Phishing is the act of illegally trying to acquire private information such as passwords, credit card account numbers, banking account information, and social security numbers by posing as a legitimate electronic communication.
2. How to Protect Your Business From
Internet Phishing Scams
Presented by: Tim Geigner
3. What is Phishing?
Conventional Phishing: mass amounts of unpersonalized emails are sent
Spear Phishing: a targeted victim is sent a personalized email
Malware: malicious email that appears to be legit; damages your computer system
9. How to Spot A Phishing Scam
Incorrect Spelling & Bad Grammar
Not typically personalized, yet they can be
An attachment that appears legit
Sense of urgency/threats
URL Links in email
http://www.chasebank.com/loginscritp/user1.jsp
Requests personal information: usernames, password, social
security numbers, date of birth, credit card numbers, etc.
Be Suspicious!
10. Dear Valued Customer,
It has come to our attention that your account information needs to be
updated due to inactive members, frauds and spoof reports.
It is critical that you take 5-10 minutes to renew your records, in order
for you to avoid any future issues with your online service. It is very
important to have this complete no later than: March 30, 2012. Faling
to take action will result in the closure of your account.
Please follow the link below and renew your account information.
https://www.chasebank.com/ukoup-date.htm
Sincerely,
Chase Bank Customer Department
Not personalized
Incorrect spelling
Misguiding URL link
11. Why People Fall for Phishing Scams
Creates a reaction!
Not aware of the signs
Phishing scams are meant to appear legitimate
Typically include upsetting or exciting (false) statements, special offers or prizes
14-18. What to do if you have been hacked?
1. Report the issue to your bank or credit card company
2. Place a fraud alert through a credit reporting agency
3. Remove Internet Browser
4. Install and/or update anti-virus and personal firewall software
5. Change your passwords
20-27. How to Protect Your Business Against Phishing Scams
Install anti-virus and anti-spyware applications – keep updated
Install a firewall
Do all online banking or credit card payments on a completely locked down stand-alone computer
Ensure Windows updates and security patches are updated and installed – check for success on a regular basis
Do not click on hyperlinks within an email
Create strong unique passwords
Educate your employees on the signs
Discuss options with your IT professional
28. Free Network Security Audit
Special Offer for the first 7 people to respond
Expires: April 30, 2012
(312) 957-7459
Or
www.digeratigroup.com/
Welcome and thank you for joining us for today’s webinar on protecting your business from internet phishing scams. While perhaps not a mainstream term yet, not only have the number of phishing attacks risen dramatically over the past five years, but so too has the sophistication and deceptiveness of these attacks. Today we’ll be discussing techniques for combatting this threat.
So what is phishing? Phishing emails usually appear to come from a well-known organization and ask for your personal information, such as a credit card number, social security number, account number or password. Oftentimes phishing attempts appear to come from legitimate sites, services and companies with which you do not even have an account.
Phishing scenarios are typically carried out through e-mail and often contain links to a fake website with a look and feel almost identical to a legitimate site. Once on the site, users are cajoled into entering usernames and passwords or other sensitive information that will provide hackers with broad access to data.
Phishing is typically done via email.
Pop up sites are another method phishers use.
Instant messages are less common, but phishing is done through IM as well.
And social media is kind of a no-brainer. If criminals can gather information about you from social media posts and profiles, they can use that information to try to trick you into trusting them. Security experts call this "spear phishing", as it's a more targeted approach.
A report provided by McAfee suggests: "Social media connections will eventually replace e-mail as the primary vector for distributing malicious code and links." "Last year ended with some of the lowest global e-mail spam levels in years, as more and more users transition from 'slower' legacy communications such as e-mail in favor of more immediate methods such as instant messaging and Twitter," the report says. And, as we all know, where the users go, so too will the scammers.
Let’s discuss some methods for identifying a phishing scam.
Sometimes scammers operate in a second language and they give themselves away by using poor grammar or spelling.
The most effective way to counter these types of attacks is to train the recipients on how to identify and avoid a phishing attempt on their own.
Phishing attacks are normally directed towards millions of people through email spam. The emails sent out during a phish are therefore impersonal and general, contrary to emails from your bank which are usually personal in nature. The big banks with a higher probability for hitting customers are impersonated most often. Nearly all large banks in the world have been subject to phishing frauds trying to reach their customers. Examples are the Bank of America, Bank of Montreal and the ANZ Bank of Australia.
Valid messages from your bank or e-commerce company generally are personalized, but always call to check if you are unsure.
Attachments that appear legitimate are how a phisher places malware on your computer. That malware can result in a variety of attacks, including rogue antivirus and other programs that ask for financial information.
Going along with these communications is usually some threat or urgent deadline, including fake reports of malware, bank account policy changes, etc.
These emails also tend to include URL links, almost always to imposter sites run by the criminals.
And, of course, they’re after personal information, login information, and financial information.
In order for criminals to successfully "phish" your personal information, they often must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.
As an example, an official-looking email from your favorite bank asks you to change your online banking password or update personal data by following a spoofed website link.
No financial institution with any sense will email you and ask you to input your sensitive information. In fact, most institutions are informing customers that “We will never ask you for your personal information via phone or email”.
Phishing scams are meant to, and usually do, a pretty good job of making the email or pop-up they arrive in appear legitimate. They might include a graphic from the bank right on the email message or website. Or the link provided in the email may look like it goes to the bank's website while the victim is actually sent to a very different site.
Users should double check with their financial institutions before opening attachments or clicking on any links.
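As an added example (not part of the webinar or its slides), here is a small Python checker that scores an email body for the warning signs the deck lists: a generic greeting, urgency wording, a request for account information, and a link whose visible text names one host while its href points somewhere else. The sample message is constructed from the deck's "Dear Valued Customer" slide; the href domain in it is a placeholder, not a real phishing site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the deck's "Dear Valued Customer" email (not a real message):
# the visible link text shows the bank's domain while the href (a placeholder) goes elsewhere.
SAMPLE_PHISH = """Dear Valued Customer,
It has come to our attention that your account information needs to be updated.
It is critical that you take 5-10 minutes to renew your records. Faling to take
action will result in the closure of your account. Please follow the link below:
<a href="http://chasebank-update.example.net/ukoup-date.htm">https://www.chasebank.com/ukoup-date.htm</a>
Sincerely, Chase Bank Customer Department"""

GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear member")
URGENCY = ("critical", "immediately", "closure of your account", "suspended", "within 24 hours")
INFO_REQUESTS = ("password", "social security", "credit card", "renew your records", "verify your account")

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):  # hostname of a URL, tolerating bare 'www.example.com/path' link text
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def score_email(body):
    """Return (score, reasons): one point for each warning sign from the deck that is present."""
    text, reasons = body.lower(), []
    if any(g in text[:80] for g in GENERIC_GREETINGS):
        reasons.append("not personalized: generic greeting")
    if any(u in text for u in URGENCY):
        reasons.append("sense of urgency or threat")
    if any(i in text for i in INFO_REQUESTS):
        reasons.append("asks you to supply or renew account information")
    parser = _LinkParser()
    parser.feed(body)
    for href, shown in parser.links:  # link text naming one host but pointing at another
        if "." in shown and _host(shown) != _host(href):
            reasons.append(f"misleading link: shows {_host(shown)}, goes to {_host(href)}")
    return len(reasons), reasons
```

The word lists are deliberately short; in a mail gateway they would be tuned to the organisation's own traffic, and the host comparison is the check that catches the slide's "misguiding URL link" regardless of wording.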
Organized Internet criminal groups, most often located overseas, are the typical phishing culprits.
As for the software itself, hacking groups offer software packages (sometimes for free) that make it easy to quickly set up a fraudulent web site mimicking a known brand in order to trick people into providing personal info. This software is then used by others to spread phishing attacks.
Regardless of our precautions, sometimes phishing attacks are successful, so let’s discuss what we do in the event of a hack.
If the scam involved bank or credit card account information being transferred, report the issue to the appropriate place. Credit card companies usually have a 24-hour service to deal with emergencies like this. Depending on the financial institution's recommendations, it might be necessary to cancel that account and open up a new one.
Banks invest more in the consumer because if they lose money, the bank recovers the loss. The bank normally does not have to refund business accounts, however. In addition, there are usually different rules for consumers and businesses when it comes to disputing charges. Consumer: 60 days from receipt of the monthly statement to dispute. Business: typically no more than 2 business days to spot and dispute.
being hacked into, you should file a report with law enforcement. You should provide them with a written document of what was lost, dates, times, etc.
You should also take a look at your billing statements to check for any unauthorized charges.
If you have received an email from a hacker posing as a financial institution, but did not fall victim to the attempt you can still report the issue. If you click on a link and are directed to a site that downloads malware (virus) into your computer, you
Identity theft occurs when someone uses your personal information such as your name, Social Security number, credit card number or other identifying information, without your permission to commit fraud or other crimes. If you have given out this kind of information to a phisher, you should do the following:
Report the theft to the three major credit reporting agencies, Experian, Equifax and TransUnion Corporation, and do the following:
Request that they place a fraud alert and a victim’s statement in your file.
Request a FREE copy of your credit report to check whether any accounts were opened without your consent.
Request that the agencies remove inquiries and/or fraudulent accounts stemming from the theft.
Some phishing attacks use viruses and/or Trojans to install programs called "key loggers" on your computer. These programs capture and send out any information that you type to the phisher, including credit card numbers, usernames and passwords, Social Security Numbers, etc. In this case, you should wipe your browser completely and reinstall a fresh copy.
In addition, often times phishing attacks will deliver additional malware to the user’s machine. To protect against this, you should:
Install and/or update anti-virus and personal firewall software
Update all virus definitions and run a full scan
Confirm every connection your firewall allows
If your system appears to have been compromised, fix it and then change your password again, since you may well have transmitted the new one to the hacker.
Getting away from the user for a moment, let’s discuss how to globally protect your business against phishing scams.
Although anti-virus and spyware software can't offer 100% protection, one of the most important things you can do to avoid phishing attacks is keep your antivirus software up-to-date, because most antivirus vendors have signatures that protect against some common exploits. This can prevent things such as Trojans disguising your Web address bar or mimicking an https secure link. If your antivirus software is not up-to-date, you are usually more susceptible to attacks that can hijack your Web browser and put you at risk for phishing attacks. Make sure every computer used has up-to-date virus and malware protection. Schedule regular full system scans. Never download "anti-virus" software from an unknown entity. It's better to stick with trusted brands.
A perimeter firewall is key as well, for all the same reasons as endpoint antivirus software. Make sure your firewall is under maintenance and has all the latest definitions and updates.
Any financial transactions should only be done on a trusted, secure computer.
Make sure your network is current on its Windows updates and patches. Don’t wait for Patch Tuesday to secure your equipment, since the criminals won’t wait. Keep your machines current on an ONGOING basis.
It is never a good idea to click on any hyperlink in an e-mail, especially from unknown sources. You never know where the link is going to really take you or whether it will trigger malicious code. Some hyperlinks can take you to a fake HTML page that may try to scam you into typing sensitive information. If you really want to check out the link, manually retype it into a Web browser.
Create strong unique passwords and change them frequently.
At least 10 characters long, using a combination of upper- and lower-case letters, numbers, and symbols. Avoid using any of the following: your name, your spouse's, children's, or pet's name; your birthdate, address, any part of your social security number, a series of consecutive numbers, any single word that appears in a dictionary, or double or repeated words.
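An added example, not from the webinar, that turns the password rules above into a Python checker. The personal-information tokens and the word list are constructed stand-ins; a real deployment would take them from the user's profile data and a full dictionary file.

```python
import re

# Constructed stand-ins for the personal details the deck says to avoid (names, pet's name,
# birth year, address, SSN fragment); a real deployment fills this from the user's profile.
PERSONAL_TOKENS = ("tim", "geigner", "rover", "1984", "main street", "6789")
# Tiny constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "chicago", "dragon", "letmein"}

def _consecutive_digits(pw, run=3):
    """True if pw contains an ascending or descending digit series such as 123 or 987."""
    for match in re.finditer(r"\d{%d,}" % run, pw):
        digits = [int(c) for c in match.group()]
        for i in range(len(digits) - run + 1):
            steps = {digits[j + 1] - digits[j] for j in range(i, i + run - 1)}
            if steps in ({1}, {-1}):
                return True
    return False

def _repeated_word(pw):
    """True for doubled words such as 'dogdog' or 'abc-abc'."""
    return re.search(r"([a-z]{3,})[^a-z]*\1", pw.lower()) is not None

def check_password(pw, personal=PERSONAL_TOKENS, dictionary=DICTIONARY):
    """Return the list of deck rules the password violates (empty means it passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    for pattern, label in ((r"[A-Z]", "upper-case letter"), (r"[a-z]", "lower-case letter"),
                           (r"\d", "number"), (r"[^A-Za-z0-9]", "symbol")):
        if not re.search(pattern, pw):
            problems.append(f"missing {label}")
    lowered = pw.lower()
    for token in personal:
        if token in lowered:
            problems.append(f"contains personal information ({token!r})")
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("built around a single dictionary word")
    if _consecutive_digits(pw):
        problems.append("contains a series of consecutive numbers")
    if _repeated_word(pw):
        problems.append("contains a doubled or repeated word")
    return problems
```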
Make sure your employees are aware of what phishing scams are, and are cautious when reading and responding to suspicious emails. Instead of clicking a link, open another browser window and go to the official website.
We covered various signs of a phishing scam email: incorrect spelling; a sense of urgency; requests for personal financial information such as usernames, passwords, social security numbers, date of birth, credit card numbers, etc.; email from a bank or credit card company you are not a customer of; and email from a bank that requests personal information. Make sure your users know the warning signs.
IT professionals can make more complete and appropriate recommendations tailored specifically around your equipment, software, and users.
And that wraps it up. Thank you for joining us for today’s webinar. Before we sign off, we did want to leave you with a free offer from Digerati Group. The first 7 folks that respond to us with a call or email will receive a free network security audit, during which we’ll:
Test your firewall, anti-virus and spyware protection
Check your backups
Review your acceptable use policy
Check your online security settings
Discuss the training needs of your staff with regards to security
And with that, I’d like to open up the call to any questions or comments.