Security awareness class I teach with tips to protect yourself from some common email dangers & scams.

1. {
Email Security
Awareness
Tips to protect yourself from some common email
dangers & scams

2.  The driving force is MONEY!
 Drive you to a site to sell you something
 Scams, advanced fee, lottery
 Collect personal information
 Fake AV, Scareware! Ransomware!
 Stealing login credentials
 Key loggers
 Attackers are finding ways to compromise
computer, passwords, data, accounts
 Easier to hack people then find way into company
network through perimeter defenses
Protect Yourself

3.  Password may be only line of defense for email account
 Don’t reuse passwords for all online accounts
 Compromised password could give access to multiple
accounts or sites
 Avoid common words, names, birthdays
 Use passphrase, mix upper and lower case
letters, numbers, and special characters
 Minimum 14 characters
 Never keep passwords on sticky note on monitor
 Login page using HTTPS required when using unsecure
network (public Hot Spot)
 https://www.microsoft.com/security/pc-security/password-
checker.aspx
Strong Passwords

4.  Sense of urgency! Act now, respond now, need help
 Don’t think, just click! NOW, NOW, NOW!
 Alarmist messages and threats of account closures
 Any email requesting personal information, bank
account, credit card number, access codes, etc… (Phishing)
 Spelling errors, grammatical errors
 Promises of money for little or no effort
 Work from home (money mule scams)
 Generic greeting, Dear Customer
 Request for help, related to urgency scams, emotional pull
 Sender in foreign county needs help and money
Tips to Avoid Scams

5.  Send money up front to receive prize
 Deals that sound too good to be true
 Free may have a price tag!
 Electronics, iPads, gift cards, lottery scams, inheritance
scams etc…
 Downloads and attachments
 Fake software updates
 Holiday scams, ecards (zip file attachment or links)
 May lead to unwanted software being loaded on
computer, Trojan horse program with key logger, fake
AV, bot, rootkit, etc…
 Senders email address
 Email may claim to be from BOA, but sender address is
not related to company, EX johndoe@badguysite.com
Tips to Avoid Scams

6.  Requests to donate to a charitable organization after a
disaster that has been in the news
 Shortened links, or confusing links
 Redirect to bad guys site
 Go directly to company web site if in doubt
 Chain letters
 May be collecting addresses for spammers
 Unsubscribe links, may confirm live email account
 Junk Mail in GroupWise
 Report as spam or set up filter to block future emails
(Gmail, Hotmail, Yahoo, etc…)
 Similar scams may arrive as instant
messages, Skype, Facebook posts, Twitter DMs
 Social networking is a huge target for scams
Tips to Avoid Scams

7.  No! I don’t need cheap meds!
 Not malicious
 Similar to postal junk mail
 Usually selling merchandise or advertisements
 Link to ecommerce website
 Drive customer to website selling products or offering
services
Spam

8.  The number “419” refers to the article of the Nigerian
Criminal Code dealing with fraud
 Started before email as Spanish prisoner scam
 Many variations,
 Iraqi gold, blood diamonds, inheritance or investment
scams, etc…
 Advanced fee scams
 Usually involve millions of dollars
 Assistance is needed, transfer money to you and you
earn percentage, catch is paying fees or taxes up front
 Made to believe paying fees or taxes will lead to
“bigger” prize!
Nigerian 419 Email Scams

9.  There is no big prize or reward!
 Do not respond
 Delete message
 Junkmail, report as spam
Don’t Respond

10.  URGENCY! Dire need of help!
 Receive email from friend or relative that is in foreign
county and has been robbed
 Needs money to settle bills
Robbed in London

11.  Call person, try to speak to person to verify their
location
 Never in country that email claims!
 Senders email account has been hacked or accessed by
unauthorized person
 Bad guy sending email to all contacts in address book
 Person is unaware account was hacked and “fake”
emails are being sent
 Person should change password to account
immediately
 Check for forwarding rules
 Contact ISP or email provider for assistance
Never Respond

12.  To obtain information for the purpose of fraud or
identity theft
 Account may be locked or suspended
 Have short time frame to verify
 Problem with payment or credit card
 Verify login credentials
 Email account storage limits
 URGRNCY pull is involved
Phishing

13.  Can use company logos
 Copy from web site
 Look and feel authentic
 Links do not go to actual company website
 Shortened links, bit.ly
 Redirect to bad guy site
 May sign name of actual employee with company
 Senders email address is not related to company
Phishing

14.  Phishing Video
 http://onguardonline.gov/media/video-0007-phishy-
office
Phishing

15.  More specific
 Targeted audience
 Directed at specific company, people at certain levels in
company or in certain departments
Spear Phishing

16.  The name is derived from SMS Phishing, SMS (Short
Message Service) is the technology used for text
messages on cell phones
 URGENCY!
 (Voice phISHING) it is the voice counterpart to
phishing. The caller can ask for personal information
or direct user to malicious website.
 Support call to download “fake” software update.
 Caller ID numbers and names can be spoofed.
Smishing

17. Smishing Example

18.  Never reply to an email to verify personal
information, bank account numbers, credit card
numbers, passwords, etc…
 Call bank or credit card company directly
 Verify if they sent email
 Some companies have ways to report suspected fraud
emails
Don’t Respond

19.  Microsoft and Adobe never send updates through
email
 Attachments will not update programs, but load
unwanted software
 Links will not take to you to company web site or
download attachment
 Go directly to company website
 Microsoft Updates through IE
 Check for updates in Adobe Reader
 Run PSI or Qualys Browser Check to verify updates are
available
Software Updates

20.  Work from home scams
 Make money part time, spare time
 Have computer you can make thousands of dollars
 Open bank account, bad guy deposits money, you
transfer, or with draw money and wire it to
someone, and keep percentage
 No legitimate company works like this!
Money Mule Scams

21.  Zeus Trojan bust reveals sophisticated 'money
mules' operation in U.S. (September 2010)
 https://www.computerworld.com/s/article/9189038/Ze
us_Trojan_bust_reveals_sophisticated_money_mules_
operation_in_U.S
In the News

22.  Phishing Game
 http://onguardonline.gov/media/game-0011-phishing-
scams
 Scam and Spam Game
 http://onguardonline.gov/media/game-0012-spam-
scam-slam
For Fun

23.  http://ilookbothways.com/spot-the-spam/
 http://www.microsoft.com/security/online-
privacy/phishing-symptoms.aspx
 http://onguardonline.gov/topics/avoid-scams
Additional Resources