Phishing attacks are socially engineered emails sent to a user falsely claiming to be a legitimate communication in an attempt to trick the user into responding or taking another action. Responding with personal and/or financial information, clicking a link, or opening an attachment can all result in the attackers gaining access into networks that may provide them with vital information.
These attacks are often carefully crafted messages that lure email users into taking the desired action of the attacker.
For example, if you use your online banking account frequently and an attacker knows this about you then they can craft a message that looks like it is from your bank. The message may ask you directly for your username and password or it may have a link for you to click which when clicked can give them access to your information.
What do you need to be aware of?
Phishing scams are found in more that just email messages these days as well. Attackers are creating websites that look legitimate for purchase of various goods and services.
Major events like the Super Bowl, the Olympic games and the World Cup are taken advantage of by phishing attackers. Simply using a search engine to find tickets for these types of events can lead a victim straight to a phishing website. These websites look real and may offer deals to entice people to enter their personal and financial information.
Everyone connected to the Internet is a potential target. Use of anti-virus, anti-spyware, and firewall software is critical in protecting your computer online; however, simply protecting your computer is not enough.
Cyber criminals often target vulnerabilities in web browsers. Because Internet Explorer is the web browser used by most people, it has become a primary target. Using a different browser can reduce your risk while on the web. The table below lists alternative browsers:
Social networks are great. They do present some security challenges and risks, however.
This guide describes the dangers you face as a user of these websites, and provides tips on the safe use of social networking and blogging services.
Dangers of Social Networking
Many computer criminals uses these sites to distribute viruses and malware, to find private information people have posted publicly, and to find targets for phishing/social engineering schemes. Below is a short list of users who may be using the same sites as you:
Online criminals only need a few pieces of information to gain access to your financial resources. Phone numbers, addresses, names, and other personal information can be harvested easily from social networking sites and used for identity theft. The large numbers of people that use these sites also attract many online scammers.
Are your friends interested in seeing your class schedule online? Well, sex offenders or other criminals could be as well. Knowing your schedule and your whereabouts can make it very easy for someone to victimize you, whether it be breaking in while you're gone, or attacking you while you're out. Don't make it easy for the Facebook Stalker to find you!
Employers More and more employers are beginning to investigate applicants and current employees through social networking sites and/or search engines. What you post online may put you in a negative light to prospective or current employers, especially if your profile picture features you doing something questionable or stupid.
Protecting Your Information - Safe Practices
Keeping your information out of the wrong hands can be fairly easy if you adopt a cautious attitude. Here are some tips to make sure your private information stays private.
Don't Post Personal Information Online!
It's the easiest way to keep your information private. Don't post your full birth date, your address, phone numbers, etc. Don't hesitate to ask friends to remove embarrassing or sensitive information about you from their posts either.
Use Built-In Privacy Settings
Most social networking sites offer various ways in which you can restrict public access to your profile, such only allowing your "friends" to view your profile. Of course, this only works if you only allow a few people to see your postings-if you have 10,000 "friends" your privacy won't be very well protected. Your best bet is to disable all the extra options, and re-enable only the ones you know you'll use. Sophos provides Recommended Facebook Privacy Settings. These best practices can be applied to any social networking or blogging website.
Be wary of others
Most sites do not have a rigorous process to verify identity of members so always be cautious when dealing with unfamiliar people online.
Search for yourself
Find out what information other people have easy access to. Put your name into Google (make sure to use quotes around your name). Try searching for your nicknames, phone numbers, and addresses as well-you might be surprised at what you find. Many blogging sites have instructions on how to exclude your posts from appearing in search engine results using something called a "robots text file." More information can be found here.
What Happens on the Web, Stays on the Web
Before posting anything online, remember the maxim "what happens on the web, stays on the web." Information on the Internet is public and available for anyone to see, and security is never perfect. With browser caching and server backups, there is a good chance that what you post will circulate on the web for years to come. So be safe and think twice about anything you post online.
Phishing is a form of social engineering where the attacker attempts to trick people into revealing private information by sending spoofed e-mails that appear to be from reputable companies. Phishing e-mails provide a link to a seemingly authentic page where you can login and reveal your username, password and other personal identifying information (PII)." Online scammers can then use this information to access your accounts, gather additional private information about you, and make purchases or apply for credit in your name.
General protection against phishing scams
NEVER RESPOND TO A REQUEST FOR YOUR PASSWORD sent by e-mail, even if the request appears legitimate. RIT will NEVER ask for your password through e-mail.
Do not provide identity information, including credit card numbers, when you receive an unsolicited e-mail or phone call.
Do not open attachments in unexpected or suspicious e-mails or instant messages.
Do not click anywhere on the e-mail—even in what may appear to be white space.
Delete the e-mail or instant message.
If the e-mail or instant message provides a link to a site where you are requested to enter personal information, it may be a phish. The real link may also be masked. Move your mouse over the link and it may show a different address than the one displayed in the e-mail.
Be selective in what sites you provide with your RIT e-mail address.
Use a limited or non-administrator account when opening e-mail and browsing the Internet. A limited account will help protect you against many malware attacks. Finance and Administration (and some RIT colleges) already protect their users by giving them limited accounts.
Spear phishing targets a specific person or group of people (usually within a specific organization or government agency). Spear phishing e-mails are tailored to match internal communications at the target organization and may even include personal details.
Phishing in Instant Messaging
Although most phishing occurs through e-mails, fraudsters have begun using instant messaging to pose as government officials and trick people into revealing identity information.
Current Phishing Scams
Millersmiles.co.uk is an Internet community that archives phishing scams. Visit them to check if a particular e-mail or website has been reported by others, or report it yourself.
Internet Explorer 7.x and higher, Safari 3.2 and higher, and Mozilla Firefox 3.x and higher all provide some protection against phishing. E-mail clients such as Microsoft Outlook 2007 and Mozilla Thunderbird 2 also include anti-phishing features, such as disabling suspicious links and blocking pictures and attachments. As of August 1, 2009, all RIT-owned and leased computers must have some form of anti-phishing controls in place.
We recommend the following browser tools to help you identify suspicious websites:
The Netcraft Toolbar is a browser plug-in available for Firefox on Windows, Mac, and Linux. The toolbar helps stop phishing attempts by blocking known phishing sites and providing hosting information about the sites you visit.
The McAfee Site Advisor is a browser plug-in available for Internet Explorer and Firefox. Site Advisor warns you of websites known to have malicious downloads or links by checking them against a database at McAfee.
Note: You should not install this version of McAfee Site Advisor on any RIT-owned computer currently running McAfee ePO. More information can be found here.