RAAUZELX RUENAAA0693 2131140-UUUU--RUHQCNU.
ZNR UUUUU ZUI RUEWCSE5682 2131429
R 011140Z AUG 06 ZEL
FM CNO WASHINGTON DC//DNS//
TO NAVADMIN
INFO RHMFIUU/CNO WASHINGTON DC//DNS//
RUENAAA/CNO WASHINGTON DC//DNS//
BT
UNCLAS //N03120//
NAVADMIN 216/06
MSGID/GENADMIN/CNO WASHINGTON DC/DNS/JUL//
SUBJ/PHISHING SCAMS//
REF/A/RMG/DON CIO/061525ZOCT2004//
REF/B/RMG/CNO/071651ZDEC2004//
NARR/REF A AND B PROVIDE THE REQUIREMENTS FOR DIGITALLY SIGNING EMAILS.//

RMKS/1. FRAUD AND IDENTITY THEFT ARE BECOMING MORE AND MORE COMMON EACH DAY. ALTHOUGH THESE KINDS OF CRIMES HAVE BEEN AROUND FOR YEARS, THE INTERNET NOW GIVES CRIMINALS ACCESS TO ONLINE METHODS OF SWINDLING UNSUSPECTING VICTIMS. WHILE YOU MIGHT BE SUSPICIOUS OF EMAIL FROM UNKNOWN SOURCES, IT CAN BE DIFFICULT TO DISTINGUISH BETWEEN LEGITIMATE SITES OR EMAIL AND THE "SPOOFED" SITES OR EMAILS CREATED FOR SNARING THE UNSUSPECTING.

2. RECENT SCAMS HAVE IMPERSONATED RECOGNIZED INTERNET SERVICE PROVIDERS AND COMPANIES, AS WELL AS NAVY RELATED ORGANIZATIONS, INCLUDING NAVY FEDERAL CREDIT UNION AND NAVY KNOWLEDGE ONLINE. PHISHING HAS ALSO IMPERSONATED GOVERNMENT SOURCES SUCH AS NAVY MARINE CORPS INTRANET (NMCI) AND THE VETERANS ADMINISTRATION (VA). PHISHING SCHEMES USE A NUMBER OF TECHNIQUES TO GET THE USER TO "BITE." TWO OF THE MOST COMMON SCHEMES ARE: "SPOOFING," WHERE EMAIL ADDRESSES AND PAGE CONTENT APPEAR TO BE FROM A VALID SOURCE; AND "SOCIAL ENGINEERING," WHERE EMAILS, AND OTHER MEANS SUCH AS A PHONE CALL FROM SOMEONE WHO SEEMS TO KNOW YOU, PLAY UPON HUMAN CURIOSITY TO TRICK THE USER INTO REVEALING PERSONAL DATA BY CONVINCING OR SCARING THEM INTO THE DESIRED ACTION, POTENTIALLY DIVULGING CREDIT CARD NUMBERS, BANK INFORMATION, SOCIAL SECURITY NUMBERS, USER IDS AND PASSWORDS FOR PERSONAL GAIN OR TO GAIN ACCESS TO A NETWORK. COMPANY LOGOS AND LETTERHEADS MAY APPEAR TO BE GENUINE AT FIRST GLANCE, AND THIS IS HOW UNSUSPECTING USERS ARE USUALLY LURED INTO HELPING THE PHISHERS ACCOMPLISH THEIR GOALS. A RECENT INCIDENT OF PHISHING APPEARED TO COME FROM AN OFFICIAL NMCI NAVY ACCOUNT BUT FORTUNATELY THERE WAS NO COMPROMISE.

3. REFS A AND B REQUIRE NAVY NETWORK USERS TO DIGITALLY SIGN ANY EMAIL THAT TASKS A USER WITHIN DOD FOR PERSONAL INFORMATION. USE OF THE DIGITAL SIGNATURE ELIMINATES THE SENDER'S ABILITY TO CLAIM AN EMAIL WAS NOT SENT BY HIM/HER (NON-REPUDIATION) AND ENSURES POSITIVE IDENTIFICATION OF THE SENDER (AUTHENTICATION). AS A FIRST LINE OF DEFENSE, USERS SHOULD CHECK TO SEE IF AN EMAIL REQUESTING ANY PERSONAL INFORMATION HAS BEEN DIGITALLY SIGNED. IF IN DOUBT, PHONE THE PERSON OR ORGANIZATION THE EMAIL APPEARS TO COME FROM.

4. BE AWARE THAT WHENEVER YOU CLICK ON A LINK IN AN EMAIL OR OPEN AN ATTACHMENT IT MAY NOT HAVE COME FROM THE PERSON OR ENTITY YOU THINK IT CAME FROM. USERS SHOULD AVOID ANSWERING ANY EMAIL THAT ATTEMPTS TO GET THEM TO REVEAL PERSONAL INFORMATION, AND SHOULD REPORT ANY SUSPICIOUS CORRESPONDENCE TO THEIR INFORMATION ASSURANCE MANAGER OR CIO TEAM IMMEDIATELY. NEVER RELEASE PASSWORD, LOGIN, OR PIN NUMBERS VIA ANY MEDIUM.

5. RELEASED BY VADM A. E. RONDEAU, DIRECTOR NAVY STAFF.//
BT
#0693
NNNN