Phishing
This material was developed with funding from the National Science Foundation under Grant # DUE 1601612
Phishing Mystery
A phisher has been up to no good and he has released phishes into the sea. Your mission is to catch each type of phish to learn more about it.
Along the way you will collect clues. Then use your expertise to determine who the phisher is. To begin, enter your name below.
Social media offers a number of ways for criminals to trick people, such as faking URLs, spoofing websites, posts, and tweets, and persuading people to divulge sensitive information or download malware through instant messaging. Angler phishing is the practice of masquerading as a customer service account on social media, hoping to reach a disgruntled consumer and lure them into handing over access to their personal data or account credentials. To protect against angler phishing attacks, organizations should identify their social media accounts, ensure they have strong passwords that are regularly changed, use verified accounts, and continually monitor for fraudulent accounts.
As users become wiser to traditional phishing scams, phishers are resorting to pharming. This method of phishing relies on poisoning the cache of the domain name system (DNS), known as a DNS cache poisoning attack. The pharmer targets a DNS server and changes the IP address associated with a website name, allowing the attacker to redirect users to a spoofed malicious website of their choice, even if the victim enters the correct site name. To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and update it on a regular basis.
Vishing is a type of phishing attack that relies on placing a phone call rather than sending an email. An attacker can perpetrate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds. Vishing attacks have taken on various forms, but their goal is the same as most other phishing attacks: to acquire login credentials to be used to steal money. To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone, and use caller ID.
Phishers use a whaling attack to try to harpoon an executive and steal their login credentials. Successful attacks can result in phishers engaging in CEO fraud. CEO fraud is when attackers abuse the compromised email account of a CEO or other executive to authorize fraudulent wire transfers to a financial institution of their choice. Phishers may also leverage that same email account to request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web. Whaling attacks work because executives may not participate in security awareness training with their employees. To counter the threats of whaling, organizations should mandate that all company personnel participate in security awareness training on an ongoing basis and consider the use of multi-factor authentication (MFA) in their financial authorization processes so that no one can authorize payments via email alone.
In spear phishing, phishers customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they know the sender. The goal is to trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear phishing is commonplace on social media sites, where attackers can use multiple data sources to craft a targeted attack email. To protect against spear phishing, organizations should conduct ongoing employee security awareness training that discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links and email attachments.
Smishing leverages malicious text messages to trick users into clicking on a malicious link or sharing personal information. Like vishers, smishers pose as various entities to get what they want. Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.
Congrats, you have caught the phisher! To prevent yourself from being the victim of a phisher like Marilyn:
- Access websites by typing the address directly into your Web browser.
- Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud.
- Don’t click links that you receive in messages from your friends on your social website. Treat links in messages on these sites as you would links in email messages.
- Don't trust the sender information in an e-mail message.
- Know the social media account handle for the company you are dealing with to make sure you communicate only with the legitimate account.
You have caught all the phish. You must now use the clues you discovered along the way to determine who the phisher is. Look at each phisher’s photo and read each of their biographies. Carefully consider your options and click on the picture of the phisher you think was responsible for filling the pond with phish.
DAVID EMERSON: Past arrests for smishing. Avid texter. Despises all social media. Has a calico cat named Maggy. Works in computer aided design.
MARILYN CARTER: Past arrests for pharming. Expert at website design. Loves social media. Has a dog named Juniper. Works in fashion design.
HENRY KANT: Past arrests for whaling. Excels at impersonating others. Only uses LinkedIn. Has a dog named Max. Works as a website designer.
BETTY MONROE: Past arrests for pharming. Known for her well-crafted emails. Uses all social media sites. Has a golden retriever puppy. Works in website design.
WALDO THOREAU: Past arrests for angling. Cannot use a smart phone. Avid social media user. Allergic to all animals. Works as an IT technician.
JUNE DAVIS: Past arrests for vishing. Loves a long phone chat. Uses Instagram frequently. Travels too often to have a pet. Works in the financial industry.