On this page we provide you with monthly tips from our security team to help you keep your personal, business and customers' information secure. This month we tell you about social engineering and its most common form of information fraud: phishing.
What is social engineering?
Social engineering refers to techniques employed by fraudsters to extract sensitive information from an individual, or to manipulate an individual into performing an action that subverts security. Very often, the sensitive information sought by such attacks consists of system or bank account passwords, personal customer or employee data, or credit card numbers.
There are various techniques employed, but one of the most common is phishing.
What is phishing?
Normally instigated via email, phishing attacks consist of messages that appear to come from a legitimate organisation and that require the victim to perform some action that discloses sensitive information. This usually takes the form of a warning to the victim that details must be updated on the organisation's website or some adverse action will occur (such as the victim's account being shut down). The warning is accompanied by a website link that takes the victim to the purported website. The trick is that the website is not legitimate and, although it appears to be valid with appropriate logos and company details, is actually a website designed to capture the sensitive information you would otherwise protect.
How do I protect myself from phishing?
Phishing emails have similar traits that you can use to identify them. Any emails received with the following traits should be treated as suspicious. If you receive such an email, simply forward it to firstname.lastname@example.org and then delete it from your inbox without responding.
- Generic greetings. Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "Worldpay Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.
- Forged links. Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if the address it points to matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" (the "s" stands for secure). If you don't see "https" do not proceed. Seeing "https" is not proof on its own that a site is genuine, because a fraudulent site can use it too, so check the address as well.
- Requests for personal information. The point of sending a phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt. Worldpay would NEVER legitimately send an email asking you to enter personal information.
- A sense of urgency. Internet criminals want you to provide your personal information NOW. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.