
An example of Spear Phishing: The CEO Fraud (a)
• Targets businesses and their employees, seeking financial gain or intelligence by compromising business secrets or other information.
• CEO fraud involves tricking someone into making a large
wire transfer into what turns out to be a bogus account.
• On a few occasions, however, checks are used instead
of wire transfers.
An example of Spear Phishing: The CEO Fraud (b)
An example of Spear Phishing: The CEO Fraud (c)
1. A fraudster calls posing as a high-ranking figure of the company (e.g. the CEO or the CFO, Chief Financial Officer).
2. That "executive" then demands from the employee an urgent and confidential transfer of funds.
3. The fraudster claims that this is a sensitive situation.
4. The fraudster pressures the employee not to follow the regular authorization procedures and to bypass the security checks.
5. The fraudster gives the employee instructions on how to proceed.
6. The final step is for the employee to transfer the funds to an account controlled by the fraudster.
7. The money is re-transferred to accounts in multiple jurisdictions.
Technical measures (browser technologies,
security software, etc.) available to detect phishing
attempts (a)
• Anti-phishing software consists of computer programs that
attempt to identify phishing content contained in websites and
e-mail or block users from being tricked.
• Web browsers come with built-in anti-phishing and anti-malware protection services.
• Password managers can also be used to help defend against
phishing and protect sensitive data.
• Filtering: anti-spam filters may be configured to identify specific
known phishing messages and prevent them from reaching a
user.
Technical measures (browser technologies,
security software, etc.) available to detect phishing
attempts (b)
• Authentication: determine whether the IP address of a
transmitting mail transfer agent is authorized to send a
message from the sender’s domain.
• Signing: cryptographic signing of email.
• Outgoing data monitoring: A browser plug-in such as a
toolbar can store hashes of confidential information, and
monitor outgoing information to detect confidential information
being transmitted.
• Data destination blacklisting: block data transmissions to
specific IP addresses known to be associated with phishers.
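Two of the measures on this slide in miniature, as an added example that is not part of the original presentation: the sender-authentication check (the one SPF standardizes) that decides whether the mail server handing over a message is authorized for the envelope sender's domain, and an outgoing-data monitor that keeps only salted hashes of the user's credentials and flags a form post that carries one of them to a host other than the one it belongs to. The table of authorized sender ranges stands in for the DNS record a real deployment would publish, and all domains, addresses and mail headers are constructed.

```python
"""Sender authentication and outgoing-data monitoring, in miniature."""
import hashlib
import hmac
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed stand-in for the published list of mail servers allowed to
# send for each domain (a real check would fetch this from DNS).
AUTHORIZED_SENDERS = {
    "bank.example": ["192.0.2.0/24", "2001:db8:10::/48"],
}

# Matches the peer address our own MTA recorded: "from host (name [ip])".
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\S+\s+\[([0-9a-fA-F.:]+)\]\)")


def sender_ip_authorized(raw_mail: str) -> tuple[str, str, bool]:
    """Return (sender_domain, peer_ip, authorized) for the outermost hop.

    Only the outermost Received: header was written by the receiving MTA
    itself, so its peer address is the only one the sender cannot forge.
    """
    msg = message_from_string(raw_mail)
    # The envelope sender (Return-Path) is what is checked; fall back to From:.
    _, addr = parseaddr(msg.get("Return-Path") or msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    match = RECEIVED_RE.search(msg.get_all("Received", [""])[0])
    if match is None:
        return domain, "", False
    peer = ipaddress.ip_address(match.group(1))
    allowed = [ipaddress.ip_network(n) for n in AUTHORIZED_SENDERS.get(domain, [])]
    return domain, str(peer), any(peer in net for net in allowed)


class OutgoingDataMonitor:
    """Browser-side monitor in the spirit of the slide: it stores only salted
    hashes of the user's secrets, each tied to the host it belongs to, and
    inspects outgoing form posts for a secret headed somewhere else."""

    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self._home_host: dict[str, str] = {}  # digest -> host the secret belongs to

    def _digest(self, secret: str) -> str:
        # HMAC with a per-installation salt, so an exposed store cannot be
        # matched against a precomputed table of common passwords.
        return hmac.new(self._salt, secret.encode("utf-8"), hashlib.sha256).hexdigest()

    def remember(self, host: str, secret: str) -> None:
        self._home_host[self._digest(secret)] = host.lower()

    def inspect_post(self, url: str, fields: dict[str, str]) -> list[str]:
        """Names of fields carrying a known secret to a foreign host ([] = clean)."""
        destination = (urlsplit(url).hostname or "").lower()
        return [
            name
            for name, value in fields.items()
            if (home := self._home_host.get(self._digest(value))) is not None
            and home != destination
        ]


# Constructed messages: the first came from an authorized bank server, the
# second claims the same sender but was handed over by an unrelated host.
LEGIT_MAIL = """\
Received: from mx1.bank.example (mx1.bank.example [192.0.2.25])
    by mail.corp.example with ESMTPS; Fri, 03 Nov 2017 09:12:01 +0200
Return-Path: <alerts@bank.example>
From: "Bank Security" <alerts@bank.example>
Subject: Your monthly statement

Your statement is ready.
"""

SPOOFED_MAIL = """\
Received: from mx1.bank.example (unknown [203.0.113.77])
    by mail.corp.example with ESMTPS; Fri, 03 Nov 2017 09:15:44 +0200
Return-Path: <alerts@bank.example>
From: "Bank Security" <alerts@bank.example>
Subject: Suspicious attempt - change your password now

Click here to verify your account.
"""

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(label, sender_ip_authorized(mail))
    monitor = OutgoingDataMonitor(salt=b"constructed-per-install-salt")
    monitor.remember("online.bank.example", "Tr0ub4dor&3")
    creds = {"user": "trainee", "pass": "Tr0ub4dor&3"}
    print("real site:", monitor.inspect_post("https://online.bank.example/login", creds))
    print("look-alike:", monitor.inspect_post("https://onl1ne-bank.example/login", creds))
```

The spoofed message passes every visible check the slide mentions (sender name, domain, subject) and fails only on the peer address, which is why the authorization check belongs in the receiving mail server rather than in the user's judgement.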
LUCY: A Phishing Simulation Program (a)
• A customizable awareness program used by information
security professionals in higher education and private
industry.
• An effective training program.
• Allows organizations to simulate phishing e-mails.
• Helps identify which end users are more susceptible to such targeted e-mail attacks.
• Enables more focused training opportunities to help users recognize phishing attempts.
LUCY: A Phishing Simulation Program (b)
• Installed the LUCY server in VirtualBox.
• The server provides an IP address, a username and a password.
LUCY: A Phishing Simulation Program (c)
• The user then logs in to the LUCY environment with these credentials.
LUCY: A Phishing Simulation Program (d)
Created a new phishing campaign. Two templates:
1. The first one was about a phishing e-mail coming
from MasterCard.
2. The second one was informing the user that he had
an encrypted message and he had to use his
Microsoft account credentials.
LUCY: A Phishing Simulation Program (e)
Add the recipients of the e-mails. I used all my functional e-
mail accounts.
LUCY: A Phishing Simulation Program (f)
Launch my phishing attack
LUCY: A Phishing Simulation Program (g)
Checked my e-mails. I received the e-mail messages in only one of my four mail accounts.
LUCY: A Phishing Simulation Program (h)
LUCY: A Phishing Simulation Program (i)
The second mail was about a MasterCard service and asked the user to change his password because there had been a previous suspicious attempt.
LUCY: A Phishing Simulation Program (j)
LUCY: A Phishing Simulation Program (k)
In conclusion, the simulated phishing attack was partially successful because only two of the eight mails were delivered to the final recipients. The license does not allow viewing the data collected from this phishing attack.
General guidelines for employees in order to avoid
phishing, fraud scam and social engineering
1. Be AWARE of the risks and spread the information.
2. Be careful when using social media.
3. Avoid sharing sensitive information.
4. Never open suspicious links or attachments received by e-mail.
5. If you receive a call or e-mail alerting you of a security breach, do not provide information right away or proceed with a transfer.
6. Consult a colleague even if you were asked to use discretion.
7. Assign responsibility.
8. If a supplier informs you of a change in payment details, always contact the supplier to confirm the new information.
9. Strictly apply the security procedures in place for payments and procurement.
10. Always contact the police in case of fraud attempts.
Conclusion
1. Phishing is a highly profitable activity for cybercriminals.
2. Phishing and its specific forms, such as spear phishing, reveal that internet users may be vulnerable if they are not properly trained and do not know the immense dangers.
3. No single technology will completely stop phishing.
4. Good organization and practices, awareness training, proper application of current technologies, and improvements in security technology have the potential to drastically reduce the prevalence of phishing.
Thank you for your attention!
Hellenic Police Lieutenants’ School
Address: Thrakomakedonon Av. 101, PO 13679 – Acharnes, Attiki - Greece
Tel: +30 210-2424296, Fax : +30 210-2460964,
E-mail: saea.policeacademy@hellenicpolice.gr, Website: www.hellenicpolice.gr

More Related Content

What's hot

Spoofing
SpoofingSpoofing
Spoofing
Sanjeev
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
pooja_doshi
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and security
Sharath Raj
 

What's hot (20)

Spoofing
SpoofingSpoofing
Spoofing
 
What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?What is Phishing and How can you Avoid it?
What is Phishing and How can you Avoid it?
 
Phishing attack seminar presentation
Phishing attack seminar presentation Phishing attack seminar presentation
Phishing attack seminar presentation
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
Email phishing and countermeasures
Email phishing and countermeasuresEmail phishing and countermeasures
Email phishing and countermeasures
 
Different Types of Phishing Attacks
Different Types of Phishing AttacksDifferent Types of Phishing Attacks
Different Types of Phishing Attacks
 
Social engineering presentation
Social engineering presentationSocial engineering presentation
Social engineering presentation
 
Phishing attack
Phishing attackPhishing attack
Phishing attack
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and security
 
Social engineering attacks
Social engineering attacksSocial engineering attacks
Social engineering attacks
 
Anti phishing
Anti phishingAnti phishing
Anti phishing
 
Cyber Crime And Security
Cyber Crime And Security Cyber Crime And Security
Cyber Crime And Security
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 
Social engineering
Social engineering Social engineering
Social engineering
 
Spam & Phishing
Spam & PhishingSpam & Phishing
Spam & Phishing
 
Cybersecurity Awareness
Cybersecurity AwarenessCybersecurity Awareness
Cybersecurity Awareness
 
Cyber security
Cyber securityCyber security
Cyber security
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Cyber crime ppt
Cyber crime pptCyber crime ppt
Cyber crime ppt
 
Phising a Threat to Network Security
Phising a Threat to Network SecurityPhising a Threat to Network Security
Phising a Threat to Network Security
 

Similar to Phishing Presentation

Phishing & spamming
Phishing & spammingPhishing & spamming
Phishing & spamming
Kavis Pandey
 
phishingppt-160209144204.pdf
phishingppt-160209144204.pdfphishingppt-160209144204.pdf
phishingppt-160209144204.pdf
vinayakjadhav94
 
Email phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingEmail phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processing
CSITiaesprime
 
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docxRunning head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
wlynn1
 

Similar to Phishing Presentation (20)

Phishing.pdf
Phishing.pdfPhishing.pdf
Phishing.pdf
 
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
Intelligent Phishing Website Detection and Prevention System by Using Link Gu...
 
Dealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking SphereDealing with Fraud in E-Banking Sphere
Dealing with Fraud in E-Banking Sphere
 
Phishing & spamming
Phishing & spammingPhishing & spamming
Phishing & spamming
 
Seminar
SeminarSeminar
Seminar
 
phishingppt-160209144204.pdf
phishingppt-160209144204.pdfphishingppt-160209144204.pdf
phishingppt-160209144204.pdf
 
Phishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS WorkingPhishing attack, with SSL Encryption and HTTPS Working
Phishing attack, with SSL Encryption and HTTPS Working
 
A Review on Antiphishing Framework
A Review on Antiphishing FrameworkA Review on Antiphishing Framework
A Review on Antiphishing Framework
 
Phishing Attack : A big Threat
Phishing Attack : A big ThreatPhishing Attack : A big Threat
Phishing Attack : A big Threat
 
Phishing file pp
Phishing file ppPhishing file pp
Phishing file pp
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
phishing attack - man in the middle.pptx
phishing attack - man in the middle.pptxphishing attack - man in the middle.pptx
phishing attack - man in the middle.pptx
 
phishing-technology-730-J1A0e1Q.pptx
phishing-technology-730-J1A0e1Q.pptxphishing-technology-730-J1A0e1Q.pptx
phishing-technology-730-J1A0e1Q.pptx
 
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
How to Reduce Avenues of Attack: Using Intel to Plan for Cyber Threats in 2017
 
Phishing: Analysis and Countermeasures
Phishing: Analysis and CountermeasuresPhishing: Analysis and Countermeasures
Phishing: Analysis and Countermeasures
 
Phishing: Swiming with the sharks
Phishing: Swiming with the sharksPhishing: Swiming with the sharks
Phishing: Swiming with the sharks
 
Email phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processingEmail phishing: Text classification using natural language processing
Email phishing: Text classification using natural language processing
 
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docxRunning head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE  1 .docx
Running head HOW TO AVOID INTERNET SCAMS AT THE WORKPLACE 1 .docx
 
Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Lesson iv on fraud awareness (cyber frauds)
Lesson  iv on fraud awareness   (cyber frauds)Lesson  iv on fraud awareness   (cyber frauds)
Lesson iv on fraud awareness (cyber frauds)
 

More from Nikolaos Georgitsopoulos

Summer school 2017 giannakoula _european agenda on security
Summer school 2017 giannakoula _european agenda on securitySummer school 2017 giannakoula _european agenda on security
Summer school 2017 giannakoula _european agenda on security
Nikolaos Georgitsopoulos
 

More from Nikolaos Georgitsopoulos (17)

It security koutepas-2018-05_02
It security koutepas-2018-05_02It security koutepas-2018-05_02
It security koutepas-2018-05_02
 
«Αρχή του Καταλογισμού σε ενοχή και απαγόρευση αντικειμενικής ευθύνης στο Ποι...
«Αρχή του Καταλογισμού σε ενοχή και απαγόρευση αντικειμενικής ευθύνης στο Ποι...«Αρχή του Καταλογισμού σε ενοχή και απαγόρευση αντικειμενικής ευθύνης στο Ποι...
«Αρχή του Καταλογισμού σε ενοχή και απαγόρευση αντικειμενικής ευθύνης στο Ποι...
 
Presentation democracy ethics vs. intelligencε security.
Presentation democracy ethics vs. intelligencε security.Presentation democracy ethics vs. intelligencε security.
Presentation democracy ethics vs. intelligencε security.
 
Police body worn cameras-6th Security Project Conference-16 March 2018, Athens
Police body worn cameras-6th Security Project Conference-16 March 2018, AthensPolice body worn cameras-6th Security Project Conference-16 March 2018, Athens
Police body worn cameras-6th Security Project Conference-16 March 2018, Athens
 
Summer school 2017 giannakoula _european agenda on security
Summer school 2017 giannakoula _european agenda on securitySummer school 2017 giannakoula _european agenda on security
Summer school 2017 giannakoula _european agenda on security
 
Money Laundering -Mark Pieth
Money Laundering -Mark PiethMoney Laundering -Mark Pieth
Money Laundering -Mark Pieth
 
Fighting corruption
Fighting corruptionFighting corruption
Fighting corruption
 
Police cooperation within the eu
Police cooperation within the euPolice cooperation within the eu
Police cooperation within the eu
 
Professor skiadas eu operational schemes on border control
Professor skiadas eu operational  schemes on border controlProfessor skiadas eu operational  schemes on border control
Professor skiadas eu operational schemes on border control
 
Professor chrysomallis institutional asfj
Professor chrysomallis  institutional asfjProfessor chrysomallis  institutional asfj
Professor chrysomallis institutional asfj
 
Asylum eu greece
Asylum eu greeceAsylum eu greece
Asylum eu greece
 
Afsj summer school 2 legal immigration
Afsj summer school 2 legal  immigrationAfsj summer school 2 legal  immigration
Afsj summer school 2 legal immigration
 
Afsj summer school 1 immigration paths
Afsj summer school 1 immigration  pathsAfsj summer school 1 immigration  paths
Afsj summer school 1 immigration paths
 
Cryptocurrencies Presentation- Smart Contracts
Cryptocurrencies Presentation- Smart ContractsCryptocurrencies Presentation- Smart Contracts
Cryptocurrencies Presentation- Smart Contracts
 
Afsj summer school 3 illegal immigration
Afsj summer school 3 illegal immigrationAfsj summer school 3 illegal immigration
Afsj summer school 3 illegal immigration
 
The eu on the borderline
The eu on the borderlineThe eu on the borderline
The eu on the borderline
 
Police Body Worn Cameras WAVE 2017 Presentation (in Greek)
Police Body Worn Cameras WAVE 2017 Presentation (in Greek)Police Body Worn Cameras WAVE 2017 Presentation (in Greek)
Police Body Worn Cameras WAVE 2017 Presentation (in Greek)
 

Recently uploaded

在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
galaxypingy
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
Asmae Rabhi
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 

Recently uploaded (20)

20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency""Boost Your Digital Presence: Partner with a Leading SEO Agency"
"Boost Your Digital Presence: Partner with a Leading SEO Agency"
 
PowerDirector Explination Process...pptx
PowerDirector Explination Process...pptxPowerDirector Explination Process...pptx
PowerDirector Explination Process...pptx
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx75539-Cyber Security Challenges PPT.pptx
75539-Cyber Security Challenges PPT.pptx
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 

Phishing Presentation

  • 1. SENTER Project HELLENIC POLICE LIEUTENANT’S SCHOOL Presentation of Phishing Police Lieutenant Trainee Nikolaos Georgitsopoulos Hellenic Police Lieutenant’s School Greece Athens, 03 November 2017 Seminar Work for the Module “Internet Technologies”
  • 2. 2 Presentation of Phishing: Athens, 03 November 2017 Contents 1. Theoretical Part a) Cybercrime b) What is Phishing? c) Phishing Types d) Phishing and Online Banking Fraud e) Spear Phishing f) Technical measures (browser technologies, security software, etc.) available to detect phishing attempts 2. Practical Part a) Phishing simulation program b) The Phishing Campaign c) General guidelines for employees in order to avoid phishing
  • 3. 3 Cybercrime 1. Cybercrime consists of criminal acts that are committed online by using electronic communications networks and information systems. 2. It is a borderless problem that can be classified in three broad definitions: Crimes specific to the Internet, such as attacks against information systems (like phishing etc). Online fraud and forgery. Illegal online content. Presentation of Phishing: Athens, 03 November 2017
  • 4. 4 Types of cybercrime (a) • Illegal computer hacking and cracking; • Developing and/or spreading malicious code; • Spamming; • Ddos attacks; • Network intrusion; • Software piracy; Presentation of Phishing: Athens, 03 November 2017
  • 5. 5 Types of cybercrime (b) • Network-based or network-enabled crimes (such as phishing); • Intellectual property rights (IPR) crimes; • Distribution of child sexual abuse imagery; • Grooming of children for sexual purposes • Phreaking; • Conditional access piracy. Presentation of Phishing: Athens, 03 November 2017
  • 6. 6 What is Phishing? (a) • Phishing is a form of Cybercrime. • Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication. • Phishing is the process of enticing people into visiting fraudulent websites and persuading them to enter identity information such as usernames, passwords etc. Presentation of Phishing: Athens, 03 November 2017
  • 7. 7 What is Phishing? (b) • Phishing, the act of stealing personal information via the internet for the purpose of committing financial fraud. • Rely on unsolicited communications by email, SMS or telephone. • The attacker purports to represent a third reliable party. • An attempt to convince the victim to divulge sensitive information, such as login credentials or payment details. Presentation of Phishing: Athens, 03 November 2017
  • 8. 8 Short History of Phishing (a) • Originated sometime around the year 1995. • Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities. • Through the America Online (AOL) in 1996, instant messenger and email systems, they would send messages to users while posing as AOL employees. Presentation of Phishing: Athens, 03 November 2017
  • 9. 9 Short History of Phishing (b) • In late 2003, phishers registered dozens of domains that looked like legitimate sites like eBay and PayPal if you weren't paying attention. • They used email worm programs to send out spoofed emails to PayPal customers. • By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. • Popup windows were used to acquire sensitive information from victims. Presentation of Phishing: Athens, 03 November 2017
10. Phishing Types
1. Spear phishing
2. Phone phishing - Vishing (Voice Phishing)
3. SMS phishing - Smishing
4. Clone phishing
5. Link manipulation
6. Filter evasion
7. Website forgery
8. Malvertising
9. Covert redirect
11. Phishing and Online Banking Fraud (a)
• Bank customers are popular targets of those who engage in phishing attacks.
• Attackers send out thousands of spoof emails.
• Criminals impersonate bank websites in order to get unsuspecting users to provide their login credentials.
• At first glance the fraudulent email looks reliable regarding its sender, form, and content and is thus almost indistinguishable from a real one.
12. Phishing and Online Banking Fraud (b)
• After that, the faked website asks for personal data or access information from the user, which is then used for fraudulent transactions.
• The cybercriminal now has all the necessary information to steal the victim’s identity and access the bank account.
• The phishers use the information they've gathered to make illegal purchases or otherwise commit fraud.
13. The flow of information in a phishing attack
14. Examples of malware used to conduct bank phishing scams
1. Bancos (2003), also identified as Banker by some anti-virus companies.
2. Targeted Brazilian banks.
3. Bancos monitored Internet Explorer for specific bank URLs and attempted to capture account information.
4. Overlaid certain banking web pages with a fake one that captured the information directly from the user.
15. Spear Phishing (a)
• Spear phishing is a much more targeted attack.
• The hacker knows which specific individual or organization they are after.
• They research the target in order to make the attack more personalized.
• Spear-phishing attacks are much more targeted and involve duping particular individuals within a specific organization.
16. Spear Phishing (b)
• They send customized, credible emails that appear to come from a trusted source.
• This enhances their authenticity and legitimacy.
• It increases the probability of the individual complying with their request.
• The recipient of the e-mail needs to be convinced.
• The hacker will gain remote access or log their keystrokes and ultimately gain access to their PCs.
17. An example of Spear Phishing: The CEO Fraud (a)
• Targets business companies and their employees, trying to gain financial profit or intelligence by compromising business secrets or other information.
• CEO fraud involves tricking someone into making a large wire transfer into what turns out to be a bogus account.
• On a few occasions, however, checks are used instead of wire transfers.
18. An example of Spear Phishing: The CEO Fraud (b)
19. An example of Spear Phishing: The CEO Fraud (c)
1. A fraudster calls posing as a high-ranking figure of the company (e.g. CEO or CFO). He appears to be the CEO or the CFO (Chief Financial Officer).
2. That "executive" then requires from the employee an urgent and confidential transfer of funds.
3. The fraudster claims that this is a sensitive situation.
4. The fraudster pressures the employee not to follow the regular authorization procedures and to bypass the security checks.
5. The fraudster gives the employee instructions on how to proceed.
6. The final step is for the employee to transfer the funds to an account controlled by the fraudster.
7. The money is re-transferred to accounts in multiple jurisdictions.
20. Technical measures (browser technologies, security software, etc.) available to detect phishing attempts (a)
• Anti-phishing software consists of computer programs that attempt to identify phishing content contained in websites and e-mail, or to block users from being tricked.
• Web browsers come with built-in anti-phishing and anti-malware protection services.
• Password managers can also be used to help defend against phishing and protect sensitive data.
• Filtering: anti-spam filters may be configured to identify specific known phishing messages and prevent them from reaching a user.
21. Technical measures (browser technologies, security software, etc.) available to detect phishing attempts (b)
• Authentication: determine whether the IP address of a transmitting mail transfer agent is authorized to send a message from the sender’s domain.
• Signing: cryptographic signing of email.
• Outgoing data monitoring: a browser plug-in such as a toolbar can store hashes of confidential information and monitor outgoing information to detect confidential information being transmitted.
• Data destination blacklisting: block data transmissions to specific IP addresses known to be associated with phishers.
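The authentication measure above (checking whether the transmitting mail transfer agent's IP is authorized for the sender's domain) is what SPF does. The Python below is an added example, not code from the presentation or from any SPF library: the SPF records and addresses are constructed stand-ins for the DNS TXT lookups a real checker performs, and only the ip4/ip6/all mechanisms are evaluated.

```python
"""SPF-style check of whether a transmitting MTA's IP address is authorized
to send mail for the sender's domain. Added example; the records below are
constructed stand-ins for DNS TXT lookups."""
import ipaddress

# Constructed SPF records keyed by sender domain (in reality: DNS TXT records).
SPF_RECORDS = {
    "example-bank.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "supplier-corp.test": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifiers: the result returned when the qualified mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, mta_ip, records=SPF_RECORDS):
    """Evaluate the sender domain's SPF record against the connecting MTA IP.

    Returns one of: pass, fail, softfail, neutral, none, temperror, permerror.
    include:, a, mx, exists: and redirect= need DNS and are reported as
    temperror here (not modelled in this offline example).
    """
    record = records.get(sender_domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(mta_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, value = term.partition(":")  # split at the first colon only
        if mech.lower() not in ("ip4", "ip6"):
            return "temperror"  # needs a DNS lookup, not modelled here
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all" term


def mta_action(sender_domain, mta_ip, records=SPF_RECORDS):
    """Map the SPF result to a mail-gateway decision."""
    result = check_spf(sender_domain, mta_ip, records)
    if result == "fail":
        return "reject"
    if result in ("softfail", "temperror", "permerror"):
        return "quarantine"
    return "accept"


if __name__ == "__main__":
    for domain, ip in [("example-bank.test", "192.0.2.77"),
                       ("example-bank.test", "203.0.113.5"),
                       ("supplier-corp.test", "198.51.100.11")]:
        print(domain, ip, check_spf(domain, ip), mta_action(domain, ip))
```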
22. LUCY: A Phishing Simulation Program (a)
• A customizable awareness program used by information security professionals in higher education and private industry.
• An effective training program.
• Allows organizations to simulate phishing e-mails.
• Helps identify which end users are more susceptible to such targeted e-mail attacks.
• Enables more focused training opportunities to help users recognize phishing attempts.
23. LUCY: A Phishing Simulation Program (b)
• Installed the LUCY server through VirtualBox.
• The server provides you with an IP address, a username and a password.
24. LUCY: A Phishing Simulation Program (c)
• The user needs to enter the LUCY login environment with the previous credentials.
25. LUCY: A Phishing Simulation Program (d)
Created a new phishing campaign. Two templates:
1. The first one was a phishing e-mail coming from MasterCard.
2. The second one informed the user that he had an encrypted message and had to use his Microsoft account credentials.
26. LUCY: A Phishing Simulation Program (e)
Add the recipients of the e-mails. I used all my functional e-mail accounts.
27. LUCY: A Phishing Simulation Program (f)
Launch my phishing attack.
28. LUCY: A Phishing Simulation Program (g)
Checked my e-mails. In only one of my four mail accounts did I receive the e-mail messages.
29. LUCY: A Phishing Simulation Program (h)
30. LUCY: A Phishing Simulation Program (j)
The second mail was about a MasterCard service and asked the user to change his password because there had been a previous suspicious attempt.
31. LUCY: A Phishing Simulation Program (k)
32. LUCY: A Phishing Simulation Program (j)
In conclusion, the simulated phishing attack was partially successful because only two of the eight mails were delivered to the final recipients. The license does not allow viewing the data collected from this phishing attack.
33. General guidelines for employees in order to avoid phishing, fraud scams and social engineering
1. Be AWARE of the risks and spread the information.
2. Be careful when using social media.
3. Avoid sharing sensitive information.
4. Never open suspicious links or attachments received by e-mail.
5. If you receive a call/e-mail alerting you of a security breach, do not provide information right away or proceed with a transfer.
6. Consult a colleague even if you were asked to use discretion.
7. Assign responsibility.
8. If a supplier informs you of a change in payment details, always contact them to confirm the new information.
9. Strictly apply the security procedures in place for payments and procurement.
10. Always contact the police in case of fraud attempts.
34. Conclusion
1. Phishing is a highly profitable activity for cybercriminals.
2. Phishing and its specific forms, such as spear phishing, reveal that internet users may be vulnerable if they are not properly trained and do not know the immense dangers.
3. No single technology will completely stop phishing.
4. Good organization and practices, awareness training, proper application of current technologies, and improvements in security technology have the potential to drastically reduce the prevalence of phishing.
35. Thank you for your attention!
Hellenic Police Lieutenants’ School
Address: Thrakomakedonon Av. 101, PO 13679 – Acharnes, Attiki - Greece
Tel: +30 210-2424296, Fax: +30 210-2460964
E-mail: saea.policeacademy@hellenicpolice.gr, Website: www.hellenicpolice.gr

Editor's Notes

1. Good morning. My name is Nikolaos Georgitsopoulos. The topic of my presentation today will be phishing.
2. First we are going to see: this working paper presents phishing and its various forms. The work is divided into two parts, a theoretical one and a practical one. The theoretical part presents all theoretical elements, such as what phishing is, a brief history of it, how phishing works and some examples. After that, a more specific form of phishing (spear phishing) is explained and analysed. The reader can then find information on technical measures for addressing this phenomenon. The practical part introduces the creation of a simulated phishing campaign through dedicated software. The recipients of this simulated attack were identified and the campaign was then designed. Through the LUCY platform we were able to create such a campaign so that users can assess the risks and threats that may concern them in each branch of activity.
3. In the bibliography there is no agreed definition of cybercrime; the terms "cybercrime", "computer crime", "computer-related crime" and "high-tech crime" are often used interchangeably. In general, “cybercrime” is understood as "criminal acts committed using electronic communications networks and information systems or against such networks and systems" (Council of Europe, 2001). Cybercrime consists of criminal acts that are committed online by using electronic communications networks and information systems. It is a borderless problem that can be classified in three broad definitions (European Commission, 2017):
• Crimes specific to the Internet, such as attacks against information systems or phishing (e.g. fake bank websites to solicit passwords enabling access to victims' bank accounts).
• Online fraud and forgery. Large-scale fraud can be committed online through instruments such as identity theft, phishing, spam and malicious code.
• Illegal online content, including child sexual abuse material, incitement to racial hatred, incitement to terrorist acts and glorification of violence, terrorism, racism and xenophobia.
4. Illegal computer hacking and cracking (the unauthorised access of computers, sometimes exploiting flaws in the system itself); developing and/or spreading malicious code (such as viruses and Trojans which do damage to computer operating systems or are used in other ways to commit cybercrimes or conventional crimes); spamming (sending out multiple emails, usually through a set of infected computers called a 'botnet'); DDoS attacks ('Distributed Denial of Service', a way of flooding a server with multiple requests that might then bring the website down); network intrusion (breaking into computer networks, often using hacking techniques and usually to steal information, sow viruses or attempt blackmail); software piracy (stealing commercial software);
5. Network-based or network-enabled crimes (such as phishing – an attempt to 'con' people through unsolicited emails – and identity theft); Intellectual Property Rights (IPR) crimes (for example illegal file-sharing of copyright-protected music and video, stealing confidential commercial information); distribution of child sexual abuse imagery; grooming of children for sexual purposes, e.g. through social network sites; phreaking (unauthorised use of telephone systems either to make free calls or, increasingly, as a form of anonymity for organised crime); conditional access piracy (for example the illegal decryption of satellite TV signals).
  6. In this chapter we are going to focus on definitions about phishing. According to a definition…
7. Although the practice originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later. There is also a good reason for the use of “ph” in place of the “f” in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimentation and study of telecommunication systems. Phreaks and hackers have always been closely linked. The “ph” spelling was used to link phishing scams with these underground communities. Back in 1996, when America Online (AOL) was the number-one provider of Internet access, millions of people logged on to the service each day. Its popularity made it a natural choice for those who had less than pure motives. From the beginning, hackers and those who traded pirated software used the service to communicate with one another. This community was referred to as the warez community. It was this community that eventually made the first moves to conduct phishing attacks,
8. Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Clone phishing is a type of phishing attack whereby a legitimate, and previously delivered, email containing an attachment or link has had its content and recipient address(es) taken and used to create an almost identical or cloned email. Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Phishers have even started using images instead of text to make it harder for anti-phishing filters to detect text commonly used in phishing emails. Website forgery: the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Covert redirect is a subtle method to perform phishing attacks that makes links appear legitimate but actually redirects a victim to an attacker's website.
  9. According to Emigh, (2005) the simplified flow of information in a phishing attack is: A deceptive message is sent from the phisher to the user. A user provides confidential information to a phishing server (normally after some interaction with the server). The phisher obtains the confidential information from the server. The confidential information is used to impersonate the user. The phisher obtains illicit monetary gain.
10. Cybercriminals do their research and target business companies and their employees, trying to gain financial profit or intelligence by compromising business secrets or other information. CEO fraud is another name for this scam and it usually involves tricking someone into making a large wire transfer into what turns out to be a bogus account. On a few occasions, however, checks are used instead of wire transfers. Two main modi operandi dominated European law enforcement cases (Europol, 2017): 1. CEO (Chief Executive Officer) fraud and 2. Mandate fraud.
11. Step 1: A fraudster calls posing as a high-ranking figure of the company (e.g. CEO or CFO). He appears to be the CEO or the CFO (Chief Financial Officer). This is a typical example of vishing. Step 2: That "executive" then requires from the employee an urgent transfer of funds. Additionally, this transfer must be absolutely confidential. Step 3: The fraudster claims that this is a sensitive situation (e.g. tax control, merger, acquisition, etc.). Step 4: The fraudster pressures the employee not to follow the regular authorization procedures and to bypass the security checks. Step 5: The fraudster gives the employee instructions on how to proceed. Instructions might also be given later by a third person or via e-mail. Step 6: The final step is for the employee to transfer the funds to an account controlled by the fraudster. The money is re-transferred to accounts in multiple jurisdictions.
12. Vishing: phishing through VoIP and telephone.
13. Be AWARE of the risks and spread the information within your company.
• Be careful when using social media: by sharing information on your workplace and responsibilities you increase the risk of becoming a target.
• Avoid sharing sensitive information on the company’s hierarchy, security or procedures.
• Never open suspicious links or attachments received by e-mail. Be particularly careful when checking your personal mailboxes on the company’s computers.
• Always carefully check e-mail addresses when dealing with sensitive information/money transfers. Fraudsters often use copycat e-mails where only one character differs from the original.
• If you receive a suspicious e-mail or call, always inform your IT department; they are the ones in charge of such issues. They can check the content of suspicious mail and block the sender if necessary.
• If you receive a call/e-mail alerting you of a security breach, do not provide information right away or proceed with a transfer. Always start by calling the person back using a phone number found in your own records or on the official website of the company; do not use the number provided to you in the mail or by the caller. If you were contacted by phone, call back using another phone (fraudsters use technology to remain online after you hang up).
• In case of doubt on a transfer order, always consult a colleague even if you were asked to use discretion.
• Consider assigning responsibility to an employee whom others can consult in case of doubt.
• If a supplier informs you of a change in payment details, always contact them to confirm the new information. Keep in mind that the e-mail/phone number provided on the invoice might have been modified.
• Strictly apply the security procedures in place for payments and procurement. Do not skip any steps and do not give in to pressure.
• Always contact the police in case of fraud attempts, even if you did not fall victim to the scam.
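The advice above to check for copycat e-mail addresses that differ by only one character from the original can also be enforced by a mail filter. The Python below is an added example, not part of the presentation: it flags a From: domain that is one edit (typo, extra or missing letter, swapped letters) away from a trusted partner domain, or that matches it after folding look-alike characters such as "rn" for "m"; the trusted domains, confusable table and sample headers are constructed.

```python
"""Mail-filter check for "copycat" sender domains that imitate a trusted
partner's domain. Added example; trusted domains, confusable table and
sample From: headers are constructed."""
import re

# Constructed: domains the organisation legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example-bank.test", "supplier-corp.test"}

# Character sequences commonly substituted to imitate a domain (constructed table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold look-alike characters so imitations compare equal to the original."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain of the address in a From: header (angle-bracket form first)."""
    m = re.search(r"<([^>]*)>", from_header)
    addr = (m.group(1) if m else from_header).strip()
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower()


def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, imitated_domain) with verdict trusted, lookalike or unknown."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain)
    for t in trusted:
        if normalize(domain) == normalize(t) or edit_distance(domain, t) == 1:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in ["Payments <payments@example-bank.test>",
                "Payments <payments@exarnple-bank.test>",
                "CFO <cfo@supplier-crop.test>",
                "News <news@unrelated.test>"]:
        print(hdr, "->", check_sender(hdr))
```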