Sunday, November 24, 2013

Don’t Know Something? Google It, But Be Careful.

During lunch with my coworkers yesterday I must have heard the statement “Google it” at least four times within the span of thirty minutes.  The statement would always be made when someone didn’t know the answer to a trivia question or wanted to prove a fact he or she stated.  After the second time someone went off to Google something I decided to tag along with him to see what he did after he typed the key words into the Google search bar.  He did exactly what I thought he would do and clicked on the very first result returned from the search.
It is not safe to assume a search result is safe to click on just because it was produced on a legitimate site like Google.  In an effort to trick users into launching their malicious code, scammers have devised ways to make websites containing that code come out near the top of a search.  Manipulating a site to come out at or near the top of a search result is not difficult and can be as simple as altering the site’s name to closely resemble a popular website.
Does this mean it is not safe to conduct Internet searches using search engines?  Well, we all know that is not a realistic solution, but there are other measures users can implement and practice to protect themselves when conducting an Internet search using a search engine.
 
One of the first things a user can do to protect themselves is to use software specifically designed to check the results returned after an Internet search has been conducted and identify the results that are safe and the sites that may contain potentially dangerous content.  For example, McAfee offers a free site-checking security app called SiteAdvisor.  Users with SiteAdvisor will see a green, yellow, or red icon next to search results indicating if the site is safe to visit.  McAfee SiteAdvisor is just one of many site-checking software applications available and users must choose the one that best meets their needs.
The next measure users can implement to protect their computer and/or network from malicious content when conducting Internet searches is to set the filter settings on the preferred search engine’s settings page.  The search filter setting allows users to choose whether they would like to filter explicit content, which could contain malicious content, from their search results.  For example, Bing allows users to set filter settings without being signed in.  On the other hand, Google users must be signed in to choose and set their filter settings.
Last, users can protect themselves by ensuring they type in the correct address.  Many scammers develop sites with addresses that are one character different from legitimate websites.  Typing in the correct address, ensuring secure pages begin with https, and ensuring sites end with the correct domain (.gov, .edu, .mil, .net) will decrease a user’s chances of visiting the wrong site.  If there is any doubt as to the validity of a site, users can check it using Google’s safe browsing feature.  Users simply type the following address into the address bar: http://google.com/safebrowsing/diagnostic?site= and input the name of the questioned site after the equal sign.  For example, if a user questioned the validity of Bellevue University’s website he or she would simply type http://google.com/safebrowsing/diagnostic?site=bellevue.edu into their Internet browser and receive a diagnostic page.
Be smart when you conduct Internet searches.  Implement the aforementioned at a minimum to protect yourself and mitigate your chances of becoming another scammed victim.
References
Safe search settings and software will help you avoid danger sites. (n.d.). Retrieved November 24, 2013, from http://www.scambusters.org/safesearch.html
 

Wednesday, August 21, 2013

Scam Protection with Encryption, Authentication, Network Design, and Policies

When I think about being scammed I think about someone tricking me into doing something that I would not do if I knew otherwise.  However, that is not always the case when it comes to scams conducted on the Internet.  According to SCAMwatch (n.d.), “A lot of internet scams take place without the victim even noticing.  It is only when their credit card statement or phone bill arrives that the person realizes that they might have been scammed” (Online Scams).

Scammers use a variety of techniques to obtain information that they feel will be of value to them.  Some of the scams can use passive attacks.  A passive attack is difficult to detect because the scammer does not alter any data.  Some passive attacks are shoulder surfing or dumpster diving.  On the other hand, some scammers choose to employ active attacks to carry out their scams.  According to Stallings (2014), “Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service” (p. 11).
A masquerade attack occurs when an attacker poses as a valid entity to obtain access to a system.  Replay attacks take place when an attacker intercepts data during a transmission and then resends the data to create an undesirable effect.  Modification of messages involves altering message content to something that will benefit the person conducting the malicious act.  Modification of messages can also be used to delay or reorder messages to create an unauthorized effect.  Denial of service occurs when an attacker disrupts or delays the normal operation of a specific target or network.
Completely eliminating passive and active attacks is unrealistic.  However, the threats can be mitigated with the incorporation of encryption, authentication, network design, and policies.  Encryption makes messages unreadable to anyone that does not possess the key required to decrypt them and make them readable.  Authentication is a measure that ensures entities are who they say they are before full access is granted to resources.  Network design is the concept of incorporating security standards that are known to be effective at preventing attacks.  An example of a network design security standard is a demilitarized zone (DMZ).  Policies are important because they outline security procedures to users in an effort to prevent passive attacks like shoulder surfing and dumpster diving.
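To make the replay, modification, and masquerade attacks above concrete, here is an added example (not code from the post or from Stallings) of the "authentication" countermeasure: every message carries a keyed HMAC, a fresh nonce, and a timestamp, and the receiver rejects anything with a bad MAC, a reused nonce, or a stale timestamp.  The shared key and the sample payloads are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared key for this example only; real systems provision keys out of band.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _canonical(body):
    # Stable byte encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_message(payload, key=SHARED_KEY, now=None):
    """Sender side: attach a nonce and timestamp, then a MAC over the whole body."""
    body = {
        "payload": payload,
        "nonce": secrets.token_hex(16),            # defeats straight replay
        "ts": int(now if now is not None else time.time()),  # bounds delayed replay
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class Receiver:
    """Receiver side: verifies the MAC first, then freshness, then nonce uniqueness."""

    def __init__(self, key=SHARED_KEY, max_age=300):
        self.key = key
        self.max_age = max_age      # seconds a message may be in flight
        self.seen_nonces = set()    # a real receiver would expire these with the window

    def accept(self, msg, now=None):
        now = now if now is not None else time.time()
        unauth = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(unauth), hashlib.sha256).hexdigest()
        # Constant-time compare; a wrong MAC covers both modification and masquerade.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False, "rejected: bad MAC (modified or forged message)"
        if abs(now - msg["ts"]) > self.max_age:
            return False, "rejected: stale timestamp (delayed replay)"
        if msg["nonce"] in self.seen_nonces:
            return False, "rejected: nonce already seen (replay)"
        self.seen_nonces.add(msg["nonce"])
        return True, "accepted"


def demo():
    """Run one legitimate message and three attack variants through the receiver."""
    rx = Receiver()
    t0 = 1_700_000_000                                   # fixed clock for reproducibility
    msg = make_message({"transfer": 100, "to": "acct-42"}, now=t0)

    first = rx.accept(msg, now=t0)                       # legitimate delivery
    replay = rx.accept(msg, now=t0 + 5)                  # attacker resends the capture

    tampered = dict(msg)                                 # attacker edits the amount
    tampered["payload"] = {"transfer": 10000, "to": "acct-42"}
    modified = rx.accept(tampered, now=t0)

    forged = make_message({"transfer": 1}, key=b"guess", now=t0)  # masquerade without the key
    masquerade = rx.accept(forged, now=t0)

    late = make_message({"transfer": 1}, now=t0)         # captured, then replayed an hour later
    delayed = rx.accept(late, now=t0 + 3600)
    return first, replay, modified, masquerade, delayed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The MAC alone does not stop replay, which is why the nonce set and the timestamp window are needed as well; encryption (not shown) would additionally hide the payload from a passive observer.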

There is no doubt that there are people out there conducting active and passive attacks.  The attacks they conduct can be difficult to detect and mitigate.  However, implementing the aforementioned measures will stop many attacks before they can penetrate the network’s perimeter, provide early detection, and facilitate recovery operations in the event an attack occurs.
References

Online scams. (n.d.). Retrieved August 21, 2013, from http://www.scamwatch.gov.au/content/index.phtml/tag/onlinescams
Stallings, W. (2014). Network security essentials (5th ed.). Boston, MA: Pearson Education.

Saturday, April 20, 2013

Be Careful What You Search For

Searching for topics of interest on the Internet is something users do on a regular basis. The ability to search for information using a search engine is a great feature that will provide results in seconds. Unfortunately, indiscriminately searching for topics on the Internet can increase your chances of becoming a victim of an Internet scam.  Additionally, your chances increase drastically if you are someone that is drawn to celebrity news.
Celebrities always seem to be in the limelight.  They are constantly in the news and their pictures are plastered across checkout lines in grocery stores.  Attackers know a large portion of the population follows celebrity news.  Therefore, they have adapted their malicious techniques to incorporate celebrity features in an effort to draw you into their trap.
In an article titled McAfee Reveals Emma Watson as 2012’s Most Dangerous Cyber Celebrity, it was stated, “Cybercriminals follow the latest trends, often using the names of popular celebrities to lure people to sites that are actually laden with malicious software that are designed to steal passwords and personal information” (2012, para. 2).  The article also revealed the ten most risky celebrities to search for in 2012.  They are: 1) Emma Watson, 2) Jessica Biel, 3) Eva Mendes, 4) Selena Gomez, 5) Halle Berry, 6) Megan Fox, 7) Shakira, 8) Cameron Diaz, 9) Salma Hayek, 10) Sofia Vergara (McAfee Reveals Emma Watson as 2012’s Most Dangerous Cyber Celebrity, 2012).
Fortunately, there are measures you can practice that will enable you to continue to snoop on the lives of celebrities and keep your valuable information safe.  McAfee.com recommends the following when searching for celebrity information on the Internet: watch or download content from a trusted site; don’t click on advertisements or pictures of celebrities; avoid free downloads because attackers often use them to deliver their malicious content; refrain from searching for celebrity news; ensure all Internet accessible devices have up to date Internet security software (McAfee Reveals Emma Watson as 2012’s Most Dangerous Cyber Celebrity, 2012).
References:
McAfee reveals Emma Watson as 2012’s most dangerous cyber celebrity. (2012, September 10). Retrieved April 20, 2013, from http://www.mcafee.com/us/about/news/2012/q3/20120910-01.aspx
 
 

Monday, February 18, 2013

Nontechnical Methods Used for Scamming

It is evident that scammers will utilize a variety of techniques to launch their scams.  For the past 10 weeks I have discussed some of the technical methods they utilize, and in week 7 I briefly discussed nontechnical methods attackers (hackers or scammers) use in an effort to obtain your personal information or information about the organization you work for.
This week I want to provide you with more information about the nontechnical methods that attackers will use to obtain your valuable information.  In addition to technical methods, attackers will utilize psychological manipulation and physical acts to obtain valuable information.  These nontechnical methods are more commonly referred to as social engineering attacks in the information security field.
Psychological manipulation is a method that attempts to persuade you to do something through the use of flattery, conformity, empathy, urgency, or friendliness.  Attackers will employ a variety of psychological manipulation tactics that include but are not limited to: impersonation, phishing, spam, and hoaxes (Ciampa, 2012, p. 58).  Impersonation is the act of making others believe that you are someone that you really are not.  According to Ciampa (2012) attackers will often take on the fictitious role of a repair person, an employee, a law enforcement official, a manager, or a trusted third party (p. 59).  So in other words, attackers can impersonate just about anyone; their imagination is their only limit.
I discussed phishing in a previous post about 5 weeks ago.  It is one of the more preferred methods of attackers because it is very effective.  An area I failed to talk about in my post on phishing was the various types of phishing attacks.  Some of the types of phishing attacks are as follows:
Pharming: when attackers alter a server on the Internet to redirect users to a fake Web site.  Users often don't even know they are visiting a fake Web site.
Spear phishing: a customized phishing attack that is tailored for a certain recipient.
Whaling: similar to spear phishing but targets recipients in upper management or that have a lot of money.
Vishing: when an attacker launches their attack by calling a victim instead of e-mailing them.
Spam is those unwelcome emails you may receive.  Like phishing, spamming is very effective and can net the person responsible for sending them thousands if not millions of dollars.  They normally appear as an advertisement that tries to get you to purchase a product.  However, they are commonly used by attackers to deliver viruses or other malicious code.
Hoaxes are normally delivered via email too.  They attempt to get you to do something by warning you about a false event.  In the end the event did not or will not occur and the directions may be a list of computer configurations that an attacker may need completed in order to gain access to a system.
As mentioned earlier, attackers also employ physical acts in order to obtain information.  Some attackers will even go through the trash looking for any information that may be of value to them.  Attackers are known to find documents in the trash that contain valuable information.  So double check that piece of paper for any information of value before you go to throw it away.
Another common physical act is known as tailgating.  Tailgating is when an attacker waits outside of a secured door that has an automated access control system and follows someone that has access in.  An easy way to defend against tailgating is to make sure that no one follows you in after you enter and that the door secures behind you.  Additionally, you should report anyone hanging out by a secured entry point to your organization's security personnel.
Don't fall victim to a social engineering attack.  Educate yourself, employees, and family members on the methods attackers employ in an attempt to obtain your valuable information.  Also, follow the security measures your organization has hopefully implemented.  And, in this instance, common sense goes a long way.  Do not comply with the demands in an email, phone call, or face to face visit if there is any doubt as to the validity of it.
References:
Ciampa, M. (2012). Security+ guide to network security fundamentals (4th ed.). Boston, MA: Course Technology.

Tuesday, February 12, 2013

Firewalls: Protect Your Computer, Personal Information, and Help Prevent You From Getting Scammed

http://www.clker.com/clipart-1771.html
What kind of information do you store on your computer?  Do you store financial documents?  Are you one of those people that receives all of your bills via electronic statements and stores them on your computer?  Or maybe you are one of those people that has scanned and saved important documents like birth and marriage certificates.
The next question is what security measures have you implemented to safeguard that important information on your computer?  Many may reply to this question by stating they use antivirus software to protect their computer and information.  Well, that is a start; however, another line of defense to add to your information security arsenal should be to implement and maintain a firewall.
According to Audri and Jim Lanford, "Independent tests show that without a firewall, a standard PC that is connected to the Internet can be compromised in 10 to 20 minutes"  (http://www.scambusters.org/firewall.html).  If that statistic doesn't motivate you to learn more about firewalls and implement one at your home and maybe even your business then I don't know what will.  If you have decided to continue reading then I have probably got your attention.
A firewall is a shield that prevents malicious content from the Internet from entering your network or computer.  Firewalls function by monitoring incoming Internet traffic for known malicious content or content that appears suspicious.  When known or suspected content is discovered, a properly configured firewall will block the content and alert the user of the activity.
Firewalls come in two forms, hardware or software.  Home networks and computers often utilize firewall software.  This is mainly due to their ease of use and affordability.  Hardware firewalls are commonly used in organizations with extensive networks and can be quite complicated to configure.  They provide better protection and are more expensive when compared to software firewalls.  However, hardware firewall purchase costs continue to decrease, which has triggered their implementation in homes and other small networks (Audri Lanford and Jim Lanford, n.d., http://www.scambusters.org/firewall.html).
It is apparent that a firewall can strengthen your information security by providing another line of defense that must be circumvented in order to get to your valued information.  It is important to note that a firewall doesn't always protect you from malicious attacks.  Scammers are constantly inventing new methods that attempt to evade your information security measures.  That is why it is important to have multiple lines of defense (education, training, antivirus, etc.) to protect your personal information and lessen your chances of falling victim to a scam.
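As an added illustration of the "block and alert" behaviour described above (this is example code written for this page, not anything from the post or from scambusters.org), the following models a small packet filter with first-match rules and a default-deny policy for a home PC: outbound traffic and replies to connections the user opened are allowed, everything else arriving from the Internet is dropped and logged.  The rule set, addresses, and packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (from this PC)
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str = "new"      # "new" or "established", as a connection tracker would label it


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    direction: str = "*"            # "*" is a wildcard
    proto: str = "*"
    dport: Optional[int] = None     # None matches any port
    state: str = "*"
    note: str = ""                  # human-readable reason that lands in the alert

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("*", p.direction)
                and self.proto in ("*", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and self.state in ("*", p.state))


# Constructed home-PC policy. Order matters: the first matching rule decides.
HOME_POLICY = [
    Rule("allow", direction="out", note="outbound traffic initiated by the user"),
    Rule("allow", direction="in", state="established", note="reply to a connection we opened"),
    Rule("deny", direction="in", proto="tcp", dport=445, note="SMB from the Internet"),
]
DEFAULT_RULE = Rule("deny", note="default deny: no rule allowed it")


def evaluate(p: Packet, policy=HOME_POLICY):
    """Return (action, reason) for one packet under first-match semantics."""
    for rule in policy:
        if rule.matches(p):
            return rule.action, rule.note
    return DEFAULT_RULE.action, DEFAULT_RULE.note


def process(packets, policy=HOME_POLICY):
    """Decide every packet; blocked ones produce an alert line for the user."""
    decisions, alerts = [], []
    for p in packets:
        action, reason = evaluate(p, policy)
        decisions.append(action)
        if action == "deny":
            alerts.append(f"ALERT blocked {p.proto} {p.src} -> {p.dst}:{p.dport} ({reason})")
    return decisions, alerts


# Constructed traffic: a web request, its reply, and two unsolicited inbound probes.
SAMPLE_TRAFFIC = [
    Packet("out", "tcp", "192.0.2.10", "198.51.100.5", 443),
    Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 51234, state="established"),
    Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 445),
    Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 3389),
]

if __name__ == "__main__":
    decisions, alerts = process(SAMPLE_TRAFFIC)
    print(decisions)
    print("\n".join(alerts))
```

The explicit SMB rule is redundant with the default deny; it is there to show that a named rule gives the user a more useful alert than the catch-all does.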

References:

Lanford, A., & Lanford, J. (n.d.). How does a firewall work and how can it protect your computer? Retrieved February 12, 2013, from http://www.scambusters.org/firewall.html

OCAL. (n.d.). Firewall network block communication data clip art [Image]. Retrieved from http://www.clker.com/clipart-1771.html

Tuesday, February 5, 2013

Enhancing Information Security Through the Use of Risk Management

http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make
There is no escaping risk.  Risk is present in just about every activity that is conducted by an organization.  Risk is also present in the functions that we conduct on a daily basis at home.  If left unmanaged, risk can elevate to a level that could potentially have catastrophic and often irreversible effects, especially in the information technology world.  On the other hand, risk that is managed reinforces a security program by controlling or mitigating risks.

In order to control and mitigate risk it is important to develop a risk management plan.  A risk management plan can be completed in 2 phases.  The first phase is risk identification and assessment.  During this phase assets are inventoried, threats and vulnerabilities are identified, and risk factors are calculated for each asset.  After the risk factors are calculated, each asset can be prioritized according to its risk factor.  Last, controls in the form of policies, programs, and/or technical controls are developed for each threat with a vulnerability associated to it (Whitman & Mattord, 2010, p. 276-301).

The second phase of the risk management process is risk control.  During this phase risk control strategies are utilized to control the risks that are created by the vulnerabilities. According to Whitman and Mattord (2010) there are four strategies that can be utilized to control risk.  The four strategies are avoidance, transference, mitigation, and acceptance (p. 309).

Risk avoidance consists of techniques that are implemented through the use of policies, training and education, threat countering, and/or technical controls to fortify assets with vulnerabilities.  Risk transference is a method utilized to pass risk to another asset or organization.  Risk mitigation is a strategy used to lessen the severity of an incident or disaster by ensuring plans are prepared that address detection and rapid response.  Risk acceptance is the strategy of accepting a risk for what it is because the cost of protection exceeds the value of the asset (Whitman & Mattord, 2010, p. 276-301).

Another strategy that Whitman & Mattord do not identify but is listed in National Institute of Standards and Technology (NIST) Special Publication 800-39 (2011) is risk sharing.  Risk sharing is similar to risk transference; however, it only shifts a portion of the risk, whereas risk transference transfers the entire risk to another asset or organization (p. 43).
One of the most important steps in the risk management process is monitoring and reevaluation.  Threats are constantly changing and new vulnerabilities are being discovered.  Therefore, risk assessments and strategies should be conducted regularly to ensure that the control is maintained and risks that are mitigated continue to be mitigated.
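The two phases above can be walked through in code.  What follows is an added example (not from the post, NIST SP 800-39, or Whitman & Mattord) that inventories a few constructed assets, scores each threat with a weighted-factor formula, prioritizes the results, and then applies the acceptance rule stated above (cost of protection greater than asset value) before choosing among transference, avoidance, and mitigation.  The formula, the asset values, likelihoods, and the decision rule are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int          # relative importance on a 1..100 scale (constructed weighting)
    # (threat description, likelihood 0..1, fraction of the risk already controlled 0..1)
    threats: list = field(default_factory=list)


def risk_factor(value, likelihood, pct_controlled, uncertainty=0.1):
    """Assumed weighted-factor formula for this example:
    risk = likelihood * value, reduced by what current controls already cover,
    then inflated by an uncertainty allowance because our knowledge is imperfect."""
    base = likelihood * value
    return base - base * pct_controlled + base * uncertainty


def assess(assets):
    """Phase 1: compute a risk factor per (asset, threat) and rank highest first."""
    rows = []
    for asset in assets:
        for threat, likelihood, controlled in asset.threats:
            score = round(risk_factor(asset.value, likelihood, controlled), 1)
            rows.append((asset.name, threat, score))
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def choose_strategy(asset_value, cost_of_control, transfer_cost=None, control_available=True):
    """Phase 2: pick a control strategy. Decision rule is an assumption for this example:
    accept when protection costs more than the asset is worth; transfer when a third party
    can carry the risk more cheaply; avoid (apply controls) when we can; otherwise mitigate."""
    if cost_of_control > asset_value:
        return "acceptance"
    if transfer_cost is not None and transfer_cost < cost_of_control:
        return "transference"
    if control_available:
        return "avoidance"
    return "mitigation"


# Constructed inventory for a small organization.
SAMPLE_ASSETS = [
    Asset("customer database", 100, [
        ("phishing for staff credentials", 0.5, 0.4),
        ("SQL injection against the web front end", 0.2, 0.8),
    ]),
    Asset("public website", 60, [("defacement", 0.3, 0.0)]),
    Asset("staff laptops", 20, [("theft", 0.7, 0.0)]),
]

if __name__ == "__main__":
    for name, threat, score in assess(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}: {threat}")
    print(choose_strategy(asset_value=100, cost_of_control=30))   # avoidance
    print(choose_strategy(asset_value=20, cost_of_control=50))    # acceptance
```

Re-running `assess` after controls are added (raising `pct_controlled`) is the monitoring and re-evaluation step: the ranking shifts as mitigations take effect and as new threats are appended to the inventory.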

After all this you may be wondering how this all fits into Internet scams. Well, when properly conducted, an information security risk assessment should include the assets that could be affected by the threats that are associated with Internet scams.  After the assessment is completed and a risk rating factor is assigned to each asset, a single or combination of control strategies can be implemented to control and/or mitigate the risk related to each asset that can be affected by an Internet scam.  Or you can choose to not utilize the risk management process, roll the risk dice, and hope you have done everything you can to protect the assets under your control.

References:

NIST SP 800-39 managing information security risk. (2011, March). Retrieved February 5, 2013, from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf

[Risk]. (2012, September 27). Retrieved from http://blog.icorps.com/bid/134760/5-IT-Security-Mistakes-That-Companies-Still-Make

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.


Tuesday, January 29, 2013

Connect With Friends and Family, Meet New People, and Possibly Get Scammed

https://www.facebook.com/facebook

I can’t even begin to tell you how many times I have been asked, “Are you on Facebook?”  My response every time is NO and to this day I still do not have a Facebook account.  There is no doubt in my mind that Facebook connects people with their friends and family and enables them to meet new people; however, there has always been something about Facebook that makes me uneasy.

As you can see in the picture above, there have been at least 85 million people that have visited Facebook’s Facebook page and that is just the people that gave the page a thumbs up.  Now that is a lot of people.  For a scammer this site could potentially be a gold mine if they could only find a way to employ their malicious scams on it.  Well, they already have and they have been doing it for some time now.

The goals of the scams on Facebook are basically the same as many of the other scams on the Internet.  They attempt to steal your personal information, trick you into subscribing to some service, or initiate a download of malicious code (Zorz, 2013, Facebook scams and why users fall for them).

In order to accomplish their goals, scammers have devised many methods to employ their scams on Facebook.  Their scams include a myriad of methods that include but are not limited to: correspondence disguised as if it came from Facebook directly (Facebook preference changes, free Facebook items to give away, Facebook account scare alerts, and Facebook notification emails), free items given away by third parties (free iPad or iPhone, free Walmart gift card, etc.), attention grabbing news (can be real or fake news), or attention grabbing videos, pictures, or statements (Zorz, 2013, Facebook scams and why users fall for them).

As always, there are measures you can practice to protect yourself on Facebook.

1. Educate yourself on the methods scammers are employing.  There are many websites that  identify the scams that are currently employed on Facebook.  Locate a website you like and read up on the scams (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).

2. Restrain yourself from clicking on interesting pictures, videos, or links.  I know it can be hard to not click on them; in the end, just refrain from it (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).

3. Click with caution.  Scammers insert links on Facebook hoping you click on them.  Examine links carefully.  You can do this by examining a link's URL.  A link's URL can be viewed by right clicking it and selecting properties.  Signs of an illegitimate URL are: a shortened link that makes the destination unidentifiable, misspellings of Facebook, unusual length, or many numbers or letters (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).

4. Be cautious when approving apps.  Many Facebook users fail to read the fine print before approving an app or are forced into approving an app.  If fine print is present read it thoroughly.  The fine print may reveal that you are authorizing the app to do something like access your address book and/or use your user name.  Additionally, if you find yourself being forced into allowing an app then it is probably safe to say the app has malicious intent.  Those types of apps can be stopped from executing by closing the browser (Zorz, 2013, How to avoid Facebook scams and limit the damage they make).
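The URL signs listed in measure 3, together with the "one character different", https, and correct-domain-ending advice from the November 2013 post above, can be turned into a repeatable check.  The following is an added example written for this page (not code from the post or from net-security.org): it compares the registrable domain of a link against a small constructed allow-list, flags near-misses by edit distance, a known brand name buried in someone else's host name, a wrong top-level domain, link shorteners, plain http, excessive length, and digit-heavy host names.  The allow-list and shortener list are assumptions; extend them with the sites you actually use.

```python
from urllib.parse import urlsplit

# Constructed lists for the example; a real check would carry the user's own trusted sites.
KNOWN_GOOD = {"facebook.com", "bellevue.edu", "google.com"}
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the host. Naive on purpose: it mishandles suffixes such as
    co.uk, which a production check would look up in the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def inspect_url(url):
    """Return (registrable domain, list of warning strings) for a link."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host)
    label, _, tld = domain.rpartition(".")

    if parts.scheme != "https":
        findings.append("not https")
    if domain in SHORTENERS:
        findings.append("shortened link hides the real destination")
    elif domain not in KNOWN_GOOD:
        for good in sorted(KNOWN_GOOD):
            good_label, _, good_tld = good.rpartition(".")
            if label == good_label and tld != good_tld:
                # right name, wrong ending: bellevue.com instead of bellevue.edu
                findings.append(f"ends with .{tld} instead of .{good_tld}")
            elif 0 < edit_distance(domain, good) <= 2:
                # faceb00k.com is two substitutions away from facebook.com
                findings.append(f"one or two characters off from {good}")
            elif good_label in host:
                # facebook.com.something.example.net really belongs to example.net
                findings.append(f"'{good_label}' appears in host but the domain is {domain}")
    if len(url) > 75:
        findings.append("unusually long URL")
    if sum(c.isdigit() for c in host) >= 4:
        findings.append("many digits in host name")
    return domain, findings


if __name__ == "__main__":
    # Constructed sample links; only the first is genuine.
    for link in ["https://www.facebook.com/",
                 "http://faceb00k.com/login",
                 "http://bellevue.com",
                 "https://bit.ly/3xyz",
                 "https://facebook.com.login-verify1234.example.net/x"]:
        print(link, "->", inspect_url(link))
```

A clean result only means the link passed these heuristics, not that the site is safe; it is a filter to apply before clicking, alongside the safe-browsing lookup described earlier.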

There is one last measure that I would like to add, but many may not think it is practical so I am not going to list it as measure number 5.  However, I will share it strictly as a personal recommendation.  If you are really worried about the scams on Facebook then don’t use it.  I personally don’t have a Facebook account because I like keeping my life as private as possible.  Additionally, if I want to connect with friends or family then I will call them, email them, or in some cases I will even send them a letter or card through the U.S. mail.

Resources:

Facebook is on Facebook. (n.d.). Retrieved January 29, 2013, from https://www.facebook.com/facebook

Zorz, Z. (2013, January 17). Facebook scams and why users fall for them. Retrieved January 29, 2013, from http://www.net-security.org/secworld.php?id=14252

Zorz, Z. (2013, January 25). How to avoid Facebook scams and limit the damage they make. Retrieved January 29, 2013, from http://www.net-security.org/secworld.php?id=14304

Tuesday, January 22, 2013

Do You Really Safeguard Your Information?

My job requires me to travel from time to time.  When I do travel for work purposes I normally have to travel by air to the location I am required to go.  I am usually very careful when I make my airline reservations.  However, when I made my flight arrangements for a trip I took last week I made a mistake which resulted in a five hour layover.  Needless to say, I had a lot of time to waste in an airport that I really did not want to be at.
During that long stretch of time, I started to think about a video that I watched on YouTube a couple of months back.  The video is of a presentation called No-Tech Hacking which is presented by a computer security expert named Johnny Long.  I have inserted the video, which I obtained from YouTube, below for those that would like to watch it.
What is so interesting about the presentation is that Johnny Long informs the audience on how easy it is to obtain information on people, organizations, and/or businesses by observing the actions of others and/or by paying attention to what is in plain view.  I used to think that attackers (scammers, hackers, and cyber terrorists) would obtain personal information by using technical methods until I watched Johnny Long's presentation.  What Johnny Long reveals is that people often give up their private information without even knowing it.
For example, when I was sitting in the airport waiting for my connecting flight I was able to learn a lot about the people around me.  I was able to observe a man enter his password on his Mobile device not once or twice, but three times.  By the way, I had it memorized after the second time.  Additionally, I was able to view the screens of many laptops and many had what appeared to be work related information on their screens.
So what can we all learn from this? What I learned is that I have to be more careful about concealing my personal information when I am in public or private places. Many may think I am being paranoid, but just remember that attackers will use a variety of methods to try and obtain your personal information so they can use it for malicious purposes.  Even if it means using a method that is as simple as observing your actions in an airport.

Resources:

Basic204. (2008, September 11). No-tech hacking [Video file]. Retrieved from http://www.youtube.com/watch?v=5CWrzVJYLWw

 

Tuesday, January 15, 2013

People Are the First Line of Defense

In my blog post for last week I talked about the effectiveness of phishing attacks and methods to practice that will lessen your chances of becoming a victim.  This week I would like to go over an incident that was more than likely initiated with a phishing attack and identify a security measure that is often not utilized, but when implemented can strengthen an organization's information security program.

In October of 2012 South Carolina State officials announced that the South Carolina Department of Revenue had experienced a massive data breach.  The attacker responsible for the attack apparently had access to the South Carolina Department of Revenue's database for months and was able to obtain 1.9 million social security numbers and 3.3 million bank account numbers (Schwartz, 2012).

The most shocking aspect of the South Carolina Department of Revenue data breach incident for me is that the data breach may have been initiated with a phishing attack.  The security firm Mandiant provided a theory as to how the attacker gained access to the Department of Revenue's database.  They found evidence that suggests that a phishing attack, in the form of an e-mail, was sent to multiple Department of Revenue employees.  At least one of the employees clicked on the link that was contained in the e-mail, which launched the malicious code that captured the employee's user name and password.  The attacker was then able to use the employee's user name and password to access the user's workstation, manipulate the user's access rights, and access other Department of Revenue systems and databases (Heilman & Glyer, 2012, p. 2-3).

This incident is a perfect example to illustrate that people are the first line of defense when it comes to security.  In order to strengthen that first line of defense, it would be very beneficial for any organization to implement a security education, training, and awareness (SETA) program.  According to Whitman and Mattord (2010), "SETA programs enhance general education and training programs by focusing on information security" (p. 189).  With that being said, it would be interesting to know if the South Carolina Department of Revenue has a SETA program and if they do whether or not the employee that clicked on the link in the malicious e-mail completed any mandated information security training.

Implementing a SETA program is not an easy task.  There are many aspects that have to be analyzed and considered when developing a program.  However, before one begins the momentous task, he or she should first obtain support from management.  This too is not easy to sell, but may be accomplished by informing management of the consequences that could occur by not having a SETA program.  In addition, the benefits can be briefed to management in an attempt to get them to buy into the program.

With cyber threats increasing at a rapid rate it is only logical to invest in the first line of defense.  An effective SETA program will provide employees with the education, training, and awareness that are necessary to fight the cyber security war and mitigate incidents like the South Carolina Department of Revenue data breach from occurring.

Resources

Heilman, M., & Glyer, C. (2012, November 20). South Carolina Department of Revenue public incident response report. Retrieved January 15, 2013, from http://governor.sc.gov/Documents/MANDIANT%20Public%20IR%20Report%20%20Department%20of%20Revenue%20%2011%2020%202012.pdf

Schwartz, M. (2012, November 26). How South Carolina failed to spot hack attack. Retrieved January 15, 2013, from http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spot-hack-a/240142543

Whitman, M., & Mattord, H. (2010). Management of information security (3rd ed.). Boston, MA: Course Technology Cengage Learning.

Friday, January 11, 2013

Most Scammers Would Rather Be Phishing

I am one of those people that thinks, "Who would fall for that?" when it comes to phishing scams.  For example, I received this text message not too long ago.  Really, I just won a $1000 Best Buy Gift Card??  I don't even recollect filling anything out to submit my name into the drawing.  Plus, I have never won anything so this is definitely a scam.
My wife was looking over my shoulder as I was inserting the above picture for this post, and she kind of chuckled.  I asked her what was so funny, and she said that she had received a text like that a couple of months ago stating she had won something from Wal-Mart.  I said, "You deleted it, right?"  She said, "No, I clicked on the link and it brought me to this weird website.  After that I closed out of it, but this weird $10.00 charge ended up on our cellphone bill.  I had to call them, and they ended up removing the charge."  I couldn't believe what I was hearing.  Of all people, my wife fell for the obvious phishing scam.  I just consider myself lucky this time.
 
The whole situation made me think about the effectiveness of phishing.  According to scambusters.org, phishing scams are on the rise.  This is probably because they are easy for scammers to carry out and they work, but just how effective are they?  Statistics are scarce, perhaps because it is difficult to retrieve data on a phishing scam after it has been uncovered.  However, Bortnik (2011), an Awareness & Research Coordinator at ESET Latinoamerica, reported in his blog that his organization researched a phishing attack that lasted just over five hours.  In that brief window 164 people accessed the site and 35 of them entered their credit card information (http://blog.eset.com/2011/01/26/inside-a-phishing-attack-35-credit-cards-in-5-hours), a conversion rate of more than 20 percent.  I consider that to be an effective phishing scam in my book.  Another figure, from http://www.phishing.org, states that "the cost of phishing is nearly $500 million per year in the United States alone."  That is a lot of money, and it shows that phishing pays.
 
So what is phishing, and what can you do to avoid becoming a victim?  Phishing is a social-engineering attack in which the attacker impersonates a trusted organization to trick people into handing over sensitive information such as passwords, account numbers, or card details.  It is delivered by e-mail, by phone, and, as the text messages above show, increasingly on mobile devices as they grow in use and popularity.
 
Even as phishing attacks become more sophisticated, they remain easy to defend against with a few habits.  If you practice the following techniques, adapted from http://www.phishing.org, you will decrease your chances of becoming a victim:
 
1. Check email carefully: look for errors and verify the information independently.  One way is to call the organization named in the email directly, using a number from its official website or from a statement you already have, never the number provided in the email.  That number could be part of the trick.
 
2. Never provide private information: many phishing emails ask for your private information after you click on a link in the message.  Never enter information on a page you reached by clicking a link in an email; if you think the request might be genuine, type the organization's address into your browser yourself and log in from there.
 
3. Identify fake phone numbers: phishing attacks over the phone may disguise the caller's number, so caller ID alone does not prove who is calling.  Try to determine whether it is fake.  When in doubt, don't relinquish any private information.  I personally never provide any information unless I initiate the call to the organization.
 
4. Use firewalls and antivirus: firewalls and antivirus will aid in preventing and/or identifying phishing attacks when configured correctly and updated regularly.
 
5. Never send private information in an email: there is no telling who may end up with private information you send in an email.  The best practice is simply not to do it.
 
6. Check your finances regularly:  this will allow you to identify and dispute any discrepancies shortly after they occur.
 
7. Never download files from unreliable sources: if you have any doubt at all about the legitimacy of an email or website, don't download any files from it.
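Tips 1 and 2 come down to inspecting a message before acting on it.  The Python script below, added here as an example and not part of the original post or of phishing.org's advice, automates three of those inspections on a raw e-mail: whether the Reply-To address lands in a different domain than the From address, whether the subject or body uses prize or "verify your account" lure language, and whether a link's visible text names one host while its href actually goes to another (or to a bare IP address).  The two sample messages, the lure-phrase list, and every domain, address and number in them are constructed placeholders for the example; the code uses only the Python standard library.

```python
"""Flag common phishing indicators in a raw e-mail message before anyone clicks."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages, not real phishing mail: every domain, address and
# number below is a placeholder from the reserved example ranges.
PHISH_EMAIL = b"""From: "Best Buy Rewards" <rewards@bestbuy-winner.example>
Reply-To: claims@mail-prizes.example
To: victim@example.net
Subject: You have WON a $1000 gift card - act within 24 hours
Content-Type: text/html; charset=utf-8

<html><body><p>Congratulations! Click
<a href="http://203.0.113.7/claim?id=41">https://www.bestbuy.com/claim</a>
to verify your account and enter your card details.</p></body></html>
"""
CLEAN_EMAIL = b"""From: "Acme Support" <support@acme.example>
To: victim@example.net
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready at
<a href="https://acme.example/statements">https://acme.example/statements</a>.</p></body></html>
"""

# Lure phrases typical of prize and "verify your account" scams (assumed list).
LURE = re.compile(r"\b(won|act now|within 24 hours|urgent|verify your account)\b", re.I)
# Anchor text that itself names a URL, domain or IP; group 1 is the host the reader sees.
DOMAINISH = re.compile(
    r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(?:[/:?#].*)?$")
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _norm(host):
    """Lower-case a host name and drop a leading 'www.' so www.x.com equals x.com."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def address_domain(header_value):
    """Domain of the address in a From/Reply-To header value, or '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return _norm(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return a list of findings for one message; an empty list means nothing fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    # 1. Reply-To routed to a domain other than the claimed sender's.
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    if from_domain and reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 2. Lure language in the subject line.
    subject = str(msg.get("Subject", ""))
    if LURE.search(subject):
        findings.append(f"Lure language in subject: {subject!r}")
    # 3. Links whose visible text names one host but whose href goes to another,
    #    and links that point at a bare IP address instead of a host name.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        content = body.get_content()
        if body.get_content_type() == "text/html":
            extractor = LinkExtractor()
            extractor.feed(content)
            for text, href in extractor.links:
                real = _norm(urlparse(href or "").hostname or "")
                match = DOMAINISH.match(text)
                shown = _norm(match.group(1)) if match else ""
                if shown and real and shown != real:
                    findings.append(f"Link text shows {shown} but points to {real}")
                if BARE_IP.match(real):
                    findings.append(f"Link target is a bare IP address: {href}")
        if LURE.search(content):
            findings.append("Lure language in body")
    return findings
```

Calling `phishing_indicators(PHISH_EMAIL)` returns five findings (the Reply-To mismatch, lure wording in subject and body, the link that displays bestbuy.com but points to 203.0.113.7, and the bare-IP target), while `phishing_indicators(CLEAN_EMAIL)` returns an empty list.  The checks are heuristics, not proof: a message that passes them can still be a phish, and the link-text comparison only fires when the anchor text itself looks like a URL or domain, so "Click here" links are never flagged on that basis.  Run it against a message saved from your mail client as raw source (.eml) before deciding whether to act on it.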
 
Phishing scams are effective, and therefore I think they will remain a method that attackers continue to employ.  Thankfully, there are ways to combat their ploys.  Practice the above suggestions and you will lessen your chances of becoming a victim.  Thanks for reading, and look for my next post sometime next week.
 
Resources
 
Bortnik, S. (2011, January 26). Inside a phishing attack: 35 credit cards in 5 hours [Blog post]. Retrieved from ESET Threat Blog: http://blog.eset.com/2011/01/26/inside-a-phishing-attack-35-credit-cards-in-5-hours
 
How to prevent phishing scams. (n.d.). Retrieved January 11, 2013, from http://www.phishing.org/
 
Phishing scams: How you can protect yourself. (n.d.). Retrieved January 11, 2013, from http://www.scambusters.org/phishing.html