Monday, March 30, 2015

How To Avoid Phishing And Social Engineering Attacks On The Internet

We often talk about all of the security precautions that we need to take in order to safely navigate the Internet. Using anti-virus software, updating your operating system, applying the latest versions of Java and Flash, etc. will all help keep you safe and secure. None of these, however, will protect you from a well-executed phishing or social engineering attack, because those attacks target the person at the keyboard rather than the software.

What is a Social Engineering Attack? This type of attack is non-technical. Social engineering is the art of manipulating people so that they give up confidential information. The information these "bad guys" seek varies, but when individuals are targeted the criminals are usually trying to trick you into handing over your passwords or bank details. The same trick is often used to get you to open a file or run a program that secretly installs malicious software, giving them access to your information as well as control over your computer. It is much easier to trick someone into providing a password than it is to "hack" it, particularly if it is a complex one. The weakest link in any security system is a trusting individual.

Suppose you get an email from a friend. If a "bad guy" manages to hack or socially engineer one person's email password, they now have access to that person's contact list. Since many people reuse one password everywhere (a bad practice), they probably have access to that person's social networking (Facebook) contacts as well. Once the "bad guy" controls that account, they can send fraudulent email to all of the person's contacts or leave messages on their friends' social pages.

The email may contain a link or a picture that you feel compelled to click because you think it came from a friend. Once you click, the link can lead to a download or a booby-trapped web page that installs malware on your device, giving the sender control of your computer.

What is a Phishing Attack? Phishing is another form of social engineering. Phishing attacks use email or malicious websites to solicit personal information while posing as a trustworthy organization. For example, an attacker may send email that appears to come from a reputable credit card company or financial institution and requests account information, often claiming that there is a problem with your account. Many of these messages look authentic and official, but closer inspection often reveals misspelled words, generic greetings, or links whose real destination is not the organization's own website. When users respond with the requested information, attackers use it to gain access to their accounts. Phishing also takes the form of fraudulent charity appeals or impersonation of a legitimate group; these most often appear when natural disasters are in the news.

How can you avoid being duped?

  • Be suspicious of unsolicited phone calls or emails from individuals asking for personal information. If an unknown individual claims to be from a legitimate organization, verify his or her identity directly with the company, using a phone number or address you already have. Do not reply to the email, and hang up on the caller.
  • Don't send sensitive information over the Internet unless you know that the website is secure. Look for https in your browser's address bar, but remember that https only means the connection is encrypted, not that the site is who it claims to be, so it is a necessary check rather than a sufficient one. Beware of open public Wi-Fi; it is never secure.
  • Look closely at the URL (address) of a website. A malicious website may look identical to a legitimate one, but its URL may use a variation in spelling or a different top-level domain (e.g., .com vs. .net vs. .org), or place the familiar name in front of the attacker's real domain as a subdomain so that only the end of the address reveals where you really are.
  • If you are unsure whether an email request is legitimate, check it online or by calling the company directly. Do not use the contact information in the email. Check them out using the Anti-Phishing Working Group (
  • Delete all email requests for financial information or passwords. Legitimate organizations do not ask for these by email; such requests are scams.
  • If you receive email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country, it is a scam.
  • Ignore unsolicited offers of help. Legitimate companies and organizations do not contact you out of the blue to provide help. If you did not specifically request assistance from the sender, treat any offer of help as a scam. Similarly, if you receive an email request for help from a charity or organization that you have no relationship with, delete it.
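The "look closely at the URL" advice above can be turned into a mechanical check. The following Python script is an added example, not part of the original post: it pulls the real host out of a link and flags the common tricks (a trusted name used as a subdomain of another domain, a swapped top-level domain, one-character misspellings, a `user@host` prefix that hides the true host, and punycode labels). The trusted domain `examplebank.com` and the sample links are constructed for the example, and the two-label "registrable domain" rule is a simplification; production code should use the Public Suffix List instead.

```python
from urllib.parse import urlsplit

# Constructed sample: domains the user actually has a relationship with.
# A real list would hold the registrable domains of your own bank, employer, etc.
TRUSTED_DOMAINS = {"examplebank.com"}

# Maximum edit distance at which a domain label is treated as a lookalike
# (assumption chosen for the example; tune for your own list).
LOOKALIKE_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of a hostname.

    Simplification: assumes the registrable domain is always two labels
    (examplebank.com). Use the Public Suffix List for co.uk-style suffixes.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'trusted', 'unknown', or 'suspicious:<reason>' for a link."""
    parts = urlsplit(url)
    if parts.username is not None:
        # https://examplebank.com@evil.net/ -> the real host is evil.net
        return "suspicious:userinfo before host"
    host = parts.hostname  # strips user:pass@ and :port, lowercases
    if host is None:
        return "suspicious:no host"
    if parts.scheme not in ("http", "https"):
        return "suspicious:scheme " + parts.scheme
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalized label; may render as a homoglyph of a trusted name
        return "suspicious:punycode label"

    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"

    first_label = reg.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        trusted_name = trusted.split(".")[0]
        # Trusted name buried as a subdomain (examplebank.com.evil.net),
        # with a swapped TLD (examplebank.net), or misspelled by a character
        # or two (examp1ebank.com).
        if trusted_name in host or edit_distance(first_label, trusted_name) <= LOOKALIKE_DISTANCE:
            return "suspicious:looks like " + trusted
    return "unknown"


# Constructed sample links, as they might appear in a phishing email.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",
    "http://examplebank.com.evil.net/login",
    "https://examplebank.net/",
    "https://examplebank.com@evil.net/",
    "https://examp1ebank.com/",
    "https://xn--examplebank-abc.com/",
    "https://unrelated.net/",
]


def triage(urls):
    """Classify every link and return {url: verdict}."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:40s} {link}")
```

Run it on the links from a suspicious message; anything other than `trusted` deserves the manual verification described above (call the company using a number you already have) before you type a password.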

If you believe you have been victimized, consider reporting the attack to the police and filing a report with the Federal Trade Commission (