How to Spot and Combat a Phishing Attack Webinar


How to Spot and Combat a Phishing Attack Webinar
October 20th, 2015
Kevin Patel, Sr Director of Information Security, Compliance & IT Risk Mgmt
kpatel@controlscan.com

Agenda
1) National Cyber Security Awareness Month (NCSAM) overview
2) Phishing overview
3) By the numbers - phishing stats
4) Which phishing tactics are on the rise and old tactics that are still working today
5) Anatomy of a phishing email
6) Sample phishing emails - can you spot the phish?
7) What to do if an email appears to be a phishing attempt
8) So why should I care about phishing?
9) Online phishing resources
10) Q&A
ControlScan 2015 2

National Cyber Security Awareness Month (NCSAM)
NCSAM is celebrated every October; 2015 marks NCSAM's 12th year.
A collaborative initiative between the government and industry to promote online safety awareness.
The primary goal of NCSAM is to educate people about cybersecurity risks and provide resources to stay safe and secure online.
ControlScan supports NCSAM and is a champion this year, joining a growing global effort of 400+ colleges and universities, businesses, government agencies, associations and non-profit organizations.

They Didn't Avoid the Bait
What do the majority of all the major data breaches over the past few years have in common? PHISHING was the initial point of entry.
The following companies fell for sophisticated phishing attacks:
Target - 110 million records compromised
Anthem - 78.8 million records
JPMC - 83 million records breached
Sony - 102 million records
South Carolina DOR - 8 million records

So What is Phishing?
Phishing is a fraudulent attempt (a type of spam), usually made through email, to steal your personal/sensitive information.
Phishing is a psychological attack used by cybercriminals to trick you into giving up information or taking an action such as clicking on a link, opening an attachment, or responding to a scam.
Phishing is a common form of social engineering and has become the preferred method for cybercriminals. The bad guys spoof legitimate companies and brands that the email recipient may be familiar with.
Image Source: SANS

So What is Phishing? (cont.)
Spear Phishing
A sophisticated, highly targeted phishing scam aimed at specific individuals or groups within an organization (e.g. C-Suite, Accounting, HR or IT) with the sole purpose of obtaining unauthorized access to sensitive data.
The most popular form of phishing, and on the rise.
When high-profile individuals are targeted, it is referred to as whaling.
Spear phishing makes use of information about a target to make attacks more specific and targeted. Hackers do their research!
The intent remains the same: to steal intellectual property, financial data, trade or military secrets and other confidential data.
Vishing
A form of social engineering similar to email phishing, but conducted over the phone, primarily using automated voice systems. Instead of sending an e-mail, the caller reaches your home phone or mobile device, claims to be from your bank or another institution you trust, and asks you to share sensitive information.
SMiShing
Accomplished through text messages (SMS) sent to a cell phone or mobile device, asking you to call a particular number (where sensitive information is collected) or to click on a link that could contain malicious code.

Why is Phishing So Popular with Hackers?
Phishing is a top hacker technique since it is usually the path of least resistance for the bad guys to get the sensitive data they want without being detected.
Phishing is the No. 1 method to gain unauthorized access and steal data, since the bad guys like to take advantage of human error.

What do the Cybercriminals want?
Protected Health Information (PHI)

Top 3 Ways to get Phished

By the Numbers - Phishing Stats
Data/Image Sources:
1. Lireo Designs - The State of Phishing
2. Kaspersky Labs - The Evolution of Phishing Attacks: 2011-2013
3. APWG - Global Phishing Survey: Trends and Domain Names Use in 1H2014
4. http://www.returnpath.com/wp-content/uploads/2015/07/the-anatomy-of-a-phishing-email.pdf
5. http://blog.inspiredelearning.com/wp-content/uploads/2014/04/phishing-infographic-full.jpg

By the Numbers - Phishing Stats (cont.)
Data/Image Sources:
1. Kaspersky Labs - The Evolution of Phishing Attacks: 2011-2013
2. APWG - Global Phishing Survey: Trends and Domain Names Use in 1H2014
3. HP - State of Network Security, August 2014

Anatomy of a Phishing Email
In order for you to successfully identify and combat phishing emails, we must first understand the anatomy of the email. To deceive email recipients into divulging sensitive information, cybercriminals use a variety of tactics, such as those shown in the slide image.
Image Source: http://www.returnpath.com/wp-content/uploads/2015/07/the-anatomy-of-a-phishing-email.pdf

Sample Phishing Email - Can you spot the phish? (three sample emails shown on slides 13-15)
Source: www.phishtank.com

Phishing Indicators - Can you spot the phish?
Sent from someone's personal email account
Generic greeting
Grammar and spelling mistakes
Requires immediate action and creates a sense of urgency
Malicious link - mouse over to verify the link
Generic sender, lack of contact info
Suspicious attachment
Source: SANS "Don't Get Hooked" Poster

Sample Phishing Website - Can you spot the phish? (two sample websites shown on slides 17-18)
Source: www.phishtank.com

Phishing Email Checklist
Don't believe everything you see - if it sounds too good to be true, it usually is. No, you didn't just win a $1,000 gift card.
Beware of threatening language or anything invoking a sense of urgency.
Analyze the greeting - a generic salutation such as "Dear Customer" is a tell-tale sign.
Look but do NOT click - mouse over links to see where they really lead, and avoid URLs with @ signs.
Be suspicious of attachments, e.g. .exe, .com, .pif, .bat, .msi, .scr, .zip, .vbs
Requests for personal information - do NOT share personal/sensitive information.
Check for mistakes in spelling and grammar - most organizations proofread.
Review the signature - generic, lacking detail or contact info.
Source: www.returnpath.com

What to do if you receive a Phishing Email? Report It & Delete It
You should report suspected phishing emails to your local IT support staff or security team immediately.
Notify the company, bank, or organization impersonated by the phishing email. Many large companies provide directions on their websites on how to report phishing.
FTC: Forward phishing emails to spam@uce.gov
APWG: https://apwg.org/report-phishing/ - forward the suspected phishing email to reportphishing@apwg.org
US-CERT: Report phishing emails and sites at https://www.us-cert.gov/report-phishing, or forward phishing emails to phishing-report@us-cert.gov
**Remember to include the full email header when reporting phishing emails
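The checklist above (generic greeting, urgency wording, @ signs in URLs, link text that does not match its target, risky attachment types, a sender that does not line up with the reply address) and the reminder to include the full header when reporting can both be turned into a small triage script. The following is an added example, not ControlScan's, SANS's or Return Path's code: it parses a raw message with Python's standard email library, flags each indicator it finds, and prints the complete header block a report should carry. The message, addresses, domains and IP addresses in it are constructed for illustration (example.com, example.net and the 192.0.2.x / 198.51.100.x ranges are reserved for documentation), and the indicator list is a heuristic, not a verdict.

```python
"""Heuristic phishing-indicator check over a raw email (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phish): every address, host and
# IP below is invented for this example.
SAMPLE_RAW = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.example.com with ESMTP; Tue, 20 Oct 2015 09:15:02 -0400
From: "Example Bank Support" <support@example-bank.com>
Reply-To: verify-now@mailbox.example.net
To: customer@example.com
Subject: URGENT: Your account will be suspended within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. You must verify your account
immediately or it will be suspended.</p>
<p><a href="http://example-bank.com@198.51.100.7/login">
https://www.example-bank.com/secure</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.scr"
Content-Disposition: attachment; filename="statement.pdf.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
# Attachment types called out on the checklist slide.
RISKY_EXTENSIONS = (".exe", ".com", ".pif", ".bat", ".msi", ".scr", ".zip", ".vbs")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value):
    """Host of a URL, or the part after '@' of a mail address, lowercased."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()


def phishing_indicators(raw_bytes):
    """Return a list of (indicator, detail) tuples found in the message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    from_addr = parseaddr(str(msg.get("From", "")))[1]
    for header, code in (("Reply-To", "reply-to-mismatch"), ("Return-Path", "return-path-mismatch")):
        addr = parseaddr(str(msg.get(header, "")))[1]
        # Legitimate bulk mail also does this, so it is a hint, not proof.
        if addr and _domain(addr) != _domain(from_addr):
            findings.append((code, f"{header} {addr} vs From {from_addr}"))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()

    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent:
        findings.append(("urgency", ", ".join(urgent)))
    greeting = [g for g in GENERIC_GREETINGS if g in text]
    if greeting:
        findings.append(("generic-greeting", greeting[0]))

    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            # 'user@host' in a URL: the browser goes to what follows the '@'.
            if urlsplit(href).username is not None:
                findings.append(("at-sign-in-url", href))
            # Link text that looks like a URL but points somewhere else.
            if shown.startswith("http") and _domain(shown) != _domain(href):
                findings.append(("link-text-mismatch", f"{shown} -> {_domain(href)}"))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))
    return findings


def full_headers(raw_bytes):
    """The complete header block, which a phishing report should include."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return "".join(f"{name}: {value}\n" for name, value in msg.items())


if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_RAW):
        print(f"{code:22} {detail}")
    print("\nHeaders to include in the report:\n" + full_headers(SAMPLE_RAW))
```

Run it on a saved .eml file by reading the bytes and passing them to phishing_indicators(); several findings together are a strong reason to report the message, while a single Return-Path mismatch on its own is normal for newsletters and ticketing systems. The Received chain that full_headers() prints is what the abuse desks listed above need to trace the sending relay.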

So Why Should I Care About Phishing?
We are the first line of defense in successfully detecting and stopping phishing attacks.
We are all phishing targets, both at work and at home.
Hackers take advantage of the human factor (the potential for human error) by enticing you to click or download.
The bad guys know that careless or untrained employees are the quickest and easiest way to circumvent even the best security controls.
Hackers want your personal and financial information, access to your accounts and your devices. If it has value on the black market, the hackers want it! It's that simple.

Online Phishing Resources
CRI Cyber Security Awareness - Phishing Video: https://youtu.be/wzwxxdxmazs

Q&A
Remember: all it takes is ONE click to become a victim of phishing. When in doubt, DELETE.