A general education presentation, created to teach employees of an organization about Phishing, what it is, how to recognize it, avoid becoming a phishing victim, how to recognize common social engineering techniques, and what to do if you think you have been phished.

1. Organizational Phishing Education
Nicholas Davis, CISA, CISSP
November 15, 2016

2. Overview
• Phishing Background
• Threat to IT on within universities
• Phishing education
• Tricks employed
• Sample educational phishing emails sent
• Spotting the phish, after the click
• Q&A
11/15/2016 2

3. Phishing Defined
Phishing is the act of attempting to acquire
information such as usernames, passwords, and
credit card details (and sometimes, indirectly,
money) by masquerading as a trustworthy entity
in an electronic communication, usually email.
11/15/2016 3

4. Why Phishing Is Such a
Threat
• IT infrastructure is designed to protect the
campuses computing assets with many
technical controls
• However, this persuades hackers to pursue
access via alternate means, often choosing to
exploit the human factor
11/15/2016 4

5. Your Password Is the Key to
the Kingdom
If an attacker can
persuade you to give
them your password,
they can evade all the
controls put in place to
protect sensitive
systems
11/15/2016 5

6. Higher Education Proprietary
Research Interests Phishers
Consider the value of
an organization’s
intellectual property
11/15/2016 UNIVERSITY OF WISCONSIN 6

7. I am Too Smart to Fall For a
Trick Like Phishing
Most large organizations have a phishing
participation rate of around 10%
This rises when the population become the
subjects of Spear Phishing, which is phishing
email designed specifically for the recipient
11/15/2016 7

8. Phishing Relies Upon Social
Engineering
The practice of deceiving someone, either in
person, over the phone, or using a computer, with
the express intent of breaching some level of
security either personal or professional. Social
engineering techniques are considered con games
which are performed by con artists. The targets of
social engineering may never realize they have
been victimized.
11/15/2016 8

9. Tricks Used By Expert
Phishers
Socially Aware: Mining of information about the
target from publicly available resources, such as
Facebook, property records, or even CCAP
Context Aware: Make reference to an activity you
are likely to engage in, such as Amazon.com, or
UPS package receipt
11/15/2016 9

10. Specific Examples of
Complex Phishing Attempts
Baiting: Placing a USB flash drive or CD, with
malware on it, in a public place
11/15/2016 10

11. Specific Examples of
Complex Phishing Attempts
QR Code Curiosity: Embedding malicious code
within a QR code, on a printout posted to a
community bulletin board
11/15/2016 11

12. Specific Examples of
Complex Phishing Attempts
Out of Office, Out of Control: Taking advantage of
an autoresponder, leveraging specific knowledge
to exploit co-workers
11/15/2016 12

13. What Would Happen If You
Received This Email?
11/15/2016 13

14. What Would Happen If You
Received This Email?
11/15/2016 14

15. Tips To Spot Social Engineering Within
a Phishing Attempt
• Asks you to verify a sensitive piece of
information
• A sense of urgency is implied in the message
• An overt or implied threat may be present
• Flattery is used to get you to drop your guard
• Use, and sometimes overuse of organizational
knowledge in employed
• A bribe or reward for your “help” may be
offered
11/15/2016 15

16. Spotting the Phish After
the Click
• Website address looks odd or incorrect
• IP address shows in address bar
• Multiple pop-ups appear on top of legitimate
website window
• Website contains spelling or grammar errors
• No SSL lock is present on what should be a
secure site
11/15/2016 16

17. Can You Spot the Issue
Here
11/15/2016 17

18. How can you protect yourself?
• Try to remember that lurking behind every innocent-looking email
could be a giant shark waiting to make its move. This is true whether
it's work or personal email, so you must treat every email with a basic
level of caution.

19. Protect Your Information
• Do not send sensitive information such as bank details, social security
number, etc. over email. If you really need to, make sure you know
who you are sending it to and start a new email rather than replying
to a thread. Check the email address carefully.

20. Check the Address
• Be mindful of who is emailing you. Check email addresses for
accuracy and look for signs of suspicious activity, for example if an
email is not in the format you'd expect or a name appears to be spelt
incorrectly. Email addresses made up of seemingly random
combinations of letters and numbers may also be suspicious.

21. Don’t Click on Links
• Hover over links WITHOUT CLICKING — the destination will show in
the bottom left of your screen and you can see whether it looks right.
If in doubt, Google the address you need rather than clicking on a
link.

22. Don’t Open Suspicious Attachments
• Treat any attachment that you didn't request as highly suspect.
Contact your organizational help desk if you're not sure whether its
safe and they will check it out for you.

23. If In Doubt, Contact Your Help Desk
• If in doubt, email your organizational Help Desk. They will let you
know whether something is safe to open or click on. It's better to be
safe than sorry.

24. Combat Phishing Attempts
• Never give away personal information,
especially username and password
• Don’t let curiosity get the best of you
• Look for the tell-tail signs we have discussed
today
• There are no situations which justify
exceptions
• If something sounds too good to be true…
11/15/2016 24

25. If You Think You Have Been Phished
• This stuff isn't complicated, but it is incredibly easy to get caught out
by a well-crafted phishing campaign. If you should accidently
succumb to a phishing attempt, please do not feel ashamed or
fearful. It can happen to everyone, eventually.
• In such a situation, the worst thing you can do is keep quiet. Instead,
contact your organization’s Help Desk immediately. Your machine may
have been infected with malware, or your user credentials may be
compromised. The very best way to remedy such a situation is to
contact the Help Desk.

26. If You Think You Have Been Phished
• You should not be reprimanded or punished in any way when you
come forward with information about potential phishing incidents.
The Help Desk of your organization is there to assist, and help triage
the situation after a successful phish occurs

27. Curiosity Killed the Cat!
Lack of Curiosity Killed the
Phish!
Nicholas Davis, CISA, CISSP
Chief Information Security Officer
University of Wisconsin System
11/15/2016 27