• Presented by
Skye Hagen
Asst Director
Office of Information
Identity Theft and Con Games
• Presentation will include phishing,
pharming and other identity theft attacks.
• It will also include related confidence
games that happen on the Internet.
• If you have any questions during the
presentation, don’t hesitate to ask!
What is Phishing?
• Phishing attacks use social engineering
and technical subterfuge to steal identities.
• The goal is to obtain access to financial
– Credit card numbers
– Accounts and passwords for financial
– Social Security Numbers
Def: Social Engineering
• Social engineering is a collection of
techniques used to manipulate people into
performing actions or divulging confidential
• Usually applies to using trickery for
information gathering or computer system
Social Engineering Techniques
• E-mail
– We see this all the time.
– Sometimes the spam filter catches them,
sometimes it does not.
– Generally sent to a large number of
• Phone calls
– Usually used as for directed attacks.
– Person attempts to gain specific access.
What is Pharming?
• A computer attack that misdirects a user to
a bogus web site.
• Often implemented as software
downloaded from the Internet.
So what’s with the Ph?
Original ‘ph’ word was phreaking.
Not exactly sure of the original meaning.
Maybe a combination of ‘phone’ and ‘freaking’.
It may also refer to the use of various audio
frequencies to manipulate the phone system.
• Term made famous by hackers who manipulated
the phone system to make free calls.
• Most famous, John Draper, aka Captain Crunch.
How does phishing work?
• Attack usually starts with an e-mail.
– User must respond to an event, such as an
account suspension.
– Must follow link in e-mail.
• Does not usually have a phone contact.
– Describes serious consequences to not
– Tries to get you to make a quick decision.
– Example of a phishing e-mail.
Phishing attack
• Once at the fake web site, try to get you to
enter your account and password
• Sites are very realistic.
– Refer back to example phishing attack.
How does pharming work?
• Similar to phishing, it begins with an email.
• Not necessarily an account update style
• May direct you to scandalous pictures, or
inexpensive products.
• Gets you to a web site where malicious
code is downloaded to your system.
• Lots of money!
• Do the math
– Send 100,000 e-mails.
– Get a response rate of 1%.
– That’s 1,000 people that respond!
– That’s 1,000 bank accounts or credit cards
that could be drained or used illegally.
– If each account is drained by $500, that 1/2 a
million dollars!
Phishing Response Rate
• There is no way to measure response rate
to phishing scams.
• Symantec estimates 1% to 10%
depending upon the sophistication of the
• They also estimate a much higher
response rate for phishing than the
response rate for other spam messages.
Identity Theft
• Phishing and pharming are just two ways
that your identity can be stolen.
• Other ways include people impersonating
you to obtain credit.
– Maybe to obtain work, using a stolen SSN.
– Generally to get credit cards for one time use.
– In one case, a person used a stolen identity to
purchase a house!
Other Confidence Games
• Not truly a case of identity theft
• Nigerian e-mail scam
• Trying to establish an American business
presence, and looking for an agent to
forward items to foreign countries.
• Winning a foreign lottery.
• All are advance fee arrangements.
– You pay upfront fees or shipping.
Examples of Confidence Games
• Unique ‘Christian’ confidence game that
was sent to me.
What can you do about this?
• Be careful in all transactions on the
– Know the policies and procedures for the
financial organizations that you deal with.
• How will your bank contact you if they detect
suspicious activity?
• Know how to report suspected identity theft.
What can you do about this?
• Consider using prepaid credit cards for
online purchases.
– Exposure is limited.
– Card not tied in any way to your banking
– Card does not impact your credit rating.
– Visa offers cards directly.
– A number of companies offer branded Visa or
MasterCard prepaid cards.
What can you do about this?
• Consider credit report monitoring.
– Not a be all, end all solution.
– Only identifies when your credit is impacted.
• Will indirectly show credit card activity.
– Does not protect against your accounts being
What can you do about this?
• Use a different password for each financial
account you have.
– Yes, this can be a pain to remember.
– Use a password manager to help manage
your accounts and passwords.
What can you do about this?
• Check out the security arrangements
before signing up for online banking?
– What access controls do they use?
– Look for multiple factor authentication
• Something you know (password)
• Something you posses (token)
• Something you are (fingerprint)
What can you do about this?
• Use anti-virus software, and keep it up to
• Use anti-malware software, and likewise,
keep it up to date.
• Consider using an anti-phishing tool bar
on your web browser.
– Built-in in newer browsers.
What to do it you are a victim?
• Contact your financial institutions.
– Most have help services for identity theft.
• Check your state’s web site.
– Usually the Attorney General or the Secretary
of State.
• Check the web site for the Federal Trade
Test Your Knowledge
• Google with a search of ‘phishing quiz’.
• Try to beat my score, I’ve done two tests,
and I got 9 out of 10 right.
• Kevin Mitnick, The Art of Deception
– Book about using social engineering
techniques to gain access to facilities and
• Wikipedia
– Search for ‘phishing’, ‘pharming’ and
• The Anti-Phishing Working Group
References (cont’d)
• Federal Trade Commission
• State Attorney’s General or state trade
• Your bank’s web site
– Usually contains privacy and security pages
that explain your rights and how the institution
safeguards access.
Thanks for attending!
• Copy of presentation will be available at…
• I have also sent a copy to the QSI people, in
case they are assembling a web site.