Phishing
This material was developed with funding from the National Science Foundation under Grant # DUE 1601612
Phishing Mystery
A phisher has been up to no good and he has released phishes into the sea. Your mission is to catch each type of phish to learn more about it.
Along the way you will collect clues.
Then use your expertise to determine who the phisher is.
Social media offers criminals a number of ways to trick people: faked URLs, spoofed websites, posts and tweets, and instant messages that persuade people to divulge sensitive information or download malware. Angler phishing is the practice of masquerading as a company's customer service account on social media, watching for a disgruntled consumer who has complained publicly and then luring them into handing over access to their personal data or account credentials.
To protect against angler phishing, organizations should inventory their official social media accounts, secure them with strong, unique passwords and multi-factor authentication where the platform supports it, use verified accounts so customers can tell which handle is genuine, and continually monitor for fraudulent look-alike accounts.
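The "monitor for fraudulent accounts" advice needs a concrete check behind it. The following is an added example, not part of the game or its funding project: a small classifier that takes a newly seen social media handle and decides whether it is one of the organization's own, a typo-squat or homoglyph twin of one, or unrelated. The organization name ("acmebank"), its official handles, the homoglyph table and the support-word list are all constructed assumptions.

```python
import re
import unicodedata

# Constructed set of an organization's genuine handles (assumption, not from the page).
OFFICIAL_HANDLES = {"acmebank", "acmebank_help"}

# Characters and digraphs impostors commonly swap in to look like the real name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
              "@": "a", "$": "s", "vv": "w", "rn": "m"}

# Words impostors append to a brand to pose as its customer-service account.
SUPPORT_WORDS = ("support", "help", "care", "service", "official")


def normalise(handle: str) -> str:
    """Lower-case, strip accents, undo common homoglyph swaps, drop punctuation."""
    h = unicodedata.normalize("NFKD", handle.lstrip("@").lower())
    h = "".join(c for c in h if not unicodedata.combining(c))
    # Replace longer digraphs ("vv", "rn") before single characters.
    for fake, real in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        h = h.replace(fake, real)
    return re.sub(r"[^a-z0-9]", "", h)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, official=OFFICIAL_HANDLES) -> str:
    """Return 'official', 'suspicious' (impersonates an official handle) or 'unrelated'."""
    raw = handle.lstrip("@").lower()
    if raw in official:
        return "official"
    norm = normalise(handle)
    brands = {normalise(o) for o in official}
    if norm in brands:
        return "suspicious"          # only case, punctuation or homoglyphs differ
    stem = norm
    for word in SUPPORT_WORDS:
        stem = stem.replace(word, "")
    for brand in brands:
        if edit_distance(norm, brand) <= 1 or edit_distance(stem, brand) <= 1:
            return "suspicious"      # one-character typo-squat of a real handle
        if brand in norm and any(w in norm for w in SUPPORT_WORDS):
            return "suspicious"      # brand name plus a 'support'-style suffix
    return "unrelated"


if __name__ == "__main__":
    for h in ["@AcmeBank", "@acmeb4nk", "@acmebank_support", "@acmebnk", "@weather_daily"]:
        print(f"{h:20} {classify_handle(h)}")
```

Anything classified as suspicious is a candidate for a takedown request to the platform and for a warning to customers; the exact-match rule comes first so that the organization's own accounts are never flagged, and the brand check runs on the normalised form so that "acmeb4nk" and "acme.bank" collapse onto the real name.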
As users become wiser to traditional phishing scams, phishers are resorting to pharming, which redirects victims without asking them to click anything. The usual method is DNS cache poisoning: the pharmer targets a DNS resolver (or, with malware, the victim's local hosts file) and changes the IP address associated with a website's name, so the user is sent to a spoofed malicious site even though they typed the correct address.
To protect against pharming, organizations should train employees to log in only on HTTPS-protected sites and never to click past a browser certificate warning: poisoning changes where the connection goes, but the attacker's server cannot present a valid certificate for the real domain name, so the browser's certificate check is what exposes the redirect. Companies should also run anti-virus software on all corporate devices and keep it updated, since pharming is sometimes done by malware editing the local hosts file rather than by attacking a DNS server.
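To make the HTTPS advice concrete, here is an added example (not from the game or its authors) that simulates a pharming redirect and shows why the certificate check catches it. It models two resolver caches, one legitimate and one poisoned, and the Subject Alternative Names each server's certificate carries; the hostnames, IP addresses (from the documentation ranges) and certificate contents are constructed, and the hostname-matching rule is a simplified version of the RFC 6125 wildcard rules.

```python
from typing import Optional

# Constructed DNS caches (hypothetical names, documentation IP ranges).
# In the poisoned cache the pharmer has rewritten the bank's A record.
LEGIT_CACHE = {"login.example-bank.com": "203.0.113.10"}
POISONED_CACHE = {"login.example-bank.com": "198.51.100.66"}

# Constructed view of the Subject Alternative Names in the certificate each
# server presents. The attacker's host can only obtain a certificate for names
# it actually controls, not for example-bank.com.
CERT_SANS = {
    "203.0.113.10": ["example-bank.com", "*.example-bank.com"],
    "198.51.100.66": ["example-bank-secure-login.com", "*.example-bank-secure-login.com"],
}


def resolve(name: str, cache: dict) -> Optional[str]:
    """Look the name up in the (possibly poisoned) resolver cache."""
    return cache.get(name.lower().rstrip("."))


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: a wildcard is allowed only as the entire leftmost
    label, matches exactly one label, and needs at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def connect(name: str, cache: dict):
    """Simulate what a browser does on an HTTPS visit: resolve the name, then
    check that the served certificate covers the name the user typed.
    Returns (ip, certificate_valid_for_name)."""
    ip = resolve(name, cache)
    sans = CERT_SANS.get(ip, [])
    return ip, any(san_matches(san, name) for san in sans)


if __name__ == "__main__":
    for label, cache in [("legitimate resolver", LEGIT_CACHE),
                         ("poisoned resolver", POISONED_CACHE)]:
        ip, ok = connect("login.example-bank.com", cache)
        print(f"{label}: sent to {ip}, certificate valid for name: {ok}")
```

The poisoned path delivers the user to the attacker's IP, but the certificate it serves does not match the name that was typed, which is exactly the warning a browser raises. The caveat is that this only helps if the site is HTTPS and the user refuses to click through the warning; a plain-HTTP login page gives the pharmer a free pass, which is why the training advice matters.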
Vishing is a phishing attack carried out over a phone call rather than by email. An attacker typically sets up a Voice over Internet Protocol (VoIP) server, which lets them place many calls cheaply and present a caller ID of their choosing, and then impersonates a bank, government agency or IT help desk to steal sensitive data and/or funds. Vishing takes many forms, but its goal is the same as most other phishing: to obtain login credentials or payments that can be turned into money.
To protect against vishing, users should avoid answering calls from unknown numbers, never give out personal information to someone who called them, and treat caller ID as a hint only, since it is easily spoofed. If a caller claims to be from a bank or employer, hang up and call back on a number taken from the organization's website or the back of the card.
Phishers use a whaling attack to harpoon an executive and steal their login credentials. A successful attack can lead to CEO fraud, in which attackers use the compromised email account of a CEO or other executive to instruct staff to send fraudulent wire transfers to accounts the attackers control. They may also use the same account to request W-2 information for all employees so that they can file fake tax returns in those employees' names or sell the data on the dark web.
Whaling works in part because executives often skip the security awareness training given to their staff. To counter it, organizations should require all personnel, executives included, to take security awareness training on an ongoing basis, and should build out-of-band verification (for example, a call-back to a known number) and multi-factor authentication into their financial authorization processes so that no payment can be authorized on the strength of an email alone.
In spear phishing, phishers customize their emails with the target's name, position, company, work phone number and other details so that the recipient believes the message comes from someone they know. The goal is to get the victim to click a malicious URL or open a malicious attachment and hand over personal data or credentials. Because a convincing attack needs so much information, spear phishers routinely harvest it from social media, where a target's job title, colleagues, projects and contact details are often posted openly.
To protect against spear phishing, organizations should run ongoing security awareness training that discourages employees from publishing sensitive personal or corporate information on social media. Companies should also invest in email security that analyzes inbound mail for known malicious links and attachments and that flags spoofed or look-alike sender addresses.
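What "analyzing inbound email" looks like in practice is shown by the following added example, which is not code from the game or its authors. It parses a constructed spear-phishing message with Python's standard `email` module and reports the signs of sender and link spoofing a filter would look for: a display name that claims the company while the address is external, a sender domain that is a near-miss of the real one, Reply-To and Return-Path pointing elsewhere, visible link text that disagrees with the real link target, and a link host that merely embeds the company's domain inside someone else's. The company domain (`example-corp.com`), the message and the 0.85 similarity threshold are assumptions.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# The company's real mail domain (assumption).
INTERNAL_DOMAIN = "example-corp.com"

# Constructed spear-phishing message: the display name and the visible link
# text impersonate the company, while the real address, Reply-To, Return-Path
# and link target all point elsewhere. Not a real message.
RAW_MESSAGE = b"""From: "Jane Doe, CFO - Example Corp" <jane.doe@examp1e-corp.com>
Reply-To: jane.cfo.examplecorp@mailbox.example.net
Return-Path: <bounce@bulk-sender.example.org>
To: bob.smith@example-corp.com
Subject: Urgent: invoice approval needed today
Content-Type: text/html; charset=utf-8

<p>Bob, please approve the attached invoice via our portal:
<a href="http://portal.example-corp.com.login-verify.example.net/">
https://portal.example-corp.com/approve</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def addr_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To/Return-Path header."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def host_belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def analyse(raw: bytes, internal_domain: str = INTERNAL_DOMAIN):
    """Return a list of (finding_code, detail) for the signs of sender and link
    spoofing that a spear-phishing filter would look for."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    brand = internal_domain.split(".")[0].replace("-", " ")

    # 1. Display name claims the company but the address is external.
    if brand in from_name.lower() and from_dom != internal_domain:
        findings.append(("display-name-impersonation", from_addr))
    # 2. Sender domain is a near-miss of the real domain (here digit 1 for l).
    if from_dom != internal_domain and \
            difflib.SequenceMatcher(None, from_dom, internal_domain).ratio() >= 0.85:
        findings.append(("lookalike-sender-domain", from_dom))
    # 3/4. Replies or bounces would go somewhere other than the From domain.
    for header, code in (("Reply-To", "reply-to-mismatch"),
                         ("Return-Path", "return-path-mismatch")):
        if msg[header] and addr_domain(str(msg[header])) != from_dom:
            findings.append((code, str(msg[header])))
    # 5/6. Links whose visible text disagrees with the target, or whose host
    # merely embeds the company's domain inside someone else's.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = (urlparse(href).hostname or "").lower()
            text_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if text_host and text_host.lower() != href_host:
                findings.append(("link-text-mismatch", href))
            if internal_domain in href_host and not host_belongs_to(href_host, internal_domain):
                findings.append(("embedded-internal-domain", href_host))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(RAW_MESSAGE):
        print(f"{code:28} {detail}")
```

No single finding is proof of phishing (a legitimate newsletter can have a different Return-Path, for instance), so a real filter would score these signals and quarantine or banner the message above a threshold; the point is that every one of them is computed from headers and HTML the recipient never sees, which is why users are told not to trust the sender information or link text on its own.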
Smishing uses malicious text messages (SMS) to trick users into clicking a malicious link or sharing personal information. Like vishers, smishers pose as banks, delivery companies and other trusted entities to get what they want.
Users can defend against smishing by not clicking links in unexpected texts, looking up unknown phone numbers before responding, and, if in doubt, contacting the named company through a phone number or website they already know rather than one given in the message.
Congrats, you have caught the phisher! To avoid becoming the victim of a phisher like Marilyn:
- Access websites by typing the address directly into your web browser.
- Remember that technology-based security measures such as firewalls, encryption, anti-virus, spam filters and strong authentication will NOT by themselves prevent social engineering fraud.
- Don't click links that you receive in messages from your friends on social websites. Treat links in messages on these sites as you would links in email messages.
- Don't trust the sender information in an email message; it can be forged.
- Know the social media account handle for the company you are dealing with so that you communicate only with the legitimate account.
DAVID EMERSON
Past Arrests for Smishing
Avid texter
Despises all social media
Has a calico cat named Maggy
Works in computer aided design
MARILYN CARTER
Past Arrests for Pharming
Expert at website design
Loves social media
Has a dog named Juniper
Works in fashion design
You have caught all the phish. Now use the clues you discovered along the way to determine who the phisher is. Read each suspect's biography, weigh your options carefully, and pick the phisher you think was responsible for filling the pond with phish.
HENRY KANT
Past Arrests for Whaling
Excels at impersonating others
Only uses LinkedIn
Has a dog named Max
Works as a website designer
BETTY MONROE
Past Arrests for Pharming
Known for her well-crafted emails
Uses all social media sites
Has a golden retriever puppy
Works in website design
WALDO THOREAU
Past Arrests for Angling
Cannot use a smart phone
Avid social media user
Allergic to all animals
Works as an IT technician
JUNE DAVIS
Past Arrests for Vishing
Loves a long phone chat
Uses Instagram frequently
Travels too often to have a pet
Works in the financial industry