Teaching Your Staff About Phishing
•Download as PPTX, PDF•
1 like•3,814 views
Micheal Green - JustTech Mary O'Shaughnessy - Her Justice Sart Rowe - LSNTAP In this webinar we look at what phishing is, how it impacts legal aid organizations, and how to take steps to reduce the likelihood and impact of getting hit with an attack.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Teaching Your Staff About Phishing
Similar to Teaching Your Staff About Phishing (20)
More from Legal Services National Technology Assistance Project (LSNTAP)
More from Legal Services National Technology Assistance Project (LSNTAP) (20)
Recently uploaded
Recently uploaded (20)
Teaching Your Staff About Phishing
- 1. Removing The Bait From Phishing Attacks Presented By:
- 2. Who We Are Michael Green, Just-Tech Mike is a Technical Consultant & Engineer at Just-Tech with over 18 years of experience in the field of Information Technology, and works with clients on project planning and systems implementation. He also works as an engineer behind the scenes. Mary O’Shaughnessy, Her Justice Mary has long experience in for-profit and nonprofit technology services, including technology audit. She has been Director, Information Services at Her Justice since 2012.
- 3. What is Phishing? An attempt to bait a user into giving up sensitive information or to otherwise provide access to their system.
- 4. Why are they doing this? Their end-game is $Money$! Most common methods to accomplish: 1. Compromise systems and key user accounts who have control over finances and move money covertly themselves. 2. Hold systems and/or data hostage for a ransom payment.
- 5. Impact ● Access to CMS- client information & disclosure rules ● Access to internal files- ID theft & personal info ● Damage to reputation/community relationship ● Increased recovery cost if unprepared ● System downtime
- 6. The Phisherman’s Bait ● Disguised to mislead- FedEx/Invoices, Client Assistance/Urgent Emails ● Can be personalized (Spear Phishing) (Whaling: targeting top executives) ● Password Reset phishing/Fake communications from IT ● URL manipulation - falsifying hyperlinks ● Attachments with malware
- 7. How to recognize it? Though the Phishers are deceptive in their tactics, there are tell-tale signs of fake information. 1. The email is threatening, provoking, or pretends to be authentic correspondence, in an effort to get you to open attachments or click links on impulse. Phishers need you to “take the bait” and allow them in. 2. The actual sender’s email address does not match who they claim to be. 3. Mouse-over hyperlinks reveal sketchy website destination. 4. Porr sppelling or errors grammatical. 5. Sender claims to be internal, popular, or reputable source.
- 8. Real examples of Phishing
- 9. Real examples of Phishing
- 10. Real examples of Phishing
- 11. Real examples of Phishing If you were to look up the “shipment number” on the UPS website, you would get an error message stating that this is not a valid number.
- 12. What to copy from Outlook With the email open, click on File. Click on Properties. Copy everything in the Internet headers box. Note that the email address is not really UPS - originated.
- 13. Technology Prevention ● Keep systems & antivirus updated and enabled ● Have measures in place (disable URLs/scan attachments where possible) ● Reliable Backups and Recovery Plan ● Cyber Insurance
- 14. Human Prevention ● Check with IT for verification before action ● Ignore unsolicited email links & attachments ● Continual Training & “Cheat Sheets” for staff ● When in doubt, Ask about ● Add to Junk Mail list
- 15. Policies - Acceptable Use, Mobile Device, Guest Use, & Email policies are just a few New Staff/Veterans/Volunteers - Whether they started yesterday or 20 years ago, continual training and coaching is a necessary component to prevention. Viruses and Malware continue to evolve, we need to adapt as well Training Practice https://www.phishingbox.com/ US Computer Emergency Response Team tips https://www.us-cert.gov/ncas/tips/ST04-014 Policies/Training
- 16. Helpful Resources ● LSNTAP-lsntap.org ● Idealware- www.idealware.org ● Security Awareness Training-www.travelingcoaches.com ● You Tube Videos- While not tailored, can provide self-help ● Resources on corporate identity theft-
- 17. just-tech.com 929.277.9800 CHANGE EVENT OR PRESENTATION TITLE ON MASTER – 1ST SLIDE just-tech.com 929.277.9800 Michael Green 929-277-0610 mgreen@just-tech.com Mary O’Shaughnessy 646-442-1179 moshaughnessy@herjustice.org Contact Us
- 18. just-tech.com 929.277.9800 CHANGE EVENT OR PRESENTATION TITLE ON MASTER – 1ST SLIDE just-tech.com 929.277.9800 Thanks!
- 19. just-tech.com 929.277.9800 CHANGE EVENT OR PRESENTATION TITLE ON MASTER – 1ST SLIDE just-tech.com 929.277.9800
Editor's Notes
- Sart
- Mike Start. Mary Intro herself
- Mike
- Mike
- Mary to start What can go wrong with getting phished? Client information can be disclosed, as can employee data. Bogus communications that look like they are from your organization (or actually from hacked valid email accounts) can damage your reputation. Talk about Petya ransomware
- Mary to take this -- “bait” gets your attention and move you to click or enter data, without being over-the-top in subject or action. Password resets are particularly invidious. If you get something that claims to be from IT, call an actual organization IT person known to you. URLs can be off by a domain ending, or a couple of switched letters. Hover over the link in the email to see what it really is. Attachments can look like they have innocent extensions, but hide additional ones past the first dot-three-letters.
- Mary to describe signs and symptoms :) Common fakes: IRS, Microsoft, Apple, Homeland Security. The email address is misspelled or has a nonsense domain. The mouse-over is a safe way of examining a hyperlink.
- Mary to point out the misspellings and disconnect between email address and alleged sender. See bad sentence structure. csims@addisonpark.org is real but it doesn’t make any sense that you would be getting an IT email from that person.
- Mike to discuss apparently valid email addresses.
- Mike to discuss sense of urgency and “state attorney.” Bogus attachment claiming to be a legitimate .pdf
- Mary to discuss invalid UPS information and bad link. If you get information about a shipment, go directly to the shipper’s website and do not rely on links.
- Mary: You don’t have to read every line of the detail--just look at that From:
- Mike Intro https://www.bankinfosecurity.com/nhs-denies-widespread-windows-xp-use-a-9915 It’s ok to not update Microsoft patches the day they are released. Test your backups regularly--at least monthly. Multiple backups from different points in time are good, in case an infected/hacked system gets backed up accidentally.
- Mike Intro. https://www.bankinfosecurity.com/nhs-denies-widespread-windows-xp-use-a-9915 It’s ok to not update Microsoft patches the day they are released, but patch updates should not be postponed for months. Pass no judgments on anyone who asks you to look at an email. Be encouraging, especially of their asking before clicking. If it sounds fake, it probably is. 5 minutes to verify -vs- hours, days, potentially weeks, and $$$ to clean up and “recover”
- Mike Intro. Acceptable use--there is no expectation of privacy on work assets--computers and accounts (e.g. email) If you plan to do a phishing test, you should tell your Executive Director before sending it.
- Mary Intro. http://forums.techsoup.org/cs/community/b/tsblog/archive/2016/03/10/the-greatest-security-threat-is-already-inside-your-office.aspx
- Contact info
- Thank you and Q & A