Phishing

=__//**PHISHING**//__=
BY: ZACHARY CHANDLER ISTC 301

Description:
//Phishing// is the practice of distributing and publishing e-mail messages and Web sites that are designed to look like those of legitimate businesses, financial institutions, or government agencies in order to deceive Internet users into giving up private information, usually for criminal purposes. This private information may include passwords, credit card numbers, phone numbers, addresses, account numbers, financial information, and usernames.

The most common way this is currently done is by redirecting a person from a legitimate website to a look-alike website, where they will be asked to "confirm your account number" or "verify your information". The threat of phishing was first recognized in 1986 and was not seen until 1997. Some of the earliest phishing methods were used on AOL to access account and username information, and from there credit card info. Now, phishing has centered primarily around banks, payment services, and social networking sites. Just recently I myself received an email from my bank stating that "You should be on the alert for unsolicited emails requesting personal or sensitive information...M&T bank will not send you emails requesting your credit card number, social security number, or other personal information."

Congress has passed an Anti-Phishing Act of 2004, which most importantly defines phishing as a federal offense, with proposed sentences of up to 5 years in jail and a fine of up to 250,000 dollars. It also clearly states that the phisher only has to be convicted of the scam, and that success in their scam is not necessary for conviction. However, that bill, along with the Anti-Phishing Bill of 2005, did not make it past the committee, and both were killed. There is still a strong piece of law (Chapter 63 Title 18 Part 1 Chapter 4 of the U.S. Code) that names "Fraud and related activity in connection with identification documents, authentication features, and information" as being illegal.

Phishing is currently the largest method of online spam seen worldwide. The most common ways of phishing come through emails redirecting a user to a false website under the face of the real website. Another is known as link manipulation: for example, Wachovia Bank experienced this when an alternative website was made up spelling vvachoviabank.com, using 2 v's for a w. Once a person went to the real Wachovia Bank website, the bug redirected them to the look-alike site with what looked like the same URL. Phishing also occurs over the phone, most commonly through false banks. The image below shows the most targeted industries for phishing fraud during the second quarter of 2010.
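The link-manipulation trick described above (vvachoviabank.com, with two v's standing in for a w) can be caught mechanically. The following is an added example, not part of the original page: it collapses common look-alike character sequences and compares the result against a list of trusted domains. The trusted list, the substitution table and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list. "wachoviabank.com" is inferred from the page's
# look-alike spelling; "examplebank.test" is a made-up sample domain.
TRUSTED = {"wachoviabank.com", "examplebank.test"}

# Character sequences that read like another letter at a glance (assumed table).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def skeleton(host):
    """Collapse confusable sequences so look-alike names map to one string."""
    host = host.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def registrable(host):
    """Naive last-two-labels domain (assumption: no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url):
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a URL."""
    # urlsplit ignores any "user@" prefix, so the real host is what gets checked.
    host = urlsplit(url).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    trusted_skeletons = {skeleton(t): t for t in TRUSTED}
    match = trusted_skeletons.get(skeleton(domain))
    if match:
        return "lookalike of " + match
    return "unknown"


if __name__ == "__main__":
    for sample in ("http://vvachoviabank.com/login",
                   "https://www.wachoviabank.com/",
                   "http://wachoviabank.com@evil.test/"):
        print(sample, "->", classify(sample))
```

A hostname that is not on the trusted list but has the same skeleton as a trusted one is the case to warn the user about.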



Anti-phishing tools are steadily being developed each day to stop this fraudulent method of obtaining user information, and most internet browsers and email sites have anti-phishing tools built in. Unfortunately, the growth rate of technology is so rapid that phishers are constantly creating newer and more advanced methods of phishing that these anti-phishing tools may not be able to detect. Therefore, in the end the responsibility falls on the user. A user needs to know about phishing and how it can interfere with or even endanger their lives, especially through identity and financial information fraud. This goes hand in hand with the digital citizenship included in the ISTE NETS. Students need to know what is out there and how to avoid it and be safe. They must also be personally responsible while using technology.

=__**What is the impact of this issue on K-12 schools, educators, and students?**__=
K-12 schools and educators need to be aware of phishing so they can monitor students' usage of the internet for their own protection. Phishing can lead to access to school information through main school databases or private teacher accounts. An administrator or teacher can just as easily be a victim of phishing as a student, and therefore needs to know how to protect themselves so they can teach their students how to protect themselves, and thus protect their school. Social network sites and private gaming sites are what endanger K-12 students the most. A large incident occurred recently with MySpace, when a computer bug was inserted into the website that redirected users to re-sign in. Once the user re-signed in, that third party had all of the user's information and from there could start their identity theft mischief. On social network sites phishing is effective over 70 percent of the time.
Students who use these websites frequently for communication could be at high risk if they fall victim to electronic phishing, and with the advancement of smartphones, computers, and other electronic devices, phishing methods are going to continue to become more effective.

=__**Integrating this topic into Daily Instruction:**__=
While phishing is a very advanced and dangerous subject, even young children can accidentally fall victim to it. This is why I have provided information on integrating it into the classroom for all grades K-12.

**PreK-K**
I am not too sure if children in PreK and Kindergarten will fall victim to phishing, but to be safe a teacher can integrate the importance of only using the internet under mom or dad's supervision. They can do a brief lesson relating phishing to stealing and how stealing is bad and never feels good. Also, the teacher should be properly informed about the effects of phishing prior to beginning instruction.

**Grades: 1-4**
Around first to fourth grade, it is still probably unlikely that children will be members of social networks or financial websites, for that matter. However, I am sure that by this age they will start becoming comfortable using the internet and therefore should be made aware of these online scams. I see the largest threat for this demographic of students within video games. First to fourth grade is around the time when children may start making up account information for online gaming websites or for paid internet games. If the website gets phished, a vulnerable or uneducated child may re-enter information such as username, password, phone number, or home address that could lead to identity fraud, or, if the information is under their parents' credit card, possibly to financial problems. In the classroom this could be integrated by demonstrating how a website could ask you to re-enter information or put in your personal information, and reinforcing the fact that this is bad and can lead to trouble. The children can do a quick skit or presentation directed by the teacher on how lying and stealing are wrong and will result in punishment. This goes for internet stealing as well. From here the teacher can talk about phishing and how it is exactly like stealing and lying.

**Grades: 4-8**
Around grades fourth through eighth, students would probably start creating accounts on social networking sites, still have accounts for gaming sites, and have email addresses. This is also the age range where students will start using cellphones (particularly smartphones), which opens a very large window of vulnerability to phishing. This is where the intense teaching of digital citizenship and technology fraud awareness needs to start. Around this age students will feel invincible against the world, and unfortunately this is not the case. A slip of information to a phisher can lead to seriously damaging side effects, not only for that student but for the family as well. On this note, phishing awareness should not only be integrated into instruction in the classroom but at home as well. Most middle schools have computer labs and classes in which students learn how to use the internet, word processing websites, and other technology for educational use. This would be the ideal place for children to learn the dangers of the internet so that they can be prepared. A way to integrate this into a computer class would be to have students use a Microsoft document or other similar software and make an outline of how phishing occurs electronically. Then the students could make the presentation in front of the class to reiterate, not only to themselves but to their classmates as well, the dangers that lie in phishing. I also think that having after-school seminars or assemblies for both parents and students would be a great method of conveying information. Like I said earlier, students are not only going to be using the internet and technology in school. Actually, the majority of their usage will probably be at home. This is why it is so important to reach out not only to students, but to the parents as well.
If you see that parental participation is low at an assembly, maybe send out an email with a video for the parent and child to watch online, and make it so the parent has to reply back to the email stating that they have watched it with their child.

**Grades: 9-12**
Nowadays, by high school students are pretty comfortable and fluent in technology, often more so than the instructors. However, just because they may know how to use technology on a more advanced level does not indicate they are aware of the possible threats that come through technology. Around this demographic financial fraud may become a danger as well, if not directly through a student's account, possibly through a parent's account (maybe on a shopping website). Once again, I think the strongest way to have students grasp the dangers out there is to have them research it first hand. Have them make a presentation on phishing, through various methods. Make this presentation consist of three real-life cases where a person was the victim of a phisher and lost a lot of money, private information, or anything else. Also, as mentioned for grades 5-8, the after-school assemblies and emails would be an excellent way to communicate with the parents at home, since home is where a majority of internet usage happens. Digital citizenship is a huge responsibility in the world today, and it is something that should be taught in the school system.

=__**Additional Links:**__=
Below is an excellent link on avoiding phishing scams, and taking precautions when using electronic media.

=__**Quiz:**__=
 * __Phishing Quiz__
