That smartphone in your pocket – or your tablet or laptop – contains significant information about you and your friends and family, including contact numbers, photos and locations. Your mobile devices need to be protected. Take the following security precautions and enjoy the conveniences of technology with peace of mind while you are on the go.
Original Author: Stay Safe Online
It’s no secret that the technology we use can make us a target for malware and cyber attacks if it is not secured properly. No manual comes with a phone to teach the user mobile security, and threats keep evolving and adjusting to our habits. Here are 8 tips to help you keep your devices safe:
One obvious threat is having your device stolen, which could give the thief complete access to your personal information. To limit the damage, set a screen lock. Whether this is a passcode, pattern, fingerprint or face recognition is up to you and your device’s capabilities, but note that an unlock pattern is the weakest of these (it is short and often visible as a smudge on the glass), and that fingerprint and face unlock still fall back to the passcode, so the passcode needs to be strong in its own right: at least six digits, or better, an alphanumeric one.
When enabling a lock screen you’ll have the option to choose how long the phone can be idle before locking. Choose a short interval. This protects you by engaging the lock automatically even if you forget to lock the device yourself, and it saves battery because the screen goes dark after the set time.
Setting strong passwords on your apps will make it harder for a hacker to guess them. It’s also suggested to set a different password for each app. This way if one password is discovered, the hacker won’t have access to all your information.
Not only are personal devices a concern, but professional devices are at risk as well. According to the Verizon Mobile Security Index 2018 Report, only 39% of mobile device users in enterprises change all default passwords and only 38% use strong two-factor authentication on their mobile devices. Having weak passwords can put an entire organization at risk.
Mobile phone operating system updates are intended to improve your experience. This could entail anything from performance to security. Although they happen frequently and users tend to click through quickly or ask the device to remind them in the future, it’s important to stay up to date with these. These updates can protect both iOS and Android devices from newly discovered threats. To check if your phone’s OS is up to date, go to “about phone” or “general” and click “system updates” or “software update.”
The beauty of mobile devices is that we can access the internet anywhere and everywhere we go. One of the first things we do at a restaurant or friend’s house is search for wifi. While free wifi can save us on data, it’s important to be wary of unsecured networks.
To stay safer on public Wi-Fi, connect through a virtual private network (VPN). A VPN encrypts all traffic between your device and the VPN provider’s server, so the hotspot operator and anyone else on the network cannot read or tamper with it, and the sites you visit see the VPN’s address rather than yours and your approximate location. It is not a cloak of invisibility: the VPN provider sees everything the hotspot would have seen, so choose a provider you trust, and keep using HTTPS regardless.
When you are downloading apps, be sure to download them from the official app stores and check reviews. Cybercriminals create rogue mobile apps that mimic trusted brands in order to obtain users’ confidential information. To avoid this trap, be sure to look at the number of reviews, last update and contact information of the organization.
Jailbreaking (iOS) or rooting (Android) your phone means removing the safeguards the manufacturer put in place, such as the app sandbox and the restriction to vetted app stores, so that you can run anything you want. It may be tempting to do this to install apps from stores other than the official ones, but it puts you at high risk: apps from those stores have not been vetted, and on a jailbroken or rooted device a malicious app can obtain privileges the platform would otherwise deny it and steal your information. It can also interfere with system updates and cause banking apps that check device integrity to refuse to run.
Your smartphone holds a lot of data. If it’s lost or stolen, your emails, contacts, financial information and more can be at risk. To protect that data, make sure it is encrypted. Encrypted data is stored in an unreadable form that can only be unlocked with your passcode, so a thief who bypasses the lock screen by reading the storage directly still gets nothing useful.
Most phones expose encryption settings in the security menu. On iOS, storage encryption is turned on automatically as soon as you set a passcode. To confirm, open Settings, tap “Touch ID & Passcode” (“Face ID & Passcode” on newer devices), enter your passcode, and scroll to the bottom of the page, where it should say “Data Protection is enabled.”
On Android, devices shipped with recent versions are encrypted out of the box and show no “Encrypt phone” option; Settings > Security then simply reports the device as Encrypted. Older devices must be encrypted manually: charge the phone to at least 80%, unroot it if it is rooted, then go to “Security” and choose “Encrypt Phone.” Do not interrupt the process, which can take an hour or more; a dead battery, a rooted system or an interruption partway through can leave you with a wiped device.
You’ve probably heard of anti-virus programs for laptops and desktop computers, but your handheld computers can benefit from them too. These programs can detect known malware and flag phishing links and malicious apps. Some products include a VPN feature as well.
Smartphones are pocket-sized computers that can hold all your important data and personal information. Keeping these mobile security tips in mind will help you protect your device.
Original Author: Panda Security
A phishing scam is a type of fraud that can come in many different forms. These scams not only employ various online techniques such as fake emails and pop-up ads but can also include phone calls. The people behind these scams often use fear tactics in order to get their victims to take the bait.
Phishing is essentially an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. They use spam, malicious websites, email messages, and instant messages to trick people into divulging sensitive information. Banking information, credit card accounts, usernames, and passwords are just some of the information phishers seek to exploit.
Since phishing scams are designed to appear as if they come from reliable sources, it is smart to know the difference between real and fraudulent messages and how to spot some of the clues that a message may be a scam. Here is a list of five common phishing scams and ways to help protect yourself against falling for them.
1. Email phishing scams
An email phishing scam is a fraudulent email message that appears to be from a person or company known to the victim. It attempts to illegally gather personal and/or financial information from the recipient.
A phishing message typically includes at least one link to a fake website, designed to mimic the site of a legitimate business. The message entices the recipient to provide information that could be used for identity theft or online financial theft.
How to help protect yourself against email phishing scams:
2. Vishing scams
Vishing (voice or VoIP phishing) is the voice version of email phishing. “V” stands for voice, but otherwise, the scam attempt is the same. It is a phone scam in which individuals are tricked or scared into handing over valuable financial or personal information to scammers.
How to help protect yourself against vishing scams:
3. Tech support cold call scams
Tech support cold calls are when a scammer calls a potential victim claiming to be from a reputable security company. They lie and say they found malware on the victim’s computer.
The criminal pretends to offer a solution by getting the user to install a type of remote desktop software. This allows the attacker access to the computer in order to install real malware. In addition to attempting to install malware on the machine, these scammers will often ask for a fee to “fix” the issue.
How to help protect yourself against tech support call scams:
4. Pop-up warning scams
Pop-ups occur when someone is browsing the internet and sees a small graphic or ad appear on their screen. Usually, pop-ups are related to the content being viewed and link to another website with similar content or merchandise related to the content.
Malicious pop-ups can be terribly intrusive, making it difficult for the user to close the pop-up window. These pop-ups may display a message stating that the computer is infected with malware and offer a phone number for help with removing the malware. Often, the cybercriminals make pop-ups look like they come from a trusted source, such as our own Norton products, in hopes of appearing to be legitimate.
How to help protect yourself against pop-up scams:
5. Fake search results scams
Fraudulent companies frequently use paid search ads for their “support services” as if they were legitimate, well-known companies. These paid listings can appear at the top of a search results page, a prime location. These results, which can look like the real thing, can promise support offers that seem too good to be true in hopes of luring in a victim, whose top concern is to fix their computer. Unfortunately, when you click on the ad, malware may begin to download to your device, compromising the security of your information and adding to your computer woes.
How to help protect yourself against fake search results scams:
If you think you’ve been the victim of a phishing scam:
Original Author: NortonLifeLock Employee
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.
The following illustrates a common phishing scam attempt:
Several things can occur by clicking the link. For example:
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com: the real domain (myuniversity.edu) has become the first label of a longer name the attacker registered (edurenewal.com). Similarities between the two addresses give the impression of a legitimate link, making the recipient less aware that an attack is taking place.
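A worked check for the pattern just described, added here as an example (it is not part of Imperva's article): given the domain a message claims to come from and the URL it actually links to, classify the link. myuniversity.edu is the article's own example; the other hosts, the tiny public-suffix table and the confusable-character map are constructed for the demo, and a real deployment would use the full Public Suffix List and Unicode confusables table.

```python
"""Classify a link by how its host relates to the domain the message
claims to be from.  Added example, not part of the original article:
myuniversity.edu is the article's example, the other hosts are
constructed, and the suffix and confusable tables are deliberately
small (a real check would use the Public Suffix List and a full
confusables table)."""
from urllib.parse import urlsplit

# Assumption: only these multi-label public suffixes matter here.
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.za"}

# A few characters attackers substitute for Latin letters (constructed,
# not exhaustive): digits that look like letters and Cyrillic look-alikes.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname (eTLD+1)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected_domain: str) -> str:
    """Return 'ok', 'unrelated: ...' or a 'lookalike: ...' reason."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "suspicious: URL has no host"
    expected = expected_domain.lower()
    reg = registrable_domain(host)
    if reg == expected:
        return "ok"                      # renewal.myuniversity.edu is fine
    # myuniversity.edu.evil.example: real name used as a subdomain elsewhere
    if host.startswith(expected + ".") or ("." + expected + ".") in host:
        return f"lookalike: '{expected}' is a subdomain of {reg}"
    # myuniversity.edurenewal.com: real name glued into a longer label
    if expected.replace(".", "") in host.replace(".", ""):
        return f"lookalike: '{expected}' embedded in {reg}"
    # myunivеrsity.edu (Cyrillic е) or myun1versity.edu: confusable characters
    folded = reg.translate(CONFUSABLES)
    if folded == expected:
        return f"lookalike: confusable characters in {reg}"
    # myunversity.edu: one or two characters off
    if edit_distance(folded, expected) <= 2:
        return f"lookalike: typosquat of '{expected}' ({reg})"
    return f"unrelated: {reg}"
```

The order of the checks matters: the registrable-domain comparison comes first so that genuine subdomains of the real site pass, and only then are the cheaper "looks similar" heuristics applied, each of which would otherwise produce false positives on legitimate hosts.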
Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.
An attack might play out as follows:
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.
Phishing attack protection requires steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:
Original Author: Imperva
Phishing is the fraudulent use of electronic communications to deceive and take advantage of users. Phishing attacks attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more. By posing as a legitimate individual or institution via phone or email, cyber attackers use social engineering to manipulate victims into performing specific actions—like clicking on a malicious link or attachment—or willfully divulging confidential information.
Both individuals and organizations are at risk; almost any kind of personal or organizational data can be valuable, whether it be to commit fraud or access an organization’s network. In addition, some phishing scams can target organizational data in order to support espionage efforts or state-backed spying on opposition groups.
Phishing attempts most often begin with an email attempting to obtain sensitive information through some user interaction, such as clicking on a malicious link or downloading an infected attachment.
Phishing scams can also employ phone calls, text messages, and social media tools to trick victims into providing sensitive information.
Some specific types of phishing scams use more targeted methods to attack certain individuals or organizations.
Spear phishing email messages won’t look as random as more general phishing attempts. Attackers will often gather information about their targets to fill emails with more authentic context. Some attackers even hijack business email communications and create highly customized messages.
In clone phishing, attackers take a legitimate, previously delivered email message, make a nearly identical copy of it (the “clone”), and then change an attachment or link to something malicious before resending it.
Whaling specifically targets high profile and/or senior executives in an organization. The content of a whaling attempt will often present as a legal communication or other high-level executive business.
Organizations should educate employees to prevent phishing attacks, particularly how to recognize suspicious emails, links, and attachments. Cyber attackers are always refining their techniques, so continued education is imperative.
Some tell-tale signs of a phishing email include:
Additional technical security measures can include:
Original Author: Forcepoint
Phishing is a method of deceitfully obtaining personal information such as passwords, identity numbers and credit card details, and sometimes, indirectly, money. Essentially, it is an online con game, and phishers are nothing more than tech-savvy con artists and identity thieves. A phisher might call you or send e-mails that appear to come from trusted sources such as banks, other financial institutions or legitimate companies. An e-mail may direct you to click a link to a website where you are asked to update personal information such as passwords, credit card details, social security number or bank account number. This fake website is specifically designed for information theft.
One of the most common forms of phishing is spear phishing, a more targeted version in which an e-mail is crafted for a specific individual. Spear phishing often has a high success rate because a tailored, low-volume message slips past defences tuned to bulk spam, and because the link or attachment it carries may exploit unpatched software on the recipient’s machine.
Spam, fake websites and other techniques are used to trick people into divulging sensitive information, such as bank and credit card account details. Once they have captured enough victims’ information, phishers either use it themselves to defraud the victims (e.g., by opening new accounts in the victim’s name or draining the victim’s bank accounts) or sell it on the black market for a profit.
How to spot a phishing attack:
Generic greeting – Phishing emails are usually sent in large batches, so phishers use generic salutations such as “Dear First Generic Bank Customer”. If you do not see your name, be suspicious.
Forged links – Even if a link contains a name you recognise, it does not mean it points to the real website. Hover over the link and compare the destination your mail client shows with the address printed in the email. If they do not match, do not click.
Requests for personal information – The point of a phishing email is to trick you into providing your personal information. A legitimate institution does not ask for it by email; if you receive such a request, it is probably a phishing attempt.
Sense of urgency – Cybercriminals want you to hand over your personal information now, before you have time to check.
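The hover-and-compare check above, done programmatically. This is an added example, not part of the original article: it parses an HTML message body, pairs each link's visible text with its real href, and flags any link whose displayed domain differs from the destination. SAMPLE_EMAIL is a constructed message using reserved example domains.

```python
"""Detect "forged links": anchors whose visible text names one site while
the href points at another.  Added example, not from the original
article; SAMPLE_EMAIL is a constructed message and the domains are
reserved example names."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Something that looks like a web address in the visible link text.
SHOWN_DOMAIN = re.compile(
    r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I
)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def all_links(html: str) -> list:
    """Every link in the message, for manual review ('Click here' included)."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def forged_links(html: str) -> list:
    """Return (shown text, real href) for links whose displayed domain
    is neither the href's domain nor a parent of it."""
    findings = []
    for text, href in all_links(html):
        match = SHOWN_DOMAIN.search(text)
        if not match:
            continue                     # "Click here": nothing to compare
        shown = match.group(1).lower()
        real = (urlsplit(href).hostname or "").lower()
        if real != shown and not real.endswith("." + shown):
            findings.append((text, href))
    return findings


# Constructed sample: one forged link, one honest link, one opaque link.
SAMPLE_EMAIL = """
<p>Dear First Generic Bank Customer,</p>
<p>Your account will be locked in 24 hours. Verify it at
<a href="http://secure-login.example.net/bank">https://www.bank.example/login</a>
or read the notice at <a href="https://www.bank.example/help">www.bank.example/help</a>.</p>
<p><a href="http://secure-login.example.net/x">Click here</a> to unsubscribe.</p>
"""
```

Links with opaque text ("Click here") cannot be judged this way, which is why all_links is exposed separately: the same message that forges one address usually hides the rest behind such text, and a reviewer still has to look at where each one goes.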
The most effective defence against phishing attacks is prevention. To prevent, or at least cut down on, phishing attacks:
Avoid providing personally identifiable information to strangers or unknown websites, replying to unknown numbers, and so on.
Always type in the full URL of the website yourself. Do not follow links from another website or from an email.
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organisation, verify his or her identity directly with the company.
Do not provide personal information or information about your organisation, including its structure or networks, unless you are certain of a person’s authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information, including by following links sent in emails.
Don’t send sensitive information over the Internet before checking that the site uses HTTPS and that the certificate is issued to the organisation you expect.
Pay attention to the URL of a website. A malicious website may look identical to the legitimate one, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
Never use contact information provided on a website connected to the request; instead, check previous statements for contact information.
Install and maintain antivirus software, firewalls, and email filters to reduce some of this traffic.
Take advantage of any anti-phishing features offered by your email client and web browser.
If you have already responded to a phishing attempt:
Immediately change any passwords you might have revealed. If you used the same password for multiple resources, change it for each account, and do not use that password again.
Ask the hosting company to take down the fraudulent website.
Consider reporting the attack to the police, and file a report with the Cybersecurity Hub Phishing Department.
Original Author: South African National Cybersecurity Awareness Portal
This article looks specifically at how individual users and businesses can use passwords to improve their cyber security.
Passwords, when used correctly, are an extremely simple and effective way to protect data and IT systems from unauthorised access. However, many individuals continue to use passwords in a way which exposes them to risk, and IT policies do not always encourage better user behaviour.
This article summarises some simple ideas for individuals and businesses to improve their use of passwords and prevent them being cracked.
There are a number of methods criminals can employ to crack passwords, including:
These methods help to highlight some basic precautions which users can take to protect themselves.
A key recommendation is to use a strong, non-predictable password. What makes a good password (and what doesn’t) is discussed further below.
It is also important not to use the same password for everything. Different websites have different levels of security; if you use the same password everywhere, a criminal could crack it on a low-security site and use it to access important information on higher-security sites.
On average, users reuse the same password across four different sites. Ideally, you should have a different password for every site and system you access, but it can be difficult to remember that many passwords in practice.
As a minimum, use a different password for the most sensitive sites you visit, such as email, online banking, and any other site that holds confidential or financial information. Some people build a system instead, for example a complex core password with letters or numbers related to the website name added to it. Be aware that this is only marginally better than straight reuse: anyone who obtains one such password from a breached site can see the pattern and derive the others, and password-cracking tools apply exactly this kind of variation rule. A password manager, which generates and stores a unique password for each site, avoids the problem altogether.
Other recommendations for individuals include:
The main thing is to avoid using predictable passwords. Passwords should be easy to remember, but hard for somebody else to guess. The National Cyber Security Centre (NCSC) recommends that a good rule is to make sure that somebody who knows you well couldn’t guess your password in 20 attempts.
Passwords that are easily cracked tend to include:
The most common passwords include 123456, password, 12345678, qwerty, 12345 and football.
Strong passwords will:
Very long and complex passwords are often viewed as being the strongest, but this is often not the case in practice. Such passwords are hard to remember and this can lead to people using coping mechanisms (such as writing passwords down or using the same password multiple times) which, ironically, make them more vulnerable to cyber criminals.
The NCSC, in conjunction with Cyber Aware, advises that an easy way to create a secure password is to use three random words – for example coffeetrainfish or walltinshirt. The words you pick can be memorable, but shouldn’t be easy to guess (i.e. onetwothree) or too personal (e.g. pet names, children’s names).
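An added example (not from the original article, and not an NCSC tool) that turns the advice above into a check: it screens a candidate password for the predictable patterns listed on this page and computes the guess space of a random-word passphrase, so the three-random-words approach can be compared with a short "complex" password. The common-password list contains only the six entries named above; a real check would load a full breached-password list.

```python
"""Screen a candidate password for the predictable patterns listed in the
article, and size the guess space of a three-random-word passphrase.
Added example, not part of the original article.  COMMON_PASSWORDS
holds only the six entries the article names; a real check loads a
full breached-password list."""
import math
import re

COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345", "football"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def base_word(pw: str) -> str:
    """Lower-case and strip the trailing digits/symbols people bolt on to
    satisfy complexity rules: 'Password1!' -> 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_keyboard_walk(s: str) -> bool:
    """True for runs along a keyboard row in either direction ('qwerty', '0987')."""
    return len(s) >= 4 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def predictable_reasons(pw: str, personal_terms=()) -> list:
    """Return the reasons a password is predictable (empty list: none found).
    personal_terms are things someone who knows you could guess: pet names,
    children's names, birth years, team names."""
    reasons = []
    base = base_word(pw)
    if len(pw) < 8:
        reasons.append("too short")
    if pw.isdigit():
        reasons.append("digits only")
    if base in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password list")
    if is_keyboard_walk(base) or is_keyboard_walk(pw.lower()):
        reasons.append("keyboard walk")
    if len(pw) >= 4 and len(set(pw.lower())) <= 2:
        reasons.append("repeated characters")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in pw.lower():
            reasons.append(f"contains personal detail '{term}'")
    return reasons


def guess_space_bits(choices_per_position: int, positions: int) -> float:
    """log2 of the number of equally likely passwords: positions random
    picks from choices_per_position options each.  For a passphrase the
    'position' is a word and the 'choices' the vocabulary size."""
    return positions * math.log2(choices_per_position)
```

Three words drawn at random from a 20,000-word vocabulary give about 43 bits, comparable to a seven-character string of random letters and digits (about 42 bits); that is the NCSC's point: similar strength, far easier to remember. The comparison only holds if the words really are random. A phrase someone who knows you could guess (onetwothree, or the pet names the article warns about) has a guess space of a few dozen, not 2^43, which is what the 20-attempts rule above is testing for.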
It is important for businesses to ensure that their staff use passwords effectively to protect IT systems and data.
However, you need to be careful that IT policies do not lead to users having password overload. The average UK citizen has 22 online passwords which they need to remember, so enforcing passwords where they are not needed should be avoided.
Businesses can also help their staff cope by:
The NCSC no longer recommends requiring users to change passwords frequently, or requiring them to have several different complex passwords. The cost of forcing users to regularly change passwords outweighs any protection it may give – staff often end up using weaker passwords as a result, making only minor changes to previous passwords or having to ask for a password reset more frequently. Instead, the NCSC recommend asking staff to concentrate on:
Other measures which businesses can take to increase security include:
Original Author: ATT
The 2016 Verizon Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords. A password management service is a third-party solution that helps organizations mitigate this risk: each user protects a vault of unique, generated passwords with a single master password.
Nearly 75% of online users depend on a single password across all their accounts. Stealing a user’s credentials is the easiest way for attackers to open the doors to your network, and poor password practices can put a savvy attacker one move away from doing just that.
You and your other users may think it’s clever to use a loved one’s birthday or other personal information as a password. But in reality, these passwords can be easily guessed and stolen. Meanwhile, we all know how frustrating it is to constantly create and remember new passwords, and how difficult it is to compel your team to do this when they’re busy handling other key responsibilities.
There are countless articles and tips on how to create the perfect password. But rather than giving this crucial task to each individual user, implement a password manager that does the heavy lifting for you.
A password manager is a third-party tool that lets each user unlock a personal vault of credentials with a single master password. Once a user has unlocked the vault, access to individual systems is governed by the permissions administrators have assigned and by what the manager shares with that user. Using a password manager removes the need for users to keep track of multiple passwords or to invent ones that are easy to guess. Users exchange the time spent entering, recalling or changing many passwords for one password they must protect well.
How and where the vault is stored depends on the product, which is important information to know when choosing one. Commonly the vault is kept in a local database or in the vendor’s cloud, encrypted with a key derived from the user’s master password; in a sound (“zero-knowledge”) design neither the vendor nor your own administrators can decrypt it without that master password, so check whether that is the case.
When password management is first rolled out, all current passwords are entered into the system. If, for example, a user has an existing password for his email, that password is stored in the vault. The next time he logs in to his email, he enters only the master password, and the password manager retrieves and fills in the stored email password. When a new password is needed, the manager generates a long random one and stores it, so the user never has to invent one and an attacker has no realistic chance of guessing it. Users can open the vault with the master password on their smartphones, home devices or on the go, a major perk for today’s increasingly global workforce, and the process is even simpler when the password manager is installed as a browser plug-in.
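To make the mechanics concrete, here is a toy vault written for this page; it is an added example, not any vendor's product. It assumes scrypt for stretching the master password and, because Python's standard library has no authenticated cipher, builds one from HMAC-SHA256 (a counter-mode keystream plus an encrypt-then-MAC tag) as a stand-in for the vetted AEAD, such as AES-GCM, a real manager would use. Only the salt and the encrypted blob would ever be stored or synced.

```python
"""A toy password vault showing the mechanics the article describes: a
master password unlocks an encrypted store of unique, generated
passwords.  Added example, not any vendor's code.  Assumptions: scrypt
for key stretching (hashlib.scrypt, OpenSSL-backed); because the Python
standard library has no AEAD cipher, encryption is HMAC-SHA256 used as
a counter-mode keystream plus an encrypt-then-MAC tag, standing in for
the AES-GCM or similar a real manager would use."""
import hashlib
import hmac
import json
import secrets
import string

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def derive_keys(master: str, salt: bytes):
    """Stretch the master password (slow, memory-hard) and split the
    result into separate encryption and MAC keys."""
    km = hashlib.scrypt(master.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, with the tag over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first (constant-time compare), then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = 20) -> str:
    """A random password from a CSPRNG; 20 chars of this 74-symbol alphabet is ~124 bits."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class Vault:
    """Only the salt and the encrypted blob need to be stored; nothing in
    them is useful without the master password."""

    def __init__(self, master: str):
        self.salt = secrets.token_bytes(16)
        enc, mac = derive_keys(master, self.salt)
        self.blob = encrypt(enc, mac, b"{}")

    def _open(self, master: str):
        enc, mac = derive_keys(master, self.salt)
        return enc, mac, json.loads(decrypt(enc, mac, self.blob))

    def add(self, master: str, site: str, password=None) -> str:
        """Store an existing password, or generate a fresh unique one."""
        enc, mac, entries = self._open(master)
        entries[site] = password or generate_password()
        self.blob = encrypt(enc, mac, json.dumps(entries).encode())
        return entries[site]

    def get(self, master: str, site: str) -> str:
        return self._open(master)[2][site]
```

Two properties are worth noticing. A wrong master password does not yield garbage, it fails the tag check outright, and so does any edit to the stored blob; and the master password itself is never stored, only a random salt, so the vault file on its own gives an attacker nothing but an offline guessing problem that scrypt makes slow.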
Administrators do not need to be tech-savvy to use and make changes to the password manager. Most interfaces are designed to be user-friendly, and the vendor’s support staff can guide administrators through tasks such as resetting a user’s master password or restricting what is shared.
But password creation isn’t all that a password manager does. It’s only the beginning. A password manager can also help your organization:
A password manager reduces the time and effort of keeping your network safe. If you’re not using one yet, it’s time to explore how this tool can help your users reach everything they need to be productive, without the burden of inventing and remembering many strong passwords.
Original Author: OBT
Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.
What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.
Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are the five most common forms of digital social engineering assaults.
As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.
Victims pick up the bait out of curiosity, insert it into a work or home computer and open what is on it, which installs the malware (on older systems with autorun enabled, simply inserting the drive was enough).
Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.
Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived to think their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.
A common scareware example is the legitimate-looking popup banners appearing in your browser while surfing the web, displaying such text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or will direct you to a malicious site where your computer becomes infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.
Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.
All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.
As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.
Because identical or near-identical messages go to every recipient of a phishing campaign, mail servers with access to threat-sharing platforms can detect and block them far more easily: once one copy has been reported, its indicators (sending address, links, attachment hashes, a fingerprint of the body) identify the rest.
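An added example (not from the original article) of the kind of matching this enables: normalise each message body to strip what a campaign varies per recipient, fingerprint it, and cluster near-duplicates. The four messages are constructed; the normalisation rules are a simple stand-in for the fuzzy hashes (ssdeep, TLSH) that production systems share.

```python
"""Fingerprint and cluster near-identical phishing messages, the way a
mail server can match incoming mail against indicators shared on a
threat-sharing platform.  Added example, not from the original article;
the four messages below are constructed, and the normalisation rules are
a deliberately simple stand-in for a production fuzzy hash (ssdeep, TLSH)."""
import hashlib
import re


def normalize(body: str) -> str:
    """Strip the parts a campaign varies per recipient: the greeting,
    links (each victim often gets a unique URL), ticket numbers and deadlines."""
    text = body.lower()
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\b\d[\d,.:/-]*\b", "<num>", text)
    text = re.sub(r"dear [a-z .'-]+,", "dear <name>,", text)
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(body: str) -> str:
    """Shareable indicator: exact match on the normalised body."""
    return hashlib.sha256(normalize(body).encode()).hexdigest()[:16]


def shingles(text: str, k: int = 3) -> set:
    """Word k-grams of a normalised body."""
    words = text.split()
    return {" ".join(words[i:i + k]) for i in range(max(1, len(words) - k + 1))}


def similarity(a: str, b: str) -> float:
    """Jaccard similarity of word 3-grams; survives small edits to the template."""
    sa, sb = shingles(normalize(a)), shingles(normalize(b))
    return len(sa & sb) / len(sa | sb)


def cluster(messages, threshold: float = 0.7):
    """Greedy clustering: a message joins the first cluster whose seed it
    matches exactly (same fingerprint) or resembles (similarity >= threshold)."""
    clusters = []
    for msg in messages:
        for members in clusters:
            seed = members[0]
            if fingerprint(msg) == fingerprint(seed) or similarity(msg, seed) >= threshold:
                members.append(msg)
                break
        else:
            clusters.append([msg])
    return clusters


# Constructed sample: three copies of one campaign (the third lightly
# reworded) and one unrelated internal message.
SAMPLE_MESSAGES = [
    "Dear Alice Smith, your mailbox exceeded its quota (ticket 48213). "
    "Verify within 24 hours at http://mail-quota.example.net/a1 or lose access.",
    "Dear Bob Jones, your mailbox exceeded its quota (ticket 48299). "
    "Verify within 24 hours at http://mail-quota.example.net/b7 or lose access.",
    "Dear Carol, your mailbox has exceeded its quota (ticket 48301). "
    "Verify within 12 hours at http://quota-check.example.org/c2 or lose access.",
    "Hi team, the Q3 planning meeting moves to Thursday; agenda attached.",
]
```

The exact fingerprint is what you would publish to a sharing platform, since it is cheap to compare and reveals nothing about the message; the shingle similarity is the local fallback that still catches the reworded copy, at the cost of a threshold that needs tuning against your own mail to avoid lumping legitimate templated notifications together.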
This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks or months to pull off. Such attacks are much harder to detect and have better success rates if done skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
Social engineers manipulate human feelings, such as curiosity or fear, to carry out schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital realm.
Moreover, the following tips can help improve your vigilance in relation to social engineering hacks.
Social engineering is the art of manipulating people so that they give up confidential information. The types of information these criminals are seeking can vary, but when individuals are targeted the criminals are usually trying to trick you into giving them your passwords or bank information, or into giving them access to your computer so they can secretly install malicious software that will give them access to your passwords and bank information as well as control over your computer.
Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software. For example, it is much easier to fool someone into giving you their password than it is for you to try hacking their password (unless the password is really weak).
Security is all about knowing who and what to trust. It is important to know when and when not to take a person at their word and when the person you are communicating with is who they say they are. The same is true of online interactions and website usage: when do you trust that the website you are using is legitimate or is safe to provide your information?
Ask any security professional and they will tell you that the weakest link in the security chain is the human who accepts a person or scenario at face value. It doesn’t matter how many locks and deadbolts are on your doors and windows, or if you have guard dogs, alarm systems, floodlights, fences with barbed wire, and armed security personnel; if you trust the person at the gate who says he is the pizza delivery guy and you let him in without first checking to see if he is legitimate, you are completely exposed to whatever risk he represents.
If a criminal manages to hack or socially engineer one person’s email password they have access to that person’s contact list–and because most people use one password everywhere, they probably have access to that person’s social networking contacts as well.
Once the criminal has that email account under their control, they send emails to all the person’s contacts or leave messages on all their friends’ social pages, and possibly on the pages of the person’s friends’ friends.
Phishing attacks are a subset of social engineering strategy that imitate a trusted source and concoct a seemingly logical scenario for handing over login credentials or other sensitive personal data. According to Webroot data, financial institutions represent the vast majority of impersonated companies and, according to Verizon's annual Data Breach Investigations Report, social engineering attacks including phishing and pretexting (see below) are responsible for 93% of successful data breaches.
These social engineering schemes know that if you dangle something people want, many people will take the bait. These schemes are often found on Peer-to-Peer sites offering a download of something like a hot new movie, or music. But the schemes are also found on social networking sites, malicious websites you find through search results, and so on.
Or, the scheme may show up as an amazingly great deal on classified sites, auction sites, and the like. To allay your suspicion, the seller can be seen to have a good rating (all planned and crafted ahead of time).
People who take the bait may be infected with malicious software that can generate any number of new exploits against themselves and their contacts, may lose their money without receiving their purchased item, and, if they were foolish enough to pay with a check, may find their bank account empty.
Criminals may pretend to be responding to your "request for help" from a company while also offering more help. They pick companies that millions of people use, such as a software company or bank. If you don’t use the product or service, you will ignore the email, phone call, or message, but if you do happen to use the service, there is a good chance you will respond because you probably do want help with a problem.
For example, even though you know you didn’t originally ask a question, you probably have a problem with your computer’s operating system and you seize on this opportunity to get it fixed. For free! The moment you respond you have bought the crook’s story, given them your trust and opened yourself up for exploitation.
The representative, who is actually a criminal, will need to "authenticate you", have you log into "their system" or have you log into your computer and either give them remote access to your computer so they can "fix" it for you, or tell you the commands so you can fix it yourself with their help, where some of the commands they tell you to enter will open a way for the criminal to get back into your computer later.
Some social engineering is all about creating distrust or starting conflicts; these attacks are often carried out by people you know and who are angry with you, but they are also done by nasty people just trying to wreak havoc, by people who want to first create distrust in your mind about others so they can then step in as a hero and gain your trust, or by extortionists who want to manipulate information and then threaten you with disclosure.
This form of social engineering often begins by gaining access to an email account or another communication account on an IM client, social network, chat, forum, etc. They accomplish this either by hacking, social engineering, or simply guessing really weak passwords.
There are literally thousands of variations to social engineering attacks. The only limit to the number of ways they can socially engineer users through this kind of exploit is the criminal’s imagination. And you may experience multiple forms of exploits in a single attack. Then the criminal is likely to sell your information to others so they too can run their exploits against you, your friends, your friends’ friends, and so on as criminals leverage people’s misplaced trust.
While phishing attacks are rampant, short-lived, and need only a few users to take the bait for a successful campaign, there are methods for protecting yourself. Most don't require much more than simply paying attention to the details in front of you. Keep the following in mind to avoid being phished yourself.
Original Author: Webroot