Don't Get Caught by Phishing

Published, July 1, 2008

Privacy Tip

Phishing is a criminal activity in which an adversary attempts to fraudulently acquire sensitive information by impersonating a trustworthy person or organization. Examples of such practices include manipulated emails that appear to be from the Department of the Navy, Navy Federal Credit Union, Navy Knowledge Online or other recognizable contacts.

The ultimate goal is to extract information in order to evade existing security measures and gain access to secure information and data or to personal accounts. The following email message is an example of an actual phishing attempt.

-----Original Message-----
From: Bank of America Alert
Sent: Saturday, June 28, 2008 1:08 AM
Subject: Bank of America Alert: Verify Your Online Account
Importance: High


myfraudprotection.bankofamerica.com/Images/Header_tsp.gif

Unauthorized Access

Dear Valued Online Banking Customer,

In the last few days, our Online banking security Team observed multiple logons to your account, from Different Blacklisted I.P addresses, therefore we are Issuing this security warning. Your Online Banking Access has been Blocked, to prevent further unauthorized access for your safety, we have decided to put an extra verification process to ensure your identity and your account security.

Please click on the link below to activate and secure you online banking. this System Maintenance is for your safety and protect your internet banking against unknown users which leads to several losses of our customers funds recently. Bank of America works hard to safeguard your account and personal information. That's why from time to time we may ask you to verify your identity online. This verification process will only take a few moments.

//www.bankofamerica/sitekey/securitygrade//www.herbalicious.com/vti_log/log/www.
.bankofamericacom/online/sitekeya/index.html

Sincerely,

Bank of America Online Banking

Because your reply will not be transmitted via secure email, the email address that generated this alert will not accept replies. If you would like to contact Bank of America with questions or comments, please sign in to Online Banking and visit the customer service section.

Bank of America, N.A. Member FDIC. Equal Housing Lender © 2008 Bank of America Corporation. All rights reserved


Preventive measures include digital signatures, user education and reporting.

DON network users are required to digitally sign any email requiring message integrity and non-repudiation. Any message that tasks or requests a DON user to provide personal or otherwise sensitive information should be digitally signed. If a digital signature is not present and the sender is unknown, recipients should verify the authenticity through other methods (e.g., placing a phone call and requesting a digital signature). If the sender’s identity still cannot be verified, the message should not be opened and the incident should immediately be reported to the user’s information assurance manager (IAM) and/or help desk.

In addition, users should avoid answering any email that attempts to collect personally identifiable information (PII) and other critical information unless the email has been authenticated. Opening email attachments or clicking on hyperlinks from unknown or unexpected sources, including but not limited to email from .mil and .gov sources, could cause a system malfunction, slow computer performance and, ultimately, cause hardship.

Reporting Spam and Phishing:

The following provides NMCI/Homeport guidance with regards to reporting spam and phishing email messages received by NMCI Outlook users:

Spam is unsolicited advertisements sent to an email address. Phishing is a request for personal information under the guise of an advertisement, official-looking email or website. The Exchange servers have anti-spam filters to keep spam and phishing to a minimum. When you receive a spam or suspected phishing message, create a new message or forward the entire message, including the original header information, for investigation and to effectively block future messages from the sender.
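Two things in this article lend themselves to a small analyst-side tool: the sample lure above, whose link puts the brand name in the hostname and path while the real host is something else, and the instruction here to forward the complete message with its original headers. The following is an added example written for this article (it is not NMCI/Homeport tooling and not the author's code). It parses a forwarded raw message, pulls the header fields an investigator wants (From domain, envelope sender, first receiving hop, whether the message is S/MIME signed), extracts the links in the body and classifies each one as trusted, lookalike or unknown. The sample message, its addresses, hosts and link are constructed; the trusted-domain set and the two-label "registrable domain" rule are simplifying assumptions.

```python
"""Triage helper for a reported phishing message (added example for this article,
not NMCI/Homeport tooling). It parses the forwarded raw message, pulls the header
fields an analyst wants, extracts the body links, and flags links whose real host
is not the impersonated brand's registrable domain."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Registrable domains the impersonated brand really uses (assumption for the example).
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Constructed sample modelled on the lure above; addresses, hosts and the link are invented.
RAW_MESSAGE = b"""Return-Path: <bounce@mail.example-bulkmailer.test>
Received: from mail.example-bulkmailer.test (mail.example-bulkmailer.test [198.51.100.23])
\tby mx.example.mil (Postfix) with ESMTP id 4F2A3; Sat, 28 Jun 2008 01:08:11 -0400
From: "Bank of America Alert" <alert@bankofamerica.com>
To: user@example.mil
Subject: Bank of America Alert: Verify Your Online Account
Importance: High
Content-Type: text/plain; charset="us-ascii"

Dear Valued Online Banking Customer,
Please click on the link below to activate and secure your online banking.
http://www.bankofamerica.com.example-host.test/vti_log/www.bankofamerica.com/online/sitekey/index.html
Sincerely,
Bank of America Online Banking
"""

URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def registrable_domain(host):
    """Last two labels of a hostname. A production tool would consult the
    public-suffix list so that names such as example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify_url(url, trusted=TRUSTED_DOMAINS):
    """'trusted' if the URL's registrable domain is the brand's own; 'lookalike' if the
    brand name appears elsewhere in the URL (subdomain, userinfo or path) while the
    real host is something else; 'unknown' otherwise."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if registrable_domain(host) in trusted:
        return "trusted"
    # netloc keeps any user@ prefix, so http://brand.com@evil.test/ is caught as well.
    haystack = parts.netloc.lower() + parts.path.lower()
    for domain in trusted:
        brand = domain.split(".")[0]
        if brand in haystack:
            return "lookalike"
    return "unknown"


def domain_of(addr_spec):
    return registrable_domain(addr_spec.rsplit("@", 1)[-1]) if "@" in addr_spec else ""


def triage(raw):
    """Return the fields an analyst wants from a reported message plus a list of findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]
    received = [str(h) for h in msg.get_all("Received", [])]
    # Received headers are prepended at each hop, so the last one is the first (originating) hop.
    first_hop = ""
    if received:
        m = re.search(r"from\s+([^\s(]+)", received[-1])
        first_hop = m.group(1) if m else ""
    # DON policy: requests for sensitive information must be digitally signed. S/MIME
    # signatures arrive as multipart/signed, so an unsigned request is itself a finding.
    signed = msg.get_content_type() == "multipart/signed"
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    urls = [(u.rstrip(".,;"), classify_url(u.rstrip(".,;"))) for u in URL_RE.findall(body)]

    findings = []
    if not signed:
        findings.append("no digital signature on a request for account details")
    from_domain, rp_domain = domain_of(from_addr), domain_of(return_path)
    if rp_domain and rp_domain != from_domain:
        findings.append(f"envelope sender domain {rp_domain} differs from From domain {from_domain}")
    findings += [f"lookalike link: {u}" for u, verdict in urls if verdict == "lookalike"]
    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "first_hop": first_hop,
        "signed": signed,
        "urls": urls,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE)["findings"]:
        print("-", finding)
```

Forwarding as an attachment, as the procedure below requires, is what makes this possible: the Return-Path and Received headers survive only when the original message is attached whole, and those are the fields that expose the mismatch between the displayed sender and the actual origin.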

Prerequisites:

Turn off your Outlook reading pane. Click View, select Reading Pane, then click Off. Note: Do not allow Outlook to automatically open your email because it could put your computer at risk to spam, phishing and viruses.

Solution:

Report suspect email by attaching the message as a file:

  1. Without opening the message, single-click the message from the list of messages in your inbox.
  2. Click Edit and then select Copy.
  3. Click File, select New and then click Mail Message to open a new mail message.
  4. Right-click in the blank content area and select Paste from the pop-up menu.
  5. Type SPAM in the subject line.
  6. In the To field, type the email address NMCI_SPAM@nmci-isf.com for Navy users or usmc_anti-spam@nmci.usmc.mil for Marine Corps users.
  7. Click Send.

Report suspect email by forwarding the message:
  1. Set the Forward settings.
    • Click Tools, then select Options.
    • Select the Preferences tab. Click email Options.
    • Change the field "When forwarding a message" to: Forward as an attachment (Outlook 2000) or Attach original message (Outlook 2003).
    • Click OK twice to save and close the Options windows.
  2. Without opening the message, single-click the message from your Inbox.
  3. Click Actions, then select Forward.
  4. Type SPAM in the subject line.
  5. In the To field, type the email address NMCI_SPAM@nmci-isf.com for Navy users or usmc_anti-spam@nmci.usmc.mil for Marine Corps users.
  6. Click Send.

The following list of resources provides additional details, definitions, examples, preventive tips and training.

Phishing resources:

For the requirement to digitally sign emails, see Naval message:
DTG 061525Z OCT 04: DON Public Key Infrastructure (PKI) Implementation Guidance Update.

Visit the OnGuard Online website for related awareness information, training videos and games.

Visit these Federal Trade Commission links:

Identity Thief Goes "Phishing" for Consumers' Credit Information
How Not to Get Hooked by a Phishing Scam
For those with an AKO/DKO account, view the July newsletter.
Also visit the Wikipedia and Webopedia websites for more information.

TAGS: Cybersecurity, Privacy
