Texas Christian University Technology Resources EMAIL SECURITY


TCU Information Security Services

Overview
  Phishing
  Spam
  Spoofing
  Attachments
  Best Practices
  Data Protection


Phishing

Phishing is an illegal activity that uses social engineering techniques to trick people into giving out personal information.

Typically you will receive an email that appears to be from a legitimate business or organization asking for verification of personal or financial information.


Phishing Email

Information asked for in a phishing email may include:
  Username, userid, email id, email identity
  Password
  Social security number
  Birthdate

Or there may just be a link to click on that takes you to an official looking web site to enter information.


Phishing techniques

Link manipulation
  Technical deception designed to make a link in an email, and the spoofed website it leads to, appear to belong to the spoofed organization.

Spoofed website
  Looks almost exactly like the real thing.

Website forgery
  A spoofed website that uses JavaScript to alter the address bar to appear legitimate.

Filter evasion
  Misspelled words and images instead of text are used to evade anti-phishing filters.


Spear Phishing

A highly targeted version of a phishing scam is “spear phishing.”

A spear phishing message may look like it is coming from your employer or computer help desk.


Vishing

Voice Over Internet Protocol (VoIP) enables phone calls over the web.

For criminals this makes it easy to fake real numbers and create phony automated customer service lines. They can’t be traced.

Vishing Scheme 1:
  You get phishing email with phone number to call where you are asked for information.

Vishing Scheme 2:
  You get phone call directing you to take action to protect an account.


Smishing

Phishing fraud sent via SMS (Short Message Service) text messaging.

Emerging as new threat to cell phone users.

Examples
  Text message received contains web site hyperlink which if clicked will download Trojan horse to phone.
  Text message informing you that your bank account has been frozen. Call a phone number to unlock – automated (bogus) phone system asks for account number, SSN and PIN.


Recent Phishing Email at TCU

Link manipulation

Spoofed email

TCU Technology Resources will NEVER send a link in an email which takes you to a website requesting that you login or enter your username and password.


http://ip-mediation.net/TCU/

Fake Website

Look between first double // and first single / - that’s NOT TCU

Notice no https


https://my.is.tcu.edu/psp/pa9prd/?cmd=login

Real Website

That is TCU

Secure


Another TCU Phishing Email

Link manipulation


http://www.1025.ru/js/mail.tcu.edu

Fake Website

Look between first double // and first single / - that’s NOT TCU

No https


https://mobile.tcu.edu/owa/auth/logon.aspx

Real

That is TCU

Secure


And Another TCU Email

False urgency

Don’t give out your username or password!

TCU Technology Resources, including the Help Desk, will NEVER ask for your password – in an email, over the phone or in person!

Misspellings of simple words


Phishing Example – Financial Institution

False urgency designed to get you to act without thinking.

False credibility

Untraceable phone number

More false urgency

Spoofed web address

Lack of personal greeting


Phishing Example – Lottery Scam

Foreign lottery scams are common

You won – but did you play?

If it sounds too good to be true, it usually is.


Phishing Example – IRS Scam

IRS web site clearly states that it will not initiate taxpayer communications through email.

False credibility

False urgency

Links to spoofed web site.


Avoid being Phished!

Links in Emails
  Approach links in an email with caution.
  They might look genuine, but they could be forged.
  Copy and paste the link to your web browser.
  Type in the address yourself.
  Or even Google the company and go to their website from the search results.


Avoid being Phished (continued)

Learn to spot non-legitimate web sites
  Look at the address between the // and the first / - it should end with the company you expect
    Fake: http://www.1025.ru/js/mail.tcu.edu
    Real: https://mobile.tcu.edu/owa/auth/logon.aspx…
  Is it secure?
    https in the address
    Yellow lock icon
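
The host check described on this slide, written out as an added Python example (it is not part of the original TCU slides). The helper name check_link and the hosts login.example and tcu.edu.example are assumptions constructed for illustration; the other URLs are the ones shown in the slides. It goes slightly beyond the slide by also catching look-alike hosts and the user@host trick.

```python
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return (host, problems) for a link that claims to belong to expected_domain.

    check_link is a hypothetical helper written for this example.
    """
    parts = urlsplit(url)
    # The host is what sits between the // and the first /, minus any
    # "user@" prefix and ":port" suffix. Nothing after the first / counts.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower()
    problems = []

    # Slide: "it should end with the company you expect". Match on a dot
    # boundary so that nottcu.edu or tcu.edu.example do not pass.
    if host != expected and not host.endswith("." + expected):
        problems.append("host is not " + expected)

    # Text before an @ is login data, not the site. It is often used to
    # put a trusted name at the front of a link.
    if parts.username is not None:
        problems.append("text before @ is not the host")

    # Slide: "Is it secure? https in the address". https is necessary, but it
    # only protects the connection; the host check above says whose site it is.
    if parts.scheme != "https":
        problems.append("no https")

    return host, problems


# URLs taken from the slides, plus two constructed look-alikes
# (login.example and tcu.edu.example are made-up hosts).
SAMPLES = [
    "http://www.1025.ru/js/mail.tcu.edu",
    "http://ip-mediation.net/TCU/",
    "https://mobile.tcu.edu/owa/auth/logon.aspx",
    "https://my.is.tcu.edu/psp/pa9prd/?cmd=login",
    "https://mobile.tcu.edu@login.example/owa/",   # constructed
    "https://mail.tcu.edu.example/owa/",           # constructed
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, problems = check_link(url, "tcu.edu")
        verdict = "looks like TCU" if not problems else "NOT TCU: " + ", ".join(problems)
        print(f"{host:28} {verdict}")
```
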


Avoid being Phished (continued)

Greet email or phone calls seeking personal information with skepticism.

If you think it may be legitimate, call customer service number provided when account was opened.

Be leery of alarming statements that urge you to respond immediately.

Do NOT reply to phishing emails.


Avoid being Phished (continued)

TCU Technology Resources, including the computer help desk and information security services, will NEVER ask you for your password via email, the phone or in person.

When TCU upgrades its computer or email systems we will NEVER send a link inside an email which will go to a website requesting that you login or enter your username and password.


Phishing Scams Game

Play the Phishing Scam Game
http://www.onguardonline.gov/games/phishing-scams.aspx


Spam

Spam is anonymous, unsolicited junk email sent indiscriminately to huge numbers of recipients.

What for?
  Advertising goods and services (often of a dubious nature)
  Quasi-charity appeals
  Financial scams
  Chain letters
  Phishing attempts
  Spread malware and viruses


Origins of the term "Spam"

WWII England: Spam was only meat not rationed.

1970 Monty Python skit: http://www.youtube.com/watch?v=anwy2MPT5RE
  Every item on the menu includes Spam
  Vikings drown out dialogue by repeating SPAM, SPAM, SPAM, SPAM

1980’s – in early internet chat rooms quotes from the skit were used repeatedly to drive out newcomers or invade “rival” chat rooms (Star Wars/Star Trek)

In 1993 the term Spam was used on Usenet to mean excessive multiple postings of the same message.

In 1998 the new meaning was included in the New Oxford Dictionary of English.


What to do with Spam

Do not open email that is obviously Spam.

If you do open junk mail, do not click on any links.
  Including a link that claims it will remove you from the list. Spammers use this to verify that you have a “live” email address.

Use “disposable email address” – set up a Yahoo or Gmail account to use on the web.

Send spam to [email protected] as an attachment.

End User Quarantine reduces amount of Spam received.


How to send email as attachment

In Outlook 2007
  From the Inbox, click to select the email message
  From the menu choose Actions, Forward as Attachment.

In Entourage 2004 for Mac OSX
  From the Inbox, click to select the email message
  From the menu choose Message, Forward as Attachment.


Spoofing

Email appears to be from a friend, colleague or yourself but subject and text obviously not something you or they would send

Spoofing is a way of sending counterfeit email using stolen addresses


Spoofing continued

Favorite technique of spammers and phishers

How do they steal email addresses
  Write programs that gather email addresses from websites, discussion boards, blogs.
  Also worms and viruses collect addresses from address books they infect

What can you do
  Nothing to prevent spoofing
  Just be aware and never fully trust the “From” field of an email.


Attachments

Computer viruses and other malicious software are often spread through email attachments.

If a file attached to an email contains a virus, it is often launched when you open (or double-click) the attachment.

Don’t open email attachments unless you know whom it is from and you were expecting it.


Should You Open that Attachment?

If it is suspicious, do not open it!

What is suspicious?
  Not work-related.
  The email containing the attachment was not addressed to you, specifically, by name.
  Incorrect or suspicious filename.
  Unexpected attachments.
  Attachments with suspicious or unknown file extensions (e.g., .exe, .vbs, .bin, .com, .pif, or .zzx)

Unusual topic lines: “Your car?”; “Oh!”; “Nice Pic!”; “Family Update!”; “Very Funny!”


Email Best Practices

Use the BCC field when sending to large distribution lists.
  Protects recipients’ email addresses
  Prevents Reply to All issues

Avoid use of large distribution lists unless legitimate business purpose.
  E.g., All Faculty/Staff list
  Use TCU Announce instead

Beware of Reply to All button

Don’t forward chain email letters.


Data Protection

Do Not Email Unencrypted Sensitive Personal Information (SPI)

On-campus email – encrypt or use shared drive instead.

Digital ID
  Allows you to digitally sign and encrypt email.
  Required for sender and recipient.
  Email [email protected] to request.

WinZip version 10 and above – create encrypted archive to send in email.

Office 2007 - allows AES encryption.

Email password separately!


Resources

TCU Computer Help Desk
  [email protected]://Help.tcu.edu
  Location: Mary Couts Burnett Library, first floor

Information Security Services
  https://Security.tcu.edu
  [email protected]