Instructions
You can make a copy of this presentation by downloading it:
“File” → “Download” → “Microsoft Powerpoint (.pptx)”
Or copy it to your Google Drive: “File” → “Make a copy” → “Entire presentation”
Text is by A1M Solutions, licensed CC-BY (Creative Commons Attribution 4.0 International).
Slide template is “Cute Pets” by Jimena Catalina of Slides Carnival, also licensed CC-BY.
You can modify and share this presentation as long as you retain the credits in the last slide.
A1M does not guarantee that the advice in this presentation is accurate or comprehensive; use your own judgment.
Phishing!
Research-based advice from cute animals
What?
An attacker trying to trick you into giving them your username and password or other valuable info through deception (often using fake websites)
Why?
It’s the easiest way for an attacker to get access to something they shouldn’t:
Some reasons why people do this
Steal money from your bank accounts (or redirect deposits)
Blackmail for money: install ransomware on company systems
Get more access: trick people you know into entering passwords
Trick people into sending money: you or people you know
Launder money: buy stuff with stolen money from your account
Find info to sell: identity, credit card numbers, hacked email accounts
Not just generic car warranty scams
Everyone can be tricked
“All that's needed is one victim in just the right circumstances and the right state of mind.” – Michał Zalewski
“Had my CC details phished recently by fake-UPS text message that arrived at the perfect moment when I was both focusing on something else and expecting a package, so did things on autopilot.” – Matt Stuchlik
“Facebook and Google, together, were scammed out of more than $100 million… A Lithuanian hacker… [sent] each company a series of fake invoices while impersonating a large Asian-based manufacturer they used as a vendor.” – Hashed Out
They appeal to your responsibilities
Real examples
A call from my bank’s phone number about fraud detection
You can be tricked, but you can reduce the damage
Let’s look at the research
Common types of MFA/2FA, from okay to best
Email: copy-paste a code sent to your email
SMS or Call: type a code sent to your phone number by SMS or call
Time-based One-Time Password (TOTP): type a code generated somewhere else (like Google Authenticator)
RSA token: small hardware device similar to TOTP
On-Device Prompt: approve a new login from another device where you’re logged in
Security Key: small hardware device that auto-types a code
WebAuthn: can use biometrics, like your fingerprint or face
PIV card: also a type of security key!
Set up two-factor authentication on work and personal accounts
So even if attackers get your password, they’re not in!
They have to trick you to also type your code, and they have to immediately use it.
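To show why a phished code is only useful to an attacker who uses it immediately, here is an added Python example (not code from the A1M deck) implementing RFC 6238 time-based codes over an RFC 4226 HOTP core, with a server-side check that accepts only the current 30-second window and its neighbours. The secret is the RFC's published test secret, used so the outputs can be checked against the RFC's own vectors; it is not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # one code per 30-second window, as in Google Authenticator
DIGITS = 6

# Constructed demo secret: the published RFC 6238 test secret ("12345678901234567890"
# in base32), used here only so the outputs can be checked against the RFC's vectors.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second windows since the epoch."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // step, digits)


def verify(secret_b32: str, code: str, now: int, step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check: accept only the current window plus `skew` neighbours for clock drift.

    A code captured in window N is therefore worthless once the clock has moved past N + skew,
    which is why the attacker has to use it immediately.
    """
    candidates = [totp(secret_b32, now + k * step, step) for k in range(-skew, skew + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


if __name__ == "__main__":
    captured = totp(DEMO_SECRET_B32, 59)         # code a victim might have typed into a fake site at t=59
    print("captured code:", captured)            # 287082 per the RFC 6238 SHA-1 vectors
    print("used 2 s later:", verify(DEMO_SECRET_B32, captured, 61))    # True
    print("used 90 s later:", verify(DEMO_SECRET_B32, captured, 150))  # False
    print("current code:", totp(DEMO_SECRET_B32, int(time.time())))
```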
In particular:
Protect your email with two-factor
It’s the key to everything else, via password reset emails.
Use unique passwords
So even if they get one, it’s not easy to get everything
Use a password manager to keep track!
When something happens…
Avoid training people to just click: let people know ahead of time (on Slack or in a meeting) to expect certain emails
Received something that looks weird? Or got a weird phone call? (even a little bit weird)
Ask about it in [insert place here]
If you think you maybe got tricked
It’s ok, ask somebody for help right away
(within one hour)
Help your family and friends set up two-factor authentication on their email and social accounts
A friend who might be targeted due to visibility
A loved one experiencing cognitive or memory decline
Anyone! (everyone can be tricked)
It’s tough, but incident response is less fun
Questions?
Recommended: check out how login.gov does usability-tested 2FA!
Credits: Text is by A1M Solutions, licensed CC-BY (Creative Commons Attribution). Slide template is “Cute Pets” by Jimena Catalina of Slides Carnival, licensed CC-BY.