Phishing

Ph(F)ebruary Phishing


Did you know?

  • More than half of Internet users get at least 1 phishing email each day.

  • By rough estimate, over 100 billion spam emails are sent each day.

  • According to the 2009 Consumer Reports, the cost of phishing in the United States was almost $500 million per year.

(www.phishing.org)

So what exactly is phishing?

Phishing attacks are socially engineered emails that falsely claim to be a legitimate communication in an attempt to trick the user into responding or taking another action. Responding with personal and/or financial information, clicking a link, or opening an attachment can all result in the attackers gaining access to networks that may provide them with vital information.

These attacks are often carefully crafted messages that lure email users into taking the action the attacker wants.

For example, if you use your online banking account frequently and an attacker knows this about you, they can craft a message that looks like it is from your bank. The message may ask you directly for your username and password, or it may contain a link which, when clicked, can give them access to your information.

What do you need to be aware of?

Phishing scams are found in more than just email messages these days. Attackers are creating websites that look like legitimate places to purchase various goods and services.

Major events like the Super Bowl, the Olympic Games and the World Cup are taken advantage of by phishing attackers. Simply using a search engine to find tickets for these types of events can lead a victim straight to a phishing website. These websites look real and may offer deals to entice people to enter their personal and financial information.

Quiz yourself! Can you tell which emails are phish?


Online Safety


Everyone connected to the Internet is a potential target. Use of anti-virus and firewall software is critical in protecting your computer online; however, simply protecting your computer is not enough. 

Web Browsers

Cyber criminals often target vulnerabilities in web browsers. Because Internet Explorer is the web browser used by most people, it has become a primary target. Using a different browser can reduce your risk while on the web. The table below lists alternative browsers:

Browser    Operating System       License
-------    -------------------    ------------------
Firefox    Mac, Windows, Linux    Free (open source)
Chrome     Mac, Windows, Linux    Free
Opera      Mac, Windows, Linux    Free
Safari     Mac OS X               Free

Configure Settings

Changing the default security settings can help protect you while browsing.  Learn more here.

Update Regularly

It is important to keep your browser up-to-date on security patches. This can typically be done from within the browser, or directly from the vendor’s website. Check for updates at least monthly.

Note: If you use Internet Explorer with RIT Oracle Applications, you may not be able to use the newest versions of Internet Explorer, as they are not certified for compatibility with Oracle at this time.

Use Limited Account Privileges

Learn more here.

Be Smart With What You Do Online

View our pages on Social Networking and Online Banking/Shopping.  Also look for posts on our blog about identity theft, online banking, and scams. 

Safe Social Networking and Blogging


Social networks are great. They do present some security challenges and risks, however.

This guide describes the dangers you face as a user of these websites, and provides tips on the safe use of social networking and blogging services.

Dangers of Social Networking

Many computer criminals use these sites to distribute viruses and malware, to find private information people have posted publicly, and to find targets for phishing/social engineering schemes. Below is a short list of users who may be using the same sites as you:

Identity Thieves
Online criminals only need a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. The large numbers of people that use these sites also attract many online scammers.

Online Predators
Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it be breaking in while you're gone, or attacking you while you're out. Don't make it easy for the Facebook Stalker to find you!

Employers
More and more employers are beginning to investigate applicants and current employees through social networking sites and/or search engines. What you post online may put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or stupid.

Protecting Your Information - Safe Practices

Keeping your information out of the wrong hands can be fairly easy if you adopt a cautious attitude. Here are some tips to make sure your private information stays private.

Don't Post Personal Information Online!
It's the easiest way to keep your information private. Don't post your full birth date, your address, phone numbers, etc. Don't hesitate to ask friends to remove embarrassing or sensitive information about you from their posts either.

Use Built-In Privacy Settings
Most social networking sites offer various ways in which you can restrict public access to your profile, such as only allowing your "friends" to view your profile. Of course, this only works if you allow only a few people to see your postings. If you have 10,000 "friends", your privacy won't be very well protected. Your best bet is to disable all the extra options, and re-enable only the ones you know you'll use. Sophos provides Recommended Facebook Privacy Settings. These best practices can be applied to any social networking or blogging website.

Be wary of others
Most sites do not have a rigorous process to verify the identity of members, so always be cautious when dealing with unfamiliar people online.

Search for yourself
Find out what information other people have easy access to. Put your name into Google (make sure to use quotes around your name). Try searching for your nicknames, phone numbers, and addresses as well; you might be surprised at what you find. Many blogging sites have instructions on how to exclude your posts from appearing in search engine results using something called a "robots text file." More information can be found here.

What Happens on the Web, Stays on the Web

Before posting anything online, remember the maxim "what happens on the web, stays on the web." Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So be safe and think twice about anything you post online.

Find out more about how information security affects you by becoming a Fan of the RIT Information Security Facebook page. Follow us on Twitter for updates on current security threats.

Phishing


Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending spoofed e-mails that appear to be from reputable companies. Phishing e-mails provide a link to a seemingly authentic page where you can log in and reveal your username, password and other personal identifying information (PII). Online scammers can then use this information to access your accounts, gather additional private information about you, and make purchases or apply for credit in your name.

General protection against phishing scams 

Safe practices

  • NEVER RESPOND TO A REQUEST FOR YOUR PASSWORD sent by e-mail, even if the request appears legitimate. RIT will NEVER ask for your password through e-mail.
  • Do not provide identity information, including credit card numbers, when you receive an unsolicited e-mail or phone call.
  • Do not open attachments in unexpected or suspicious e-mails or instant messages.
  • Do not click anywhere on the e-mail—even in what may appear to be white space.
  • Delete the e-mail or instant message.
  • If the e-mail or instant message provides a link to a site where you are requested to enter personal information, it may be a phish. The real link may also be masked. Move your mouse over the link and it may show a different address than the one displayed in the e-mail.
  • Be selective in what sites you provide with your RIT e-mail address.

Technical solutions

  • Use a limited or non-administrator account when opening e-mail and browsing the Internet. A limited account will help protect you against many malware attacks. Finance and Administration (and some RIT colleges) already protect their users by giving them limited accounts. 
  • Enable site checking on your browser.
  • Add an anti-phishing toolbar to your browser. Anti-phishing toolbars help detect and may block known phishing sites. ITS is providing McAfee anti-phishing tools to ePO-managed users.

Report a Phish

Report a phish by emailing spam@rit.edu.  You can forward phishing attempts to this email.

Resources to Help Identify and Avoid Falling for a Phish

Spear Phishing

Spear phishing targets a specific person or group of people (usually within a specific organization or government agency). Spear phishing e-mails are tailored to match internal communications at the target organization and may even include personal details.

Phishing in Instant Messaging

Although most phishing occurs through e-mails, fraudsters have begun using instant messaging to pose as government officials and trick people into revealing identity information.

Current Phishing Scams

Millersmiles.co.uk is an Internet community that archives phishing scams. Visit them to check if a particular e-mail or website has been reported by others, or report it yourself.

Anti-Phishing Tools

Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing. E-mail clients such as Microsoft Outlook 2007 and Mozilla Thunderbird 2 also include anti-phishing features, such as disabling suspicious links and blocking pictures and attachments. As of August 1, 2009, all RIT-owned and leased computers must have some form of anti-phishing controls in place.

We recommend the following browser tools to help you identify suspicious websites:

  • The Netcraft Toolbar is a browser plug-in available for Firefox on Windows, Mac, and Linux. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.
  • The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.

Note: You should not install this version of McAfee Site Advisor on any RIT-owned computer currently running McAfee ePO. More information can be found here.
