Exercise Section

  1. What is social engineering?
    Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical hacking techniques.
  2. What are the types of social engineering?
    There are seven main types of social engineering:
    - Pretexting
    - Diversion theft
    - Phishing
    - IVR or phone phishing (vishing)
    - Baiting
    - Quid pro quo
    - Common confidence tricks and frauds

  3. State how link manipulation is used in phishing and give a suggestion to prevent it.

    Link manipulation makes a link look as if it leads to a trusted organisation when it really leads to the phisher's site.

    For example, http://www.s260f.example.com/ appears to be the s260f website because the familiar name is in the address; but reading the hostname from the right, the registrable domain is example.com, and "s260f" is only a subdomain that the owner of example.com (i.e. the phisher) chose to create.

    Another example is a link whose visible text and real destination differ: the text may read "Resources", or even show a genuine-looking address, while the underlying href, e.g. http://s260f.example.com/Resources, takes you to a different page on the phisher's site.

    The suggestion to prevent it is to hover over the link before clicking and read the real destination, which most browsers show in the lower left-hand corner of the window; check the registrable domain there, or type the organisation's address into the address bar yourself instead of following the link.
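As an added example (not part of the original exercise answer), the following Python script performs the two checks described above on a constructed e-mail fragment: it splits a URL into registrable domain and subdomain so that http://www.s260f.example.com/ is reported as belonging to example.com, and it flags anchors whose visible text shows an address on a different domain from the real href. The sample message, the genuine domain s260f.test and the two-label rule for the registrable domain are assumptions for this example; real code must use the Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody had to register.

    Assumption made for this example: the registrable domain is the last two
    labels. Production code must consult the Public Suffix List instead,
    because hosts such as example.co.uk need three labels.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def describe_url(url: str) -> dict:
    """Split a URL into the owner's domain, the subdomain in front of it and the path.

    For http://www.s260f.example.com/ the owner is example.com, not s260f: the
    familiar name is only a subdomain chosen by whoever owns example.com.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    subdomain = host[: -len(owner)].rstrip(".") if host != owner and host.endswith(owner) else ""
    return {"host": host, "owner": owner, "subdomain": subdomain, "path": parts.path}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html_text: str) -> list:
    """Return (shown_text, real_href) pairs where the link text displays an address
    whose registrable domain differs from that of the real href.

    Links whose text is an ordinary word ("Resources") are not flagged here; for
    those the only defence is to inspect the href itself with describe_url().
    """
    collector = _LinkCollector()
    collector.feed(html_text)
    flagged = []
    for href, text in collector.links:
        try:
            real_owner = registrable_domain(urlsplit(href).hostname or "")
            shown = text if "://" in text else "http://" + text
            shown_host = urlsplit(shown).hostname or ""
        except ValueError:  # text or href is not parseable as a URL at all
            continue
        if "." in shown_host and " " not in text and registrable_domain(shown_host) != real_owner:
            flagged.append((text, href))
    return flagged


# Constructed sample message (not from the original page). Assume the genuine
# site's registrable domain is s260f.test and the phisher owns example.com.
SAMPLE_EMAIL = """
<p>Dear customer, please verify your account at
<a href="http://www.s260f.example.com/login">http://www.s260f.test/login</a>,
then read our <a href="http://s260f.example.com/Resources">Resources</a> page
or visit <a href="http://www.s260f.test/help">www.s260f.test/help</a>.</p>
"""

if __name__ == "__main__":
    for url in ("http://www.s260f.example.com/", "http://s260f.example.com/Resources"):
        print(url, "->", describe_url(url))
    for shown, real in deceptive_links(SAMPLE_EMAIL):
        print(f"link text {shown!r} actually points to {real!r}")
```

Running it reports that both page examples are owned by example.com with "s260f" merely a subdomain, and flags the first anchor, whose text shows www.s260f.test while the href goes to www.s260f.example.com; the "Resources" anchor is only caught by looking at its href, which is exactly what hovering over the link lets you do.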
  4. What might phishers do when you reveal personal information to them?
    They can
    •    prevent you from accessing your own accounts
    •    run up charges on your account
    •    open new accounts and sign utility or loan contracts in your name
    •    use a false ID and commit crimes using your personal information

  5. How can phishing be prevented?

    Three kinds of response to phishing:
    1. Social responses:
    • For the public - change browsing habits, e.g. type the company's genuine address into the browser's address bar instead of following a link in an e-mail.
    • For companies - give customers a way to validate that an e-mail is legitimate, such as visual or audio personalisation of e-mails.
    • For the industry - organisations that fight phishing, such as PhishTank and the APWG (Anti-Phishing Working Group), which collect and share reports of phishing sites.

    2. Technical responses:
    • Good-quality anti-virus and spyware detection software, and content filtering at the Internet gateway.
    • Browser security improvements, such as distinctive display of potentially deceptive content and a warning when a potentially unsafe link is selected.
    • Two-factor authentication, so that a stolen password alone does not give access: the second factor can be a one-time code from a hardware token or authenticator app, or a device identifier such as a checksum of the machine's available characteristics (a weaker check, since a static fingerprint can be copied and replayed).
     
    3. Legal responses:
    • The Anti-Phishing Act of 2005, introduced by Sen. Patrick Leahy (it was not enacted).