Phishing is a type of scam in which fraudulent e-mails are sent to steal personal information such as credit card numbers or passwords. The name traces back to 1970s "phreaking" (making free phone calls), and the practice has evolved over time: by 2007, phishing targeted major banks and payment sites like PayPal to drain money from bank accounts. Current phishing techniques use social engineering, appearing to come from trusted contacts or referencing the victim's recent online activity, to trick victims. The document gives tips for identifying phishing scams, such as watching for requests to verify accounts or update personal information through e-mail links, and for messages that press for an urgent response.
2. Recognize Phishing Scams and Fraudulent E-mails
• Phishing is a type of deception designed to steal your valuable personal data, such as credit card numbers, passwords, account data, or other information.
• Con artists might send millions of fraudulent e-mail messages that appear to come from Web sites you trust, like your bank or credit card company, and request that you provide personal information.
3. History of Phishing
• Phreaking + Fishing = Phishing
– Phreaking = making phone calls for free back in the 70’s
– Fishing = using bait to lure the target
• Phishing in 1995
– Target: Internet users
– Purpose: getting account passwords
– Threat level: low
• Phishing in 2001
– Target: eBayers and major banks
– Purpose: getting credit card numbers, accounts
– Threat level: medium
• Phishing in 2007
– Target: PayPal, banks, eBay
– Purpose: bank accounts
– Threat level: high
4. Phishing: A Growing Problem
• Over 28,000 unique phishing attacks reported in Dec. 2006, about double the number from 2005
• Estimates suggest phishing affected 2 million US citizens and cost businesses billions of dollars in 2005
• Additional losses due to consumer fears
5. What Does a Phishing Scam Look Like?
• As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows.
• They often include official-looking logos from real organizations and other identifying information taken directly from legitimate Web sites.
6. Current Phishing Techniques
• Employ visual elements from the target site
• DNS tricks:
– www.ebay.com.kr
– www.ebay.com@192.168.0.5
– www.gooogle.com
– Unicode attacks
• JavaScript attacks
– Spoofed SSL lock
• Certificates
– Phishers can acquire certificates for domains they own
– Certificate authorities make mistakes
7. Spear-Phishing: Improved Target Selection
• Socially aware attacks
– Mine social relationships from public data
– Phishing e-mail appears to arrive from someone known to the victim
– Use the spoofed identity of a trusted organization to gain trust
– Urge victims to update or validate their account
– Threaten to terminate the account if the victim does not reply
– Use a gift or bonus as bait
– Security promises
• Context-aware attacks
– “Your bid on eBay has won!”
– “The books on your Amazon wish list are on sale!”
8. How To Tell If An E-mail Message is Fraudulent
Here are a few phrases to look for if you think an e-mail message is a phishing scam.
• "Verify your account." Businesses should not ask you to send passwords, login names, Social Security numbers, or other personal information through e-mail. If you receive an e-mail from anyone asking you to update your credit card information, do not respond: this is a phishing scam.
• "If you don't respond within 48 hours, your account will be closed." These messages convey a sense of urgency so that you'll respond immediately without thinking.
9. How To Tell If An E-mail Message is Fraudulent (cont’d)
• "Dear Valued Customer." Phishing e-mail messages are usually sent out in bulk and often do not contain your first or last name.
• "Click the link below to gain access to your account." HTML-formatted messages can contain links or forms that you can fill out just as you'd fill out a form on a Web site. The links that you are urged to click may contain all or part of a real company's name and are usually "masked," meaning that the link you see does not take you to that address but somewhere different, usually a phony Web site.
• Resting the mouse pointer on the link reveals the real Web address. A string of cryptic numbers that looks nothing like the company's Web address is a suspicious sign.
10. How To Tell If An E-mail Message is Fraudulent (cont’d)
Con artists also use Uniform Resource Locators (URLs) that resemble the name of a well-known company but are slightly altered by adding, omitting, or transposing letters. For example, the URL "www.microsoft.com" could appear instead as:
www.micosoft.com
www.mircosoft.com
www.verify-microsoft.com
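The DNS tricks on slide 6 and the altered URLs above can be checked mechanically before anyone clicks. The following Python script is an added example, not part of the original presentation: it takes a link target, extracts the real host, and reports the warning signs the slides describe (a user-info part before "@", a bare IP address, punycode or non-ASCII labels, a brand name buried in a subdomain, and a registrable name one edit or one adjacent swap away from a brand). The brand list and the "last two labels are the registrable domain" rule are simplifying assumptions, not a substitute for a public-suffix list.

```python
from urllib.parse import urlsplit
import ipaddress

BRANDS = ["microsoft", "ebay", "paypal", "google", "amazon"]  # constructed watch list (assumption)


def osa_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap (mircosoft) as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def suspicious_reasons(url, brands=BRANDS):
    """Return a list of human-readable warnings for a link target; empty list means nothing flagged."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.com" as it appears in an e-mail body
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None:  # "www.ebay.com@192.168.0.5": browser connects to the part after "@"
        reasons.append(f"userinfo '{parts.username}' before '@' hides the real host {host}")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a company name")
    except ValueError:
        pass
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        reasons.append("host uses non-ASCII or punycode labels (possible Unicode look-alike)")
    if len(labels) >= 2:
        sld, registrable = labels[-2], ".".join(labels[-2:])  # assumption: no public-suffix list
        for brand in brands:
            if registrable == brand + ".com":
                continue  # assumption: the brand's genuine domain
            if any(brand in label for label in labels):  # www.ebay.com.kr, verify-microsoft.com
                reasons.append(f"'{brand}' appears in the host but the registrable domain is {registrable}")
            elif osa_distance(sld, brand) == 1:  # micosoft, mircosoft, gooogle
                reasons.append(f"'{sld}' is one edit away from '{brand}'")
    return reasons
```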
11. What You Can Do
• Never respond to an e-mail asking for personal information
• Always check the site to see if it is secure. Call the phone number if necessary
• Never click on the link in the e-mail. Retype the address in a new window
• Keep your browser updated
• Keep antivirus definitions updated
• Use a firewall
P.S.: Always shred your home documents before discarding them.