Monday, June 1, 2009

Phishing - Don't Be A Victim

"Phishing" is a form of social engineering. Phishing attacks use email, malicious web sites or even your telephone to solicit sensitive information such as usernames, passwords and credit card details. Whether by telephone or online, phishers masquerade as a trustworthy source, such as your employer, your bank or your credit card company. When the target of these scams responds with the requested information, the attacker can use it to gain access to the victim's accounts. When phishing is done online, a victim may be tricked into opening email attachments that contain malicious software or into visiting innocent-looking web sites that are designed to put malware on the victim's computer. Malware is a term used to describe a wide variety of software designed to infect your computer and steal your information.

Attackers may employ a highly targeted phishing attack known as "spear phishing". In a spear phishing attack, the emails sent to potential victims contain enough personal or organizational information to make them appear legitimate and genuine. These emails target a smaller pool of potential victims, so the likelihood of a victim falling for the scam is greater. The attacks are designed to acquire information that will allow the attacker to gain access to other computer systems or even an entire network.

General Precautions:
  • DO NOT trust unsolicited emails that ask for personal or sensitive information.
  • DO NOT click links in unsolicited email messages.
  • Treat ALL email attachments with caution.
  • Pay attention to the address of a website. Malicious websites may look identical to a legitimate site, but the address may use a variation in spelling or a different domain.
  • NEVER reveal personal or financial information in a response to an email request, no matter who appears to have sent it. Legitimate organizations don't ask for this information via email.
  • NEVER reveal personal information, financial information, or information about your computer credentials at work in a response to a telephone call without verifying the legitimacy of the call.
  • If you receive an email message that appears to be from a legitimate source but is suspicious, call the person or organization listed in the From line before you respond to the message or open any attached files. Do not use any phone number listed in the email. Call a known legitimate number, such as one found in Outlook, the phone book, on your account statements, or on the back of your credit card. Area codes in phishing messages can be misleading. Some scammers send an email that appears to be from a legitimate business and ask you to call a phone number to update your account or access a "refund". Because they use internet-based telephony, the area code you call does not necessarily reflect where the scammers really are.
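The precaution about website addresses above (spelling variations and different domains) is the one that can be partly automated on the mail-gateway or help-desk side. The following is an added example, not code from this post: it pulls the links out of a message body and flags hosts that are a near-misspelling of a trusted domain, that bury a trusted name inside a subdomain of some other domain, or that are a raw IP address. The trusted-domain list and the sample message are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels; a production checker would consult the Public Suffix List so that names like co.uk are handled).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (assumption): the domains the organization really uses.
TRUSTED_DOMAINS = ("examplebank.com", "example.com")

# Finds http/https links in plain-text message bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def registrable_domain(host: str) -> str:
    """Naive 'registrable domain': the last two labels of the hostname.
    Simplification (assumption): real code would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def classify_url(url: str) -> str:
    """Return 'trusted', 'unknown domain', or a 'suspicious: ...' verdict."""
    host = urlparse(url).hostname or ""
    # Legitimate organizations rarely send customers to a bare IP address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspicious: raw IP address"
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a subdomain of an unrelated domain
    # (e.g. examplebank.com.account-verify.example).
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and reg != trusted:
            return f"suspicious: '{trusted}' used as subdomain of {reg}"
    # A spelling variation: within two edits of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= 2:
            return f"suspicious: look-alike of {trusted}"
    return "unknown domain"

def scan_message(body: str) -> list:
    """Classify every link in a message body; returns (url, verdict) pairs."""
    return [(url, classify_url(url)) for url in URL_RE.findall(body)]

# Constructed sample phishing message for demonstration only.
SAMPLE_MESSAGE = """Dear customer, your account has been locked.
Please confirm your details at http://examp1ebank.com/verify within 24 hours.
Or visit https://examplebank.com.account-verify.example/login
Regards, Security Team"""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{verdict:60s} {url}")
```

Running it prints one line per link; both links in the constructed sample are flagged, the first as a look-alike of examplebank.com and the second for hiding the trusted name inside another domain. A verdict of "unknown domain" is not a clean bill of health; it only means the host is not close to anything on the allowlist, which is exactly the case where the advice above (call a known number, do not click) still applies.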