In a social engineering attack, an attacker uses human interaction to manipulate a person into providing them information. People have a natural tendency to trust. Social engineering attacks attempt to exploit this tendency in order to steal your information. Once the information has been stolen it can be used to commit fraud or identity theft.
Criminals use a variety of social engineering attacks to attempt to steal information, including:
- Website spoofing
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoof websites are typically made to look exactly like a legitimate website published by a trusted organization.
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social networking sites, pop-up windows, or non-trusted websites. Links can take you to a different website than their labels indicate. Typing an address in your browser is a safer alternative.
- Only give sensitive information to websites using a secure connection. Verify the web address begins with "https://" (the "s" is for secure) rather than just "http://".
Phishing is when an attacker attempts to acquire information by masquerading as a trustworthy entity in an electronic communication. Phishing messages often direct the recipient to a spoof website. Phishing attacks are typically carried out through email, instant messaging, telephone calls, and text messages (SMS).
Here are some questions to ask if you think you have received a phishing attack:
- Do you know the sender of the email? If yes, still be cautious before clicking a link. If no, do not click any links.
- Are there any attachments in the email? If so, is the attachment an executable (a file with the extension .exe, .bat, .com, .vbs, .reg, .msi, .pif, .pl, .php)? If so, do not click on the attachment. Even if the file does not contain one of the above mentioned extensions, be cautious about opening it. Contact the sender to veriliy its contents.
- Does the email request personal information? If so, do not reply.
- Does the email contain grammatical errors? If so, be suspicious.
- If you have a relationship with the company, are they addressing you by name?
- Have you checked the link? Mouse over the link and check the URL. Does it look legitimate or does it look like it will take you to a different website?
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don't ask for sensitive information through email or text messages.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
- Utilize anti-phishing features available in your email client and/or web browser.
- Utilize an email SPAM filtering solution to help prevent phishing emails from being delivered.
Pharming is another scam where a hacker installs malicious code on a personal computer or server. This code then redirects clicks you make on a website to another fraudulent website without your consent or knowledge. Be careful when entering financial information on a website. Look for the key or lock symbol at the bottom of the browser. If the website looks different than when you last visited, be suspicious and don't click unless you are absolutely certain the site is safe.
Unfortunately, phishing emails are not the only way people can try to fool you into providing personal information in an effort to steal your identity or commit fraud. Criminals also use the phone to solicit your personal information. This telephone version of phishing is sometimes called vishing. Vishing relies on "social engineering" techniques to trick you into providing information that others can use to access and use your important accounts. People can also use this information to pretend to be you and open new lines of credit.
To avoid being fooled by a vishing attempt:
- If you receive an email or phone call asking you to call and you suspect it might be a fraudulent request, look up the organization's customer service number and call that number rather than the number provided in the solicitation email or phone call.
- Forward the solicitation email to the customer service or security email address of the organization, asking whether the email is legitimate.
Though vishing and its relative, phishing, are troublesome crimes and sometimes hard to identify, there are things that you can do to protect your identity. Visit the Federal Trade Commission online to learn more.
Just like phishing, smishing uses cell phone text messages to lure consumers in. Often the text will contain an URL or phone number. The phone number often has an automated voice response system. And again just like phishing, the smishing message usually asks for your immediate attention.
In many cases, the smishing message will come from a "5000" number instead of displaying an actual phone number. This usually indicates the SMS message was sent via email to the cell phone, and not sent from another cell phone.
Do not respond to smishing messages.