Phishing Dark Waters

An essential anti-phishing desk reference for anyone with an
email address

Phishing Dark Waters addresses the growing and continuing
scourge of phishing emails, and provides actionable defensive
techniques and tools to help you steer clear of malicious emails.
Phishing is analyzed from the viewpoint of human decision-making
and the impact of deliberate influence and manipulation on the
recipient. With expert guidance, this book provides insight into
the financial, corporate espionage, nation state, and identity
theft goals of the attackers, and teaches you how to spot a spoofed
e-mail or cloned website. Included are detailed examples of high
profile breaches at Target, RSA, Coca Cola, and the AP, as well as
an examination of sample scams including the Nigerian 419,
financial themes, and post high-profile event attacks. Learn how to
protect yourself and your organization using anti-phishing tools,
and how to create your own phish to use as part of a security
awareness program.

Phishing is a social engineering technique through email that
deceives users into taking an action that is not in their best
interest, but usually with the goal of disclosing information or
installing malware on the victim's computer. Phishing Dark
Waters explains the phishing process and techniques, and the
defenses available to keep scammers at bay.

• Learn what a phish is, and the deceptive ways they've been
  used

• Understand decision-making, and the sneaky ways phishers reel
  you in

• Recognize different types of phish, and know what to do when
  you catch one

• Use phishing as part of your security awareness program for
  heightened protection

Attempts to deal with the growing number of phishing incidents
include legislation, user training, public awareness, and technical
security, but phishing still exploits the natural way humans
respond to certain situations. Phishing Dark Waters is an
indispensible guide to recognizing and blocking the phish, keeping
you, your organization, and your finances safe.

Auteur

CHRISTOPHER HADNAGY, author of Social Engineering: The Art of Human Hacking, specializes in the human aspects of technology. With more than 14 years of experience in technology, he is CEO of Social-Engineer, Inc. and a frequent speaker at major security conferences. MICHELE FINCHER possesses more than 20 years experience as a behavioral scientist, researcher, and information security professional. She is a senior penetration tester and Chief Influencing Officer at Social-Engineer, Inc.

Résumé
An essential anti-phishing desk reference for anyone with an email address Phishing Dark Waters addresses the growing and continuing scourge of phishing emails, and provides actionable defensive techniques and tools to help you steer clear of malicious emails. Phishing is analyzed from the viewpoint of human decision-making and the impact of deliberate influence and manipulation on the recipient. With expert guidance, this book provides insight into the financial, corporate espionage, nation state, and identity theft goals of the attackers, and teaches you how to spot a spoofed e-mail or cloned website. Included are detailed examples of high profile breaches at Target, RSA, Coca Cola, and the AP, as well as an examination of sample scams including the Nigerian 419, financial themes, and post high-profile event attacks. Learn how to protect yourself and your organization using anti-phishing tools, and how to create your own phish to use as part of a security awareness program.

Phishing is a social engineering technique through email that deceives users into taking an action that is not in their best interest, but usually with the goal of disclosing information or installing malware on the victim's computer. Phishing Dark Waters explains the phishing process and techniques, and the defenses available to keep scammers at bay.

• Learn what a phish is, and the deceptive ways they've been used
• Understand decision-making, and the sneaky ways phishers reel you in
• Recognize different types of phish, and know what to do when you catch one
• Use phishing as part of your security awareness program for heightened protection
  Attempts to deal with the growing number of phishing incidents include legislation, user training, public awareness, and technical security, but phishing still exploits the natural way humans respond to certain situations. Phishing Dark Waters is an indispensible guide to recognizing and blocking the phish, keeping you, your organization, and your finances safe.

Contenu
Foreword xxiii Introduction xxvii

Chapter 1 An Introduction to the Wild World of Phishing 1

Phishing 101 2

How People Phish 4

Examples 7

High-Profi le Breaches 7

Phish in Their Natural Habitat 10

Phish with Bigger Teeth 22

Spear Phishing 27

Summary 29

Chapter 2 The Psychological Principles of Decision-Making 33

Decision-Making: Small Bits 34

Cognitive Bias 35

Physiological States 37

External Factors 38

The Bottom Line About Decision-Making 39

It Seemed Like a Good Idea at the Time 40

How Phishers Bait the Hook 41

Introducing the Amygdala 44

The Guild of Hijacked Amygdalas 45

Putting a Leash on the Amygdala 48

Wash, Rinse, Repeat 49

Summary 50

Chapter 3 Influence and Manipulation 53

Why the Difference Matters to Us 55

How Do I Tell the Difference? 56

How Will We Build Rapport with Our Targets? 56

How Will Our Targets Feel After They Discover They've Been Tested? 56

What Is Our Intent? 57

But the Bad Guys Will Use Manipulation . . . 57

Lies, All Lies 58

P Is for Punishment 59

Principles of Influence 61

Reciprocity 61

Obligation 62

Concession 63

Scarcity 63

Authority 64

Consistency and Commitment 65

Liking 66

Social Proof 67

More Fun with Influence 67

Our Social Nature 67

Physiological Response 68

Psychological Response 69

Things to Know About Manipulation 70

Summary 71

Chapter 4 Lessons in Protection 75

Lesson One: Critical Thinking 76

How Can Attackers Bypass This Method? 77

Lesson Two: Learn to Hover 77

What If I Already Clicked the Link and I Think It's Dangerous? 80

How Can Attackers Bypass This Method? 81

Lesson Three: URL Deciphering 82

How Can Attackers Bypass This Method? 85

Lesson Four: Analyzing E-mail Headers 85

How Can Attackers Bypass This Method? 90

Lesson Five: Sandboxing 90

How Can Attackers Bypass This Method? 91

The Wall of Sheep, or a Net of Bad Ideas 92

Copy and Paste Your Troubles Away 92

Sharing Is Caring 93

My Mobile Is Secure 94

A Good Antivirus Program Will Save You 94

Summary 95

Chapter 5 Plan Your Phishing Trip: Creating the Enterprise Phishing Program 97

The Basic Recipe 99

Why? 99

What's the Theme? 102

The Big, Fat, Not-So-Legal Section 105

Developing the Program 107

Setting a Baseline 108

Setting the Difficulty Level 109

Writing the Phish 121

Tracking and Statistics 122

Reporting 125

Phish, Educate, Repeat 127

Summary 128

Chapter 6 The Good, the Bad, and the Ugly: Policies and More 131

Oh, the Feels: Emotion and Policies 132

The Definition 132

The Bad 133

Making It Good 133

The Boss Is Exempt 133

The Definition 134

The Bad 134

Making It Good 134

I'll Just Patch One of the Holes 135

The Definition 135

The Bad 136

Making It Good 136

Phish Just Enough to Hate It 136

The Definition 137

The Bad 137

Making It Good 138

If You Spot a Phish, Call This Number 138

The Definition 139

The Bad 139

Making It Good 140

The Bad Guys Take Mondays Off 140

The Definition 141

The Bad 141

Making It Good 141 If You Can't See It, You Are Safe 142&l...