
Phishing

So how do bad guys get your identity? They ask for it!

City of Phoenix

Information Security and Privacy Office

What is Phishing?

• Phishing: “spoofed” e-mails and fraudulent websites designed to fool recipients into divulging personal information such as credit card numbers, account usernames and passwords, social security numbers…

• E-mails look very authentic with company logos and link to authentic-looking web sites

• Spear Phishing: phishing e-mails targeted to a small group (like executive managers)

Don’t Get Hooked

• Never assume an e-mail/text is legitimate

• Be suspicious of sensational, upsetting, or exciting (but false) statements

– Goal is to get you to click / react immediately without thinking

• Never click on links embedded within Internet e-mail/text messages

– Enter web addresses manually and/or telephone the company

• Never assume a link goes where it says it’s going

– Mouse over links and check the status bar

– Multiple links in an e-mail may go to different sites

• Never respond to external requests for personal information

PayPal Tsunami

• E-Mail “features”

– Takes advantage of our need to help and shows others have already contributed

– Much of the content is copied from legitimate sites

• Status Bar

– Domain is signupaccount.com

– That’s not PayPal!


AmEx Year-End Summary

• E-Mail “features”

– Has correct name and last digits of credit card

– Doesn’t sensationalize information

• Summary won’t be deleted tomorrow

• Status Bar

– Domain is americanexpress.com

• I expect this type of communication

Don’t Be Mistaken for a Phish

• When writing to the public…

– Provide good contact info (phone/name)

– Do not threaten (we’ll cut off your account in 2 days)

– Write professionally (good grammar, spelling)

– Never ask for personal or financial information in e-mail

– When possible, do not include links

Should You Trust a Website?

• Check the protocol

– Look for https:// in the address bar

– “http” = normal; “https” = secure

• Check a site’s digital certificate

– “Lock” icon in bottom right corner or by address bar

• Check the address line – work your way backward (from the .com back to www)

– http://www.gotyouscammed.com/paypal/login.htm

– http://www.paypal.com/login.htm

– http://[email protected]
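As an added example (not part of the City of Phoenix slides), the following Python code applies the "read the address from the right" rule mechanically: it extracts the host a browser would actually contact and compares its registrable domain with the one you expect. The sample URLs are constructed for the demonstration, and the two-label domain rule assumes a simple top-level domain such as .com.

```python
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Return the host a browser would actually connect to for this URL.

    urlsplit() applies the rules the slides describe by hand: text before
    an '@' in the authority is userinfo, not the site, and nothing after the
    first '/' changes which site you are talking to.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")
    host = parts.hostname  # lower-cased; userinfo and port already removed
    if not host:
        raise ValueError("URL has no host")
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Read the host from the right: the last two labels name the site.

    Assumption: a single-label public suffix such as .com or .org. Suffixes
    like co.uk would need a public-suffix list, which is out of scope here.
    """
    labels = host.split(".")
    return ".".join(labels[-2:])


def is_expected_site(url: str, expected_domain: str) -> bool:
    """True only when the URL really lands on expected_domain."""
    return registrable_domain(effective_host(url)) == expected_domain.lower()


# Constructed sample URLs, modelled on the slide's examples.
SAMPLE_URLS = [
    "http://www.paypal.com/login.htm",                    # genuine
    "http://www.gotyouscammed.com/paypal/login.htm",      # brand only in the path
    "http://www.paypal.com.gotyouscammed.com/login.htm",  # brand only in a subdomain
    "http://www.paypal.com@gotyouscammed.com/login.htm",  # brand only in userinfo
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        verdict = "OK  " if is_expected_site(url, "paypal.com") else "FAKE"
        print(f"{verdict} host={effective_host(url):<36} {url}")
```

Only the first sample URL passes; the other three all resolve to gotyouscammed.com no matter where the brand name appears.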


What’s a Digital Certificate?

• Digital certificate: Electronic document to verify that users and Websites are who/what they claim to be

– Often used in e-mail to verify sender

– Used on Websites to indicate they’re authentic

My credentials are verified by a certificate authority that issues a digital certificate.

• Look for

– Issued to site matches site name

– Issued by is reputable

– Certificate is valid (not expired)

True or False

• A Website using https and having a good digital certificate will 100% protect my information

https only encrypts your info during transmission to/from the site. We don’t know how the organization protects your info once they have it.

Name 3 Protection Strategies

• Phishing and fraudulent Websites

– Be skeptical and check URLs

– Look for encrypted transmission (https)

– Check digital certificates

Thanks!

Questions? Contact

[email protected]