Avoiding Social Engineering Attacks
Malware, short for malicious software, is software designed to infiltrate a computer system without the owner’s informed consent.
Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, crimeware, most rootkits, and other malicious and unwanted software.
- Criminals target victims by scams
- Victim unknowingly installs software by clicking on a link or visiting an infected Internet site
- Fraudsters begin monitoring the accounts
- Victim logs on to their Online Banking
- Fraudsters collect login credentials
- Fraudsters wait for the right time and then, depending on your controls, will either log in after hours or, if you are using a token, wait until you enter your code. They then hijack the session and send you a message that Online Banking is temporarily unavailable
- Malicious websites (including Social Networking sites)
- P2P Downloads (e.g. LimeWire)
- Ads from popular web sites
Attackers create e-mails and websites designed to look like legitimate businesses, business partners or internal, company-branded web sites to deceive you into helping them commit fraud. Phishing emails targeted at a specific company or department are known as spear phishing.
Password Harvesting – Attackers are attempting to get you to give up your usernames and passwords. Examples are emails asking you to verify your network account, to sign up for employee benefits, or informing you that you have a secure email waiting. Such a message normally gives you a link to a web form where you enter your credentials, and it often looks legitimate.
Software Downloading – Attackers want you to open a secret electronic tunnel to them so they can remotely access systems through your computer, or to install programs that automatically search for and steal company and/or personal information. Being asked to download anti-virus software or to open an attached Word, Excel or PDF document are a few examples.
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don’t ask for sensitive information through email or text messages.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
- Utilize anti-phishing features available in your email client and/or web browser.
- Utilize an email SPAM filtering solution to help prevent phishing emails from being delivered.
- Do not open attachments received from unknown senders or unexpected attachments from known senders.
- Be cautious of the amount of personal information you make publicly available through social networking sites and other methods. The more information publicly available about you, the easier it is for attackers to craft more convincing phishing messages.
Attackers send deceptive SMS text messages in order to commit fraud. To help avoid an attack, the same rules and guidelines apply here as with any other phishing attempt.
Attackers are looking to gain your trust over the telephone so that you give up login credentials and/or business or personal information.
Attackers pretend to be someone they are not, such as a repairman, IT support technician, trusted vendor or new employee. They may drop the name of someone you know in order to further gain your trust. They may also attempt to gain access to computer equipment or gain unrestricted access to your network through a network port in an enclosed office or conference room.
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoof websites are typically made to look exactly like a legitimate website published by a trusted organization.
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social networking sites, pop-up windows, or non-trusted websites. Links can take you to a different website than their labels indicate. Typing an address in your browser is a safer alternative.
- Only give sensitive information to websites using a secure connection. Verify the web address begins with “https://” (the “s” is for secure) rather than just “http://”.
- Avoid using websites when your browser displays certificate errors or warnings.
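The URL checks described in the bullets above (a spelling variation or different domain, a trusted name used as a decoy, and the requirement for https://), written out as an added Python example that is not part of the original page. The trusted domain example-bank.com, the look-alike character table and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

TRUSTED = "example-bank.com"  # constructed trusted domain (assumption)

# Digits and letter pairs commonly substituted for look-alike letters (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(label: str) -> str:
    """Fold look-alike characters so 'examp1e' or 'exarnple' compare equal to 'example'."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character spelling variations of the trusted name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Last two labels of the host; a simplification that ignores suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def assess_url(url: str, trusted: str = TRUSTED) -> list[str]:
    """Return the reasons a URL should not be trusted for `trusted` (empty list = looks fine)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")  # the page's rule: look for https://, not http://
    host = parts.hostname or ""
    if not host:
        return findings + ["no host"]
    actual = registrable_domain(host)
    if actual == trusted:
        return findings  # genuine domain, any subdomain (e.g. login.example-bank.com) is fine
    findings.append(f"domain is {actual}, not {trusted}")
    t_name, a_name = trusted.split(".")[0], actual.split(".")[0]
    if normalize(a_name) == t_name or levenshtein(a_name, t_name) <= 1:
        findings.append("look-alike of trusted name")  # spelling variation or different TLD
    if t_name in host.lower() or t_name in parts.path.lower():
        findings.append("trusted name used as subdomain or path decoy")
    return findings

if __name__ == "__main__":  # constructed sample URLs
    for u in ("https://login.example-bank.com/", "http://examp1e-bank.com/",
              "https://example-bank.com.login-secure.net/verify"):
        print(u, assess_url(u))
```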