Phishing workshop notes

    These are some notes related to my phishing workshop at the Milton Keynes Cryptoparty on 1 November.

    Phishing handout

    This is the phishing handout I created for the workshop. You can also download a prettier version as a Google Document.

    What is phishing?

    A cyber-attack on your brain. It's a malicious message designed to fool you into handing over your credentials by directing you to a look-alike website.

    How it works

    Phishing attacks often pretend to be:

    • Urgent technical support
    • Important message from your bank, credit card, HMRC
    • Lottery winning
    • "Your account is in violation"

    They're designed to make you panic and act quickly, without thinking.

    The link in the email will take you to a spoof site, where you enter your account details and password. The scammer then steals your money or your identity.

    Spear phishing is worse, as the message may contain your name and email address. It may also appear to come from a friend.

    How to spot a suspicious web address (URL)

    Hostnames are like snail mail addresses: most specific first. You need to read them right to left.

    How to read a URL

    Spoof sites can put a genuine-looking URL at the front.

    A suspicious URL

    Beware look-alike mis-spellings

    Can you tell the difference between PayPal.com, PayPaI.com, and PayPal.com?

    The first one is the genuine PayPal.com. The second one is PayPaI.com, using a capital I instead of a lower-case l. The third uses a Cyrillic (Russian) a instead of a Latin-alphabet a.

    How to defeat phishing

    Think critically: expect messages to be attacks
    Legitimate sites won't ask for credentials via email. If you're not expecting a message, think more. Look for bad spelling and grammar, images that are off, and so on.

    You're not too small to be a target
    Cyber-criminals like going for individuals and small businesses: they often have less security than large companies. Cybercrime is often about volume of attacks and hoping some get lucky.

    Check the web address (URL)
    Look for the first / character in the middle of the address (don't count the ones in https://). The text immediately to the left of it is the domain. If the address has an @ character or lots of numbers in it, be suspicious.

    Some phishing sites will turn off the address bar. That alone should make you very suspicious.
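    To make the rules above concrete, here is a small Python checker I've added to these notes (it isn't part of the handout). It reads a hostname right to left to find the site that actually owns it, flags an @ in the address and bare IP addresses, and collapses look-alike characters so that PayPaI.com and a Cyrillic-a PayPal.com both show up as imitations. The list of known sites, the short public-suffix list and the confusable table are constructed for the demonstration and are deliberately tiny; a real tool would use the Public Suffix List and the Unicode confusables data.

```python
"""Added example (not from the workshop handout): a small URL checker that
applies the handout's rules for reading a web address.  The brand list, the
public-suffix list and the confusable table are constructed for illustration."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed: the genuine sites whose look-alikes we want to catch.
KNOWN_SITES = {"paypal.com", "hmrc.gov.uk"}

# Constructed: a few two-label public suffixes, so that "hmrc.gov.uk" is read
# as one site rather than "gov.uk".  A real checker would use the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}

# Constructed: characters commonly swapped in for look-alike domains, mapped to
# the Latin letter they imitate.  The \u04xx entries are Cyrillic a, e, o, p, c.
CONFUSABLES = str.maketrans({
    "i": "l", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def site_name(hostname: str) -> str:
    """Read the hostname right to left and return the labels that name the
    site: the last two, or the last three when the last two are a suffix
    like co.uk.  Everything further left is chosen freely by whoever owns it."""
    labels = hostname.split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def skeleton(name: str) -> str:
    """Collapse confusable characters so PayPaI.com and PayP\u0430l.com (Cyrillic a)
    both become paypal.com."""
    return name.lower().translate(CONFUSABLES)


def is_ip_literal(hostname: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def check_url(url: str) -> dict:
    """Return the site the URL really points at plus the handout's warning signs."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = parts.hostname or ""  # the text between the scheme and the first '/'
    warnings = []

    # Rule: an @ in the address means everything before it is decoration;
    # the browser connects to whatever comes after it.
    if "@" in parts.netloc:
        warnings.append(f"'@' in address: the real host is {host!r}, "
                        f"not {parts.netloc.split('@')[0]!r}")

    # Rule: lots of numbers (a bare IP address) instead of a name.
    if is_ip_literal(host):
        warnings.append(f"host is an IP address ({host}), not a named site")
        return {"host": host, "site": host, "warnings": warnings}

    # Non-Latin letters that look like Latin ones (e.g. Cyrillic a).
    odd = [f"{c!r} ({unicodedata.name(c, 'unknown')})" for c in host if ord(c) > 127]
    if odd:
        warnings.append("non-ASCII characters in hostname: " + ", ".join(odd))

    site = site_name(host)
    if site not in KNOWN_SITES:
        for known in KNOWN_SITES:
            if known in host:
                # Genuine name placed at the front of a different site's hostname.
                warnings.append(f"{known} appears in the address but the site is {site}")
            elif skeleton(site) == skeleton(known):
                # Same letters once confusables are collapsed: a look-alike spelling.
                warnings.append(f"{site} is a look-alike of {known}")
    return {"host": host, "site": site, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample addresses mirroring the handout's examples.
    for sample in ["https://www.paypal.com/signin",
                   "https://www.paypal.com.evil.example/signin",
                   "https://PayPaI.com/login",
                   "https://PayP\u0430l.com/login",
                   "http://paypal.com@203.0.113.5/login"]:
        result = check_url(sample)
        print(sample, "->", result["site"], result["warnings"] or "no warnings")
```

    Run it and the second address resolves to evil.example despite the PayPal prefix, the third and fourth are reported as look-alikes of paypal.com, and the last is flagged twice (the @ and the numeric host). The urlsplit call does the same job as "find the first / after https://": everything it returns as the hostname is what the browser will actually connect to.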

    Use a spam filter
    They will block a lot of phishing email.

    Use a password manager
    It won't suggest a password if you're not at the genuine site.

    Use a different password for each site. Change passwords if you think you've been a victim.

    Turn on two-factor authentication
    Even if you hand over your password, it may not trigger the second factor.

    If you're suspicious, change your password.

    Don't view images in email. Be wary of links.
    Some phishing emails use scripts embedded in rich-text messages to make attacks harder to spot.

    Links will often go to look-alike sites. Go to the site directly (browser history will help).

    Downloading images tells spammers the message has been read.

    Use site-specific email addresses
    In Gmail and Outlook, use a plus sign after your address: cryptoparty+forum@gmail.com or cryptoparty+bank@gmail.com. All these messages will still go into your main cryptoparty@gmail.com inbox. Use a different tag for each site.

    Then, when you get an email to cryptoparty+forum@gmail.com that says it's from your bank, you know it's almost certainly a phishing attack.

    (You can set up filtering rules for these addresses, if one address gets a lot of spam.)
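    The "wrong tag for the sender" test can be turned into a filter rule. The Python below is an added example, not part of the handout: it pulls the tag out of the To: address, looks up which sender that tag was handed to, and compares that with the From: domain. The tag table and the sample messages are constructed. Note the asymmetry: a mismatch is strong evidence of phishing, but a match proves little, because the From: header is trivially forged, so matching mail still gets judged on its content.

```python
"""Added example (not from the workshop handout): check a tagged address
against the sender it was given to.  TAG_OWNERS and the samples are constructed."""
from email import message_from_string
from email.utils import parseaddr

MAILBOX = "cryptoparty@gmail.com"

# Constructed: which sender domain each tag was handed out to.
TAG_OWNERS = {"bank": "examplebank.co.uk", "forum": "forum.example"}


def split_tag(address: str) -> tuple:
    """'Name <user+tag@host>' -> ('user@host', 'tag'); the tag is '' if absent."""
    _, addr = parseaddr(address)
    local, _, domain = addr.partition("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}".lower(), tag.lower()


def classify(raw_message: str) -> str:
    """Apply the handout's rule to one RFC 822 message and return a verdict."""
    msg = message_from_string(raw_message)
    mailbox, tag = split_tag(msg.get("To", ""))
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()

    if mailbox != MAILBOX:
        return "not our mailbox"
    if not tag:
        return "untagged: judge by content"
    owner = TAG_OWNERS.get(tag)
    if owner is None:
        return f"unknown tag '{tag}': suspicious"
    if sender_domain == owner:
        # From: can be forged, so this is only "nothing obviously wrong".
        return "tag matches sender: judge by content"
    return f"tag '{tag}' was given to {owner} but sender is {sender_domain}: likely phishing"


# Constructed sample messages.
PHISH = """From: Security Team <alerts@examplebank.co.uk>
To: <cryptoparty+forum@gmail.com>
Subject: Your account is in violation

Click here now.
"""

GENUINE = """From: Statements <noreply@examplebank.co.uk>
To: Neil <cryptoparty+bank@gmail.com>
Subject: Your statement is ready

Log in as usual to view it.
"""

if __name__ == "__main__":
    print(classify(PHISH))
    print(classify(GENUINE))
```

    In a mail client this is one rule per tag: messages to cryptoparty+forum@gmail.com that do not come from the forum's domain go straight to the suspicious folder.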

    Phishing quizzes

    How good are you at spotting phishing emails? A fun way to find out is to try some online quizzes. Here are a couple I found that are quite fun.

    Phishing.org is a great site for all things phishing. Well worth a look around.

    The Centre for the Protection of National Infrastructure has the downloadable quiz I used on the night.

    The National Cyber Security Centre has some good advice for people looking to improve their organisation's anti-phishing resilience.

    Acknowledgements

    The development of this work was supported by the Institute of Coding at the Open University.


    Cover image by Lance Anderson on Unsplash.

    Neil Smith
