Social Engineering Phishing


INFORMATION SYSTEM SECURITY

Social Engineering
Phishing

Billy Gargita
Effin Alfianto
Nirwanda Pacchuzi Silaban
Discussion points (NIST Cybersecurity Framework)

IDENTIFY
PROTECT
DETECT
RESPOND
RECOVER
CONCLUSION
What's Phishing
Phishing is a cyber attack that uses email as a tool. Its purpose is to trick the email
recipient into believing the message is something they want or need, so that they
click on a link or download an attachment.

Phishing attacks typically stress urgency or play on a person's willingness to help.


Phishing attacks can also evoke a sense of fear by warning of serious consequences.
Sometimes you'll see this as a threat to suspend services, the loss of critical data, or
various personal consequences. The most common observation, though, is that phishing
attacks start by triggering the victim's sense of curiosity. This is why the victim opens the
email to begin with.
Types of Phishing

Spear phishing
Spear phishing targets a specific group or type of individuals, such as the company's system administrators.

Whaling
Whaling is an even more targeted type of phishing than spear phishing, as it goes after the whales, the BIG fish.

Smishing
Smishing is an attack that uses text messaging or SMS (short message service) to get our attention. A message that comes into your cell phone through SMS and contains a link to click on or a phone number to call would result in a smishing attack.

Vishing
Vishing, or voice phishing, is a type of attack carried out over the telephone that utilizes Voice over Internet Protocol (VoIP) technology.
How Phishing Works

STEP 1: The legitimate website is cloned.
STEP 2: The login page is changed to point to a credential-stealing script.
STEP 3: The modified files are bundled into a zip file to make a phishing kit.
STEP 4: The phishing kit is uploaded to the hacked website, and the files are unzipped.
STEP 5: Emails are sent with links pointing to the new spoofed website.
There are a couple of different ways to break attacks down into categories. One is by the purpose of
the phishing attempt. Generally, a phishing campaign tries to get the victim to do one of two things:

HAND OVER SENSITIVE INFORMATION
These messages are intended to trick the user into revealing critical data, often a username and password that an attacker could use to breach a system or account. The victim clicks on the link in the message and is taken to a malicious site designed to resemble a genuine web page, and then enters their username and password. The attacker can now access the victim's account.

DOWNLOAD MALWARE
Like a lot of spam, these types of phishing emails aim to get the victim to infect their own computer with malware. The attachments are often .zip files or Microsoft Office documents with malicious embedded code. The most common form of malicious code is ransomware.

Phishing emails can be targeted in several different ways. Sometimes they aren't targeted at all: emails are sent to millions of potential victims to try to trick them into logging in to fake versions of very popular websites.
How to Identify a Phishing Email

The email might ask you to confirm personal account information such as a password, or prompt you to open a malicious attachment that infects your computer with a virus or malware.

THE EMAIL ASKS YOU TO CONFIRM PERSONAL INFORMATION
Often an email will arrive in your inbox that looks very authentic. Do not reply or click on any links; if you think there is a possibility that the email is genuine, just manually type the address into the browser to make sure.

THE WEB AND EMAIL ADDRESSES DO NOT LOOK GENUINE
Oftentimes phishing emails come from addresses that appear to be genuine, by including a valid company name in the e-mail structure and web address. If you take the time to actually check the email address, you may find that it is a fake variation that is meant to appear genuine.

IT'S POORLY WRITTEN
Read the email and check for spelling and grammar mistakes, as well as strange phrase changes. If you receive an unexpected email from a company, and the email is full of errors, this can be a strong indicator that the email is actually phish.

THERE'S A SUSPICIOUS ATTACHMENT
The attachment could contain a malicious URL or trojan, leading to the installation of a virus or malware on your PC or network. Even if you think an attachment is genuine, it's good practice to always scan it first using antivirus software.

THE MESSAGE IS DESIGNED TO MAKE YOU PANIC
It is common for phishing emails to instill panic in the recipient. The email may claim that your account has been compromised and that the only way to verify it is to enter your login details. Make sure you really think about whether an email asking you for something makes sense. If you are unsure, please contact the company via another method.
PROTECT against Phishing Scams

Turn on 2-Step Verification
With 2-Step Verification (two-factor authentication), you add an extra layer of security to your account in case your password is stolen.

Install an Anti-Phishing toolbar
This won't block all phishing messages, but it will reduce the number of phishing attempts.

Know about Phishing Techniques
New phishing scams are being developed all the time. Without knowing phishing techniques, you cannot protect your personal information from attackers.
DETECTING PHISHING ATTACKS

You can hover over any hyperlinks in the email to see the actual hyperlinked address, which may not match the text. For instance, the link may say facebook.com but actually hyperlink to a fake address like facebo0k.com.

Always be doubtful when you receive emails offering free prizes or other rewards to convince people to hand over money or personal information. Others may use threats, which could be anything from threatening to close your account if personal information is not "confirmed" (given to the scammers), to full-on blackmail.
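The hover check above (visible link text says facebook.com, the href goes to facebo0k.com) can be automated over an email's HTML body. The following is an added example written for this page, not code from the slides; the sample email body, the lookalike domains and the helper names are constructed for illustration, and it generalizes the check to also catch a real domain hidden as a prefix of a longer hostname.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not from the slides): link 1 shows facebook.com
# but points at a lookalike, link 2 is consistent, link 3 hides the real host.
SAMPLE_EMAIL_HTML = """
<p>Your account will be suspended.
<a href="https://facebo0k.com/login">Log in at facebook.com</a></p>
<p>Questions? <a href="https://support.example.com/help">support.example.com</a></p>
<p>Or verify at <a href="http://facebook.com.account-verify.test/">facebook.com</a></p>
"""
# Something that looks like a domain name inside the visible link text.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def find_mismatched_links(html):
    """Return (shown domain, actual host) pairs where the visible link text
    names a domain that the href does not lead to (its subdomains are accepted)."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = DOMAIN_RE.search(text)
        actual = (urlparse(href).hostname or "").lower()
        if not shown or not actual:
            continue  # no domain in the text, or a relative / mailto link
        shown = shown.group(0).lower()
        if actual != shown and not actual.endswith("." + shown):
            findings.append((shown, actual))
    return findings
```

Run it on the constructed sample and it reports the facebo0k.com lookalike and the facebook.com.account-verify.test host, while the consistent support link is left alone.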
RESPOND to a Phishing Attack

When in doubt, throw it out: Links in emails, social media posts and online advertising are often how
cybercriminals try to steal your personal information. Even if you know the source, if something looks
suspicious, delete it.

Be cautious about all communications you receive. If it appears to be a phishing communication, do not respond. Delete it.

Do not click on any links listed in the email message, and do not open any attachments contained in a suspicious email.

Do not enter personal information in a pop-up screen. Legitimate companies, agencies, and organizations don't ask for personal information via pop-up screens.
RECOVERING FROM A PHISHING ATTACK

Make a Back-up

Change Your Credentials

Scan Your System for Malware

Security awareness training: phishing simulation (how phishing works)
- GROUP 4 -
Conclusion
Never click on a link in an email; open the browser and type the URL in manually.