Organizational Phishing Education Nicholas Davis, CISA, CISSP November 15, 2016


Page 1: Organizational Phishing Education

Organizational Phishing Education
Nicholas Davis, CISA, CISSP

November 15, 2016


Overview

• Phishing background
• Threat to IT within universities
• Phishing education
• Tricks employed
• Sample educational phishing emails sent
• Spotting the phish, after the click
• Q&A

05/02/2023 2


Phishing Defined

Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.


Why Phishing Is Such a Threat

• IT infrastructure is designed to protect the campus's computing assets with many technical controls

• However, those controls push attackers to pursue access by other means, and they often choose to exploit the human factor


Your Password Is the Key to the Kingdom

If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems


Higher Education Proprietary Research Interests Phishers

Consider the value of an organization’s intellectual property

05/02/2023 UNIVERSITY OF WISCONSIN 6


I am Too Smart to Fall For a Trick Like Phishing

Most large organizations have a phishing participation rate of around 10%. This rises when the population becomes the subject of spear phishing, which is phishing email designed specifically for the recipient.


Phishing Relies Upon Social Engineering

The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security either personal or professional. Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.


Tricks Used By Expert Phishers

Socially Aware: Mining of information about the target from publicly available resources, such as Facebook, property records, or even CCAP

Context Aware: Making reference to an activity you are likely to engage in, such as an Amazon.com order or a UPS package receipt


Specific Examples of Complex Phishing Attempts

Baiting: Placing a USB flash drive or CD, with malware on it, in a public place


Specific Examples of Complex Phishing Attempts

QR Code Curiosity: Embedding malicious code within a QR code, on a printout posted to a community bulletin board


Specific Examples of Complex Phishing Attempts

Out of Office, Out of Control: Taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers


What Would Happen If You Received This Email?


What Would Happen If You Received This Email?


Tips To Spot Social Engineering Within a Phishing Attempt

• Asks you to verify a sensitive piece of information
• A sense of urgency is implied in the message
• An overt or implied threat may be present
• Flattery is used to get you to drop your guard
• Use, and sometimes overuse, of organizational knowledge is employed
• A bribe or reward for your “help” may be offered


Spotting the Phish After the Click

• Website address looks odd or incorrect
• IP address shows in address bar
• Multiple pop-ups appear on top of legitimate website window
• Website contains spelling or grammar errors
• No SSL lock is present on what should be a secure site


Can You Spot the Issue Here?


How can you protect yourself?

• Try to remember that lurking behind every innocent-looking email could be a giant shark waiting to make its move. This is true whether it's work or personal email, so you must treat every email with a basic level of caution.


Protect Your Information

• Do not send sensitive information such as bank details, social security number, etc. over email. If you really need to, make sure you know who you are sending it to and start a new email rather than replying to a thread. Check the email address carefully.


Check the Address

• Be mindful of who is emailing you. Check email addresses for accuracy and look for signs of suspicious activity, for example if an email is not in the format you'd expect or a name appears to be spelt incorrectly. Email addresses made up of seemingly random combinations of letters and numbers may also be suspicious.


Don’t Click on Links

• Hover over links WITHOUT CLICKING — the destination will show in the bottom left of your screen and you can see whether it looks right. If in doubt, Google the address you need rather than clicking on a link.
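The "check the address", "hover before you click" and "after the click" advice on these slides can be turned into a small triage script of the kind a help desk might run over a reported message. The following is an added example written for this page, not code from the presentation or from the University of Wisconsin. It pulls every link out of a constructed sample HTML email, compares the text the reader sees with the real destination (the same thing hovering reveals), flags bare IP addresses and non-HTTPS destinations (where no SSL lock would appear), and applies a crude, assumed heuristic for sender addresses made up of random letters and numbers. The sample message, the domains, the IP address and the 40% digit threshold are all assumptions made for the example.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not a real message): the first link shows one
# address to the reader but points somewhere else; the second is what it appears to be.
SAMPLE_HTML = """
<p>Your package could not be delivered. Review the details here:</p>
<a href="http://203.0.113.45/track">https://www.example-courier.com/track</a>
<p>Or sign in at <a href="https://www.example-courier.com/login">our site</a>.</p>
"""

# Visible link text that a reader would take to be a web address.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/:]|$)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees vs. where the link goes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a> tag
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def displayed_host(text):
    """Host the reader would infer from URL-looking link text, or None for plain words."""
    if not URL_LIKE.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def inspect_link(text, href):
    """Return the warning signs for one link (an empty list means nothing stood out)."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append("not HTTPS: no SSL lock would appear after the click")
    if is_ip_literal(host):
        warnings.append("destination is a bare IP address rather than a site name")
    shown = displayed_host(text)
    if shown and shown.lower() != host:
        warnings.append(f"link reads {shown} but actually goes to {host or href}")
    return warnings


def inspect_sender(address):
    """Crude heuristic (an assumption of this example, not a rule from the slides): a
    local part that is at least 40% digits looks like a random letter/number string."""
    local, _, _domain = address.partition("@")
    digits = sum(ch.isdigit() for ch in local)
    if local and digits / len(local) >= 0.4:
        return ["sender local part looks like a random letter/number string"]
    return []


def triage(html, sender):
    """Run every check and return {item checked: [warnings]} for a help-desk style review."""
    report = {"sender " + sender: inspect_sender(sender)}
    for text, href in extract_links(html):
        report[href] = inspect_link(text, href)
    return report


if __name__ == "__main__":
    for item, flags in triage(SAMPLE_HTML, "a7x92k41@mail.example").items():
        print(item, "->", flags or "no warning signs")
```

Run as a script it prints one line per checked item; the first link collects three warnings (plain HTTP, an IP-literal host, and a mismatch between the address shown and the address visited) while the second, whose visible text is an ordinary phrase, collects none. The mismatch check is the programmatic form of hovering: a reader who sees one domain in the text and another in the status bar has found the same thing.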


Don’t Open Suspicious Attachments

• Treat any attachment that you didn't request as highly suspect. Contact your organizational help desk if you're not sure whether it's safe and they will check it out for you.


If In Doubt, Contact Your Help Desk

• If in doubt, email your organizational Help Desk. They will let you know whether something is safe to open or click on. It's better to be safe than sorry.


Combat Phishing Attempts

• Never give away personal information, especially username and password
• Don’t let curiosity get the best of you
• Look for the tell-tale signs we have discussed today
• There are no situations which justify exceptions
• If something sounds too good to be true…


If You Think You Have Been Phished

• This stuff isn't complicated, but it is incredibly easy to get caught out by a well-crafted phishing campaign. If you should accidentally succumb to a phishing attempt, please do not feel ashamed or fearful. It can happen to everyone, eventually.

• In such a situation, the worst thing you can do is keep quiet. Instead, contact your organization’s Help Desk immediately. Your machine may have been infected with malware, or your user credentials may be compromised. The very best way to remedy such a situation is to contact the Help Desk.


If You Think You Have Been Phished

• You should not be reprimanded or punished in any way when you come forward with information about potential phishing incidents. The Help Desk of your organization is there to assist, and to help triage the situation after a successful phish occurs.


Curiosity Killed the Cat!
Lack of Curiosity Killed the Phish!

Nicholas Davis, CISA, CISSP
Chief Information Security Officer
University of Wisconsin System
