Phishing
A technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from a legitimate retailer, bank, organization, or government agency. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card or bank account details. These emails can look authentic with company logos and banners copied from Web sites.
Identity theft
One of the fastest-growing types of financial fraud. Without stealing your wallet, a crook can steal your financial identity with as little information as your social security number. Identity theft involves crooks’ assuming your identity by applying for credit, running up huge bills and stiffing creditors – all in your name.
Social engineering
Using human interaction (social skills) to obtain or compromise sensitive information about an individual or an organization. This social engineering could be used to gather personal information on you or other family members. An attacker may seem unassuming and respectable. They may even offer “credentials” to support their identity. By asking seemingly harmless questions, they may be able to piece together enough information to steal your identity or to infiltrate your computer.
Avoiding Social Engineering and Phishing Attacks
Phishing is a form of social engineering. Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. For example, an attacker may send email seemingly from a reputable credit card company or financial institution such as Montgomery Bank. In this email they will request account information, often suggesting that there is a problem. When users respond with the requested information, attackers can use it to gain access to the accounts. It is important to note: MONTGOMERY BANK WILL NEVER ASK FOR PERSONAL INFORMATION IN AN EMAIL OR PHONE CALL TO YOU!
Phishing attacks may also appear to come from other types of organizations, such as charities. Attackers often take advantage of current events and certain times of the year.
- natural disasters (i.e., Hurricane Katrina, Indonesian tsunami, Joplin tornado)
- epidemics and health scares (i.e., H1N1)
- economic concerns (i.e., IRS scams)
- major political elections
- holidays
How do you avoid being a victim?
Do not give sensitive information to anyone unless you are absolutely sure that they are indeed who they claim to be and that they should have access to the information.
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company. Do not provide personal information unless you are absolutely certain of a person’s authority to have the information. Do not reveal personal or financial information in an email and do not respond to email solicitations for this information. This includes following links sent in email. Don’t send sensitive information over the Internet before checking a website’s security (see Protecting Your Privacy for more information). Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a slight variation in spelling or a different domain (i.e., .com vs. .net). If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
Device Protection
Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic over your personal computers. (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information). Take advantage of any anti-phishing features offered by your email client and web browser.
What do you do if you think you are a victim?
If you believe your personal financial accounts may be compromised, contact your financial institution such as Montgomery Bank immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account. Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.
Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).
Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).
Used with permission and available at http://www.us-cert.gov/, the United States Computer Emergency Readiness Team, a service of the U.S. Department of Homeland Security.