1 / 16

Phishing and Spam Email

Phishing and Spam Email. Introduction. There’s a good chance that in the past week you have received at least one email that pretends to be from your bank, a vendor, or other online site.

woody
Download Presentation

Phishing and Spam Email

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Phishing and Spam Email

  2. Introduction • There’s a good chance that in the past week you have received at least one email that pretends to be from your bank, a vendor, or other online site. • Hopefully, you have realized that many of these emails are not what they proclaim to be – they are not legitimate emails, but “phishing.” 2014 DHS IT Security & Privacy Training

  3. Introduction In other words, the sender of the emails (phisher) wants you to click on a link in the email and go to a fake website which you may think is the legitimate website. On the phishers’ website, they hope to obtain your user accountand passwords, financial, credit, and/or identity information. • They do this by asking you to enter passwords or other identifying information that unlocks your information; • They do this by recording your keystrokes while you are visiting their website; and • They do this by surreptitiously downloading malware on your computer while you are on their website. 2014 DHS IT Security & Privacy Training

  4. Social Engineering • “Phishing” is one form of social engineering. • Social engineering is the practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional. • Social engineering techniques are considered con games which are performed by con artists. • The targets of social engineering may never realize they have been victimized. 2014 DHS IT Security & Privacy Training

  5. Phishing Phishing uses e-mail messages that supposedly come from legitimate businesses you might have dealings with: • Banks such as Bank of America or Citibank; • Online organizations such as eBay or PayPal; • Internet service providers such as AOL, MSN, or Yahoo; • Online retailers such as Best Buy; and insurance agencies. The messages may look quite authentic, featuring corporate logos and formats similar to the ones used for legitimate messages. 2014 DHS IT Security & Privacy Training

  6. Phishing • Typically, phishers ask for verification of certain information, such as account numbers and passwords, allegedly for auditing purposes. • Identity theft is the name of the game. • And because these e-mails look so official, up to 20% of unsuspecting recipients may respond to them, resulting in financial losses, identity theft and other fraudulent activity. 2014 DHS IT Security & Privacy Training

  7. How Do You Know If It's Real or Fake? Fake email: • Often contains a generic greeting (it does not call you by name, but as “customer,” “friend,” etc.). • Often claims your personal information has been corrupted, lost, or has expired. • Directs you to a real-looking but counterfeit web site. Almost every company that has your personal information will have a policy that forbids the company from sending email attachments or pop-up windows asking for personal information from you and its other customers. 2014 DHS IT Security & Privacy Training

  8. What to Do With a Suspect Email If you get an email requesting private information: • Verify it really came from where it says before giving out any information. • Call the sender and verify the email is authentic. • Delete the email. If it is important, the sender will send it again. 2014 DHS IT Security & Privacy Training

  9. Spam v Phishing Email Not every junk or spam email is a phishing email. • The word "Spam" as applied to email means "Unsolicited Bulk Email". • Unsolicitedmeans the recipient has not granted permission for the message to be sent. • Bulkmeans that the message is sent as part of a larger collection of messages, all having essentially identical content. • A message is spamonly if it is both unsolicited and bulk. • Unsolicited email is normal email such as first contact enquiries, job enquiries, sales enquiries, etc. • Bulk email is normal email such as subscriber newsletters, customer communications, discussion lists. 2014 DHS IT Security & Privacy Training

  10. Spam v Phishing Email So, spam is unsolicited e-mail, usually from someone trying to sell something. The difference between spam and phishing emails is that spammers do not attempt to acquire sensitive information. 2014 DHS IT Security & Privacy Training

  11. What To Do With Spam Email If you use email, you will get spam on your computer. DHS uses a spam filter called the User Quarantine Release that uses a formula to identify email suspected of being spam and filters it out. 2014 DHS IT Security & Privacy Training

  12. Using the User Quarantine Release • The User Quarantine Release (UQR) is the DHS Outlook spam filter. It collects email suspected to be spam. That email does not go to your Outlook inbox. • You will receive an auto-generated email once a day or on days you have suspect email notifying you of any email message addressed to you that was quarantined because the system determined it might be spam. From within this notification, you may release messages that you believe are valid emails. • The UQR deletes the email it holds after a 7 days. The next slide gives an example of what the UQR looks like. 2014 DHS IT Security & Privacy Training

  13. Click here to approve or release email. Using the User Quarantine Release 2014 DHS IT Security & Privacy Training

  14. What To Do With Spam Email The best way to deal with spam email is to delete it. • You need to file a Security Incident Report for spam email only if your DHS computer is being overrun by spam email not being caught by the UQR. • Receiving an occasional spam email in your inbox does not need to be reported. 2014 DHS IT Security & Privacy Training

  15. DHS Policy 5006 Email Usage These are the primary guidelines of the policy: A User: • Accepts responsibility for any email created by that user, and for revisions in email messages that are forwarded or replied to. • Accepts responsibility for any email he or she stores or saves. • Does not have responsibility for messages received but not created by the user as long as those messages are deleted, not stored, from the user’s mailbox. 2014 DHS IT Security & Privacy Training

  16. DHS Policy 5006 Email Usage • Inappropriately modifying an email message or printing inappropriate email has negative consequences. • Evidence of misuse of the system may result in termination of access to the DHS network without notice. • DHS cannot guarantee protection from email containing viruses, worms, or malicious attachments. • Suspicious email should be reported on the IT Security Incident Report form. 2014 DHS IT Security & Privacy Training

More Related