Social Engineering and Phishing

They're phishing for your personal data. Don't take the bait.

Social engineering and phishing are just two of the hazards you face every time you go online or check your email. We've got some useful information to help keep your personal information safe.

Social engineering is the practice of obtaining confidential information by tricking people instead of breaching computer security. Social engineers typically use the phone or Internet to get people to reveal sensitive information that's used to gain illegal access to systems.

Phishing is using a fraudulent electronic communication to get you to reveal your account passwords, credit or debit card numbers, Social Security number, etc., usually by posing as a trusted entity. Phishing can be done by phone, in person, or through fraudulent pop-up windows and websites. One of the most common phishing scams involves sending a fraudulent email appearing to be from a well-known company. Social engineering and phishing are often used in combination.

HOW PHISHING WORKS:

To protect yourself from phishing, you first have to understand how phishing works. It is usually a three-step process:

  1. Mass email - A criminal will send out emails designed to look like messages from a well-known company.
  2. Phishing email - The typical phishing email tries to lure you into clicking a link or button in the email or calling a phone number. These will lead you to a fraudulent website or phone line.
  3. Fraudulent website - The fraudulent website will resemble a popular site, usually down to the tiniest detail. The site will ask for personal information like your credit card number, Social Security number or account password.

SPOTTING A PHISHING SCHEME

There are a few key warning signs that can help you identify a phishing scheme.

The first is often the email itself. Be aware of the many subtle signs that an email is fraudulent, including:

  • Sender's email address. The "From" line may include an official-looking email address made to mimic a real address, usually simply off by a letter or character.
  • Generic email greeting. A typical phishing email has a generic greeting like "Dear User."
  • False sense of urgency. Many phishing emails threaten that your account will be in jeopardy if it's not updated right away.
  • Fake links. Many phishing emails contain a link that looks valid, but sends you to a fraudulent site.

The next sign to look out for is any information that is being requested. Remember that a legitimate company will never ask for the following sensitive information in email -- and that it should never be provided in that channel:

  • Credit or debit card number
  • Social Security number
  • Bank account numbers
  • Driver's license number
  • Email addresses
  • Passwords

Finally, be sure to check out the URL if a link is provided. Some criminals will insert a fake browser address bar over the real one, making you think you're on a legitimate site.

Examples of fake addresses:
http://signin.fnb.com@10.11.35.44/
http://84.17.133.17/update.htm?=https://www.fnb.com/=cmd_login_access
www.secure-fnb.com
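As an added example (not part of the original article), the short Python script below uses the standard library's URL parser to show which host each of the three fake addresses above really connects to, and which of the warning signs described in this section it carries. It assumes the legitimate site being imitated is www.fnb.com.

```python
# Added example, not from the original article: where a deceptive URL really goes.
from urllib.parse import urlsplit

# Assumption: the brand being imitated is fnb.com (as in the article's examples).
LEGIT_HOSTS = {"fnb.com", "www.fnb.com"}


def _split(url: str):
    # A bare address like 'www.secure-fnb.com' has no scheme; assume http.
    return urlsplit(url if "://" in url else "http://" + url)


def real_host(url: str) -> str:
    """Host the browser would actually connect to.

    Everything before '@' in the authority is userinfo, not the host, so
    'signin.fnb.com@10.11.35.44' connects to 10.11.35.44, not to fnb.com.
    """
    return _split(url).hostname or ""


def is_legit_domain(host: str) -> bool:
    """True only for the brand's own domain or one of its subdomains."""
    return host in LEGIT_HOSTS or host.endswith(".fnb.com")


def warning_signs(url: str) -> list:
    """Red flags from the article that apply to one URL (empty list = none)."""
    parts = _split(url)
    host = parts.hostname or ""
    signs = []
    if parts.username is not None:
        signs.append(f"userinfo '{parts.username}' hides real host {host}")
    if host.replace(".", "").isdigit():
        signs.append(f"bare IP address host {host}")
    if "fnb.com" in parts.path + parts.query and not is_legit_domain(host):
        signs.append("brand name appears only in path/query, not in host")
    if "fnb" in host and not is_legit_domain(host):
        signs.append(f"look-alike domain {host}")
    if parts.scheme != "https":
        signs.append("not https")
    return signs


# The three fake addresses quoted in the article.
FAKE_URLS = [
    "http://signin.fnb.com@10.11.35.44/",
    "http://84.17.133.17/update.htm?=https://www.fnb.com/=cmd_login_access",
    "www.secure-fnb.com",
]

if __name__ == "__main__":
    for u in FAKE_URLS:
        print(u, "->", real_host(u), warning_signs(u))
```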

The term "https" should precede any web address (or URL) where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session and you shouldn't enter data.

Additionally, make sure there is a secure lock icon in the status bar at the bottom of the browser window. Many fake sites will put this icon inside the window to trick you.

WHAT TO DO IF YOU SUSPECT PHISHING

If you believe an email may be fraudulent, do NOT open it or click on any links or buttons in the email. Delete the email and report it to the company that supposedly sent the communication. Never provide sensitive information via email.

No matter what, always check where a link is going before you click. Move your mouse over the link in the email and look at the destination URL the browser displays. You can also open a new browser window and type in the URL directly, or search for the official website of the sender. If you receive a suspicious email, it is always a good idea to call the sending company directly to ensure the communication is valid and to report any potential fraudulent activity.