Phishing - City of Phoenix Home… · What is Phishing? • Phishing: “spoofed” e-mails and...
Phishing
So how do bad guys get your identity?
They ask for it!
City of Phoenix
Information Security and Privacy Office
What is Phishing?
• Phishing: “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal information such as credit card numbers, account usernames and passwords, social security numbers…
• E-mails look very authentic with company logos and link to authentic-looking web sites
• Spear Phishing: phishing e-mails targeted to a small group (like executive managers)
Don’t Get Hooked
• Never assume an e-mail/text is legitimate
• Be suspicious of sensational, upsetting, or exciting (but false) statements
– Goal is to get you to click / react immediately without thinking
• Never click on links embedded within Internet e-mail/text messages
– Enter web addresses manually and/or telephone the company
• Never assume a link goes where it says it’s going
– Mouse over links and check the status bar
– Multiple links in an e-mail may go to different sites
• Never respond to external requests for personal information
PayPal Tsunami
• E-Mail “features”
– Takes advantage of our need to help and shows others have already contributed
– Much of the content is copied from legitimate sites
• Status Bar
– Domain is signupaccount.com
– That’s not PayPal!
AmEx Year-End Summary
• E-Mail “features”
– Has correct name and last digits of credit card
– Doesn’t sensationalize information
• Summary won’t be deleted tomorrow
• Status Bar
– Domain is americanexpress.com
• I expect this type of communication
Don’t Be Mistaken for a Phish
• When writing to the public…
– Provide good contact info (phone/name)
– Do not threaten (“we’ll cut off your account in 2 days”)
– Write professionally (good grammar, spelling)
– Never ask for personal or financial information in e-mail
– When possible, do not include links
Should You Trust a Website?
• Check the protocol
– Look for https:// in the address bar
– “http” = normal; “https” = secure
• Check a site’s digital certificate
– “Lock” icon in bottom right corner or by address bar
• Check the address line – work your way backward (from the .com back to www)
– http://www.gotyouscammed.com/paypal/login.htm
– http://www.paypal.com/login.htm
– http://[email protected]
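The “mouse over links and check the status bar” and “work your way backward from the .com” advice can be turned into a small checker. The script below is an added example, not part of the City of Phoenix deck: it pulls every link out of an e-mail body, works out the host the browser would really connect to (anything before an `@` is user-info, not the destination; the transcript’s third slide URL is garbled, so the sample uses a constructed `user@host` link as an assumption), and flags links whose visible text names a different site. The e-mail body, the site names and the `registrable_domain` approximation (last two labels, no public-suffix list) are all constructed for the example.

```python
"""Inspect e-mail links the way the slides recommend: find the real host of
every URL and flag display text that points somewhere else.
Added example; the e-mail below is constructed, not a real message."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample e-mail body (hypothetical sites, not real phishing mail).
SAMPLE_EMAIL = """
<p>Dear customer, please <a href="http://www.gotyouscammed.com/paypal/login.htm">
log in to PayPal</a> to confirm your account.</p>
<p>Or use <a href="http://www.paypal.com@gotyouscammed.com/login.htm">www.paypal.com</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def real_host(url):
    """Host the browser will actually connect to, lowercased.
    urlsplit() strips user-info, so 'http://www.paypal.com@evil.com/' yields
    'evil.com' (the slide's 'work backward from the .com' rule)."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Simplification: last two labels (no public-suffix list)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def host_in_text(text):
    """If the visible link text looks like a URL or host name, return its host."""
    text = text.strip()
    if "://" in text:
        return real_host(text)
    candidate = text.split("/")[0].lower()
    if "." in candidate and " " not in candidate:
        return candidate
    return None


def inspect_links(html):
    """Return one finding per link: real host plus a list of warning flags."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = real_host(href)
        flags = []
        if "@" in parts.netloc:
            flags.append("user-info before '@' hides the real host")
        if parts.scheme.lower() != "https":
            flags.append("not https")
        shown = host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"text says {shown} but link goes to {host}")
        findings.append({"href": href, "text": text, "host": host, "flags": flags})
    return findings


if __name__ == "__main__":
    for f in inspect_links(SAMPLE_EMAIL):
        print(f["host"], "<-", f["text"] or "(no text)", "|", "; ".join(f["flags"]) or "ok")
```

Run as-is to see the three links scored; only the last (an `https` link whose text and destination agree) comes back clean, and the `@` link is reported as really going to `gotyouscammed.com`.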
What’s a Digital Certificate?
• Digital certificate: Electronic document to verify that users and Websites are who/what they claim to be
– Often used in e-mail to verify sender
– Used on Websites to indicate they’re authentic
My credentials → are verified by a certificate authority → that issues a digital certificate
• Look for
– Issued to site matches site name
– Issued by is reputable
– Certificate is valid (not expired)
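The three “look for” checks above are exactly what a browser performs before showing the lock. The code below is an added example, not part of the deck, that applies them to a certificate in the dictionary layout Python’s `ssl.SSLSocket.getpeercert()` returns: issued-to must match the site name (subjectAltName first, wildcard allowed for one label), the issuer must be in a trusted list, and the validity window must contain “now”. The certificate, the `.test` host names and the `TRUSTED_ISSUERS` set are constructed stand-ins for a real certificate and the browser’s root store.

```python
"""Apply the slide's three certificate checks (issued to, issued by, not
expired) to a getpeercert()-style dictionary.
Added example; the certificate and trusted-issuer list are constructed."""
from datetime import datetime, timezone
import ssl

# Constructed certificate in getpeercert() layout (all values made up).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
}
# Stand-in for the browser's trusted root store (hypothetical CA name).
TRUSTED_ISSUERS = {"Example Trusted CA"}


def _names(cert):
    """DNS names the certificate was issued to (SAN first, CN as fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern, hostname):
    """Exact match, or a single '*' covering the left-most label only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if p[0] == "*":
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h


def _issuer_org(cert):
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def _cert_time(value):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)


def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return a list of problems; an empty list means all three checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    names = _names(cert)
    if not any(_name_matches(n, hostname) for n in names):
        problems.append(f"issued to {names}, not {hostname}")
    issuer = _issuer_org(cert)
    if issuer not in trusted_issuers:
        problems.append(f"issuer {issuer!r} is not in the trusted list")
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now > not_after:
        problems.append(f"certificate expired on {not_after.date()}")
    elif now < not_before:
        problems.append(f"certificate not valid until {not_before.date()}")
    return problems


if __name__ == "__main__":
    when = datetime(2025, 6, 1, tzinfo=timezone.utc)
    for site in ("www.example-bank.test", "www.gotyouscammed.test"):
        print(site, "->", check_certificate(SAMPLE_CERT, site, TRUSTED_ISSUERS, when) or "OK")
```

In real code you would not re-implement this: `ssl.create_default_context()` performs the same name, chain and validity checks on every connection and refuses to proceed on failure. The point of spelling it out is that a certificate which passes all three checks proves only that you are talking to the site named on it, which is why the “True or False” question that follows is answered the way it is.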
True or False
• A Website using https and having a good digital certificate will 100% protect my information
https only encrypts your info during transmission to/from the site. We don’t know how the organization protects your info once they have it.
Name 3 Protection Strategies
• Phishing and fraudulent Websites
– Be skeptical and check URLs
– Look for encrypted transmission (https)
– Check digital certificates