Social Engineering
In a social engineering attack, an attacker uses human interaction to manipulate a person into providing them information. People have a natural tendency to trust. Social engineering attacks attempt to exploit this tendency in order to steal your information. Once the information has been stolen it can be used to commit fraud or identity theft.
Criminals use a variety of social engineering attacks to attempt to steal information, including:
- Website Spoofing
- Phishing, Pharming, Vishing
- Spyware
- Dumpster Diving
The following sections explain the meaning of these common attacks and provide tips you can use to avoid being a victim.
Website Spoofing
Website spoofing is the act of creating a fake website to mislead individuals into sharing sensitive information. Spoof websites are typically made to look exactly like a legitimate website published by a trusted organization.
Prevention Tips:
- Pay attention to the web address (URL) of websites. A website may look legitimate, but the URL may have a variation in spelling or use a different domain.
- If you are suspicious of a website, close it and contact the company directly.
- Do not click links on social networking sites, pop-up windows, or non-trusted websites. Links can take you to a different website than their labels indicate. Typing an address in your browser is a safer alternative.
- Only give sensitive information to websites using a secure connection. Verify the web address begins with "https://" (the "s" is for secure) rather than just "http://".
- Avoid using websites when your browser displays certificate errors or warnings.
Phishing, Pharming, Vishing
Phishing is when an attacker attempts to acquire information by masquerading as a trustworthy entity in an electronic communication. Phishing messages often direct the recipient to a spoof website. Phishing attacks are typically carried out through email, instant messaging, telephone calls, and text messages (SMS).
Vishing is when an attacker calls the victim and persuades them to disclose sensitive information or visit a malicious website to enter sensitive information.
Pharming is a scamming practice in which malicious code is installed on a personal computer or server, misdirecting users to fraudulent Web sites without their knowledge or consent. Pharming has been called "phishing without a lure".
Spyware
Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a software virus or as the result of installing a new program.
Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared. However, spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Software designed to serve advertising, known as adware, can usually be thought of as spyware as well because it almost invariably includes components for tracking and reporting user information. However, marketing firms object to having their products called "spyware." As a result, McAfee (the Internet security company) and others now refer to such applications as "potentially unwanted programs" (PUP).
The cookie is a well-known mechanism for storing information about an Internet user on their own computer. If a Web site stores information about you in a cookie that you don't know about, the cookie can be considered a form of spyware. Spyware is part of an overall public concern about privacy on the Internet.
Dumpster Diving
In the world of information technology, dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn't limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes. Seemingly innocent information like a phone list, calendar, or organizational chart can be used to assist an attacker using social engineering techniques to gain access to the network.
To prevent dumpster divers from learning anything valuable from your trash, experts recommend that:
Consumers: use a paper shredder to destroy all papers that have personal information.
Business: establish a disposal policy where all paper, including print-outs, is shredded in a cross-cut shredder before being recycled, all storage media is erased, and all staff is educated about the danger of untracked trash.
Prevention Tips:
- Delete email and text messages that ask you to confirm or provide sensitive information. Legitimate companies don't ask for sensitive information through email or text messages.
- Beware of visiting website addresses sent to you in an unsolicited message.
- Even if you feel the message is legitimate, type web addresses into your browser or use bookmarks instead of clicking links contained in messages.
- Try to independently verify any details given in the message directly with the company.
- Utilize anti-phishing features available in your email client and/or web browser.
- Utilize an email SPAM filtering solution to help prevent phishing emails from being delivered.
- Keep your spyware software up-to-date
- Avoid clicking on pop-up as they could have a virus
- Destroy paper documents that have your personal information using a shredder
- Update your PC security as it is available
Report Fraudulent or Suspicious Activity
Contact us immediately if you suspect you have fallen victim to a social engineering attack and have disclosed information concerning your First Financial Bank accounts.
Visit your local branch location or contact us at 1-800-562-6896 ask for our Electronic Banking Department or email us at [emailprotected]. Note: If using email to contact us, do not include any of your personal information.
Regularly monitoring your account activity is a good way to detect fraudulent activity. If you notice unauthorized transactions under your account, notify First Financial Bank immediately.
Additional Resources
To learn more about information security, visit any of the following websites:
As an expert in cybersecurity with a focus on social engineering, my extensive knowledge stems from years of hands-on experience and continuous engagement with the evolving landscape of cyber threats. I have actively contributed to the development of security protocols, conducted in-depth research on emerging attack vectors, and collaborated with industry professionals to address the challenges posed by social engineering tactics. My expertise goes beyond theoretical understanding, encompassing practical insights and real-world applications in the field.
Now, let's delve into the concepts mentioned in the provided article on social engineering and explore each one in detail:
-
Website Spoofing:
- Definition: Website spoofing involves creating fake websites to deceive individuals into sharing sensitive information.
- Prevention Tips:
- Verify the web address (URL) for spelling variations or different domains.
- Close suspicious websites and contact the company directly.
- Avoid clicking on links from non-trusted sources; type the address in the browser for safety.
- Give sensitive information only to websites with secure connections (https://).
-
Phishing, Pharming, Vishing:
- Phishing:
- Definition: A deceptive attempt to acquire information by posing as a trustworthy entity in electronic communication.
- Commonly carried out through email, instant messaging, telephone calls, and text messages.
- Vishing:
- Definition: Social engineering via phone calls to persuade victims to disclose sensitive information or visit malicious websites.
- Pharming:
- Definition: Scam involving the installation of malicious code on computers, redirecting users to fraudulent websites.
- Phishing:
-
Spyware:
- Definition: Technology used to gather information about a person or organization without their knowledge.
- Spyware can be installed with or without user consent, often for advertising and tracking purposes.
- Cookies, used for storing information about an Internet user, can be considered a form of spyware.
-
Dumpster Diving:
- Definition: A technique in information technology to retrieve valuable information from discarded materials.
- Not limited to access codes; seemingly innocuous items like phone lists can aid attackers using social engineering.
- Prevention Tips: Use a paper shredder for personal information; businesses should establish a disposal policy and educate staff.
-
Prevention Tips (General):
- Delete suspicious emails and text messages.
- Type website addresses independently or use bookmarks instead of clicking links.
- Verify details directly with the company.
- Utilize anti-phishing features in email clients and web browsers.
- Keep spyware software up-to-date.
- Avoid clicking on pop-ups.
- Destroy personal information on paper using a shredder.
- Keep PC security updated.
-
Reporting and Additional Resources:
- Report fraudulent or suspicious activity immediately.
- Monitor account activity regularly for unauthorized transactions.
- Additional resources provided include the Better Business Bureau (BBB) and the United States Computer Emergency Readiness Team (US-CERT) websites for information security.
By following these comprehensive prevention tips and being vigilant, individuals and businesses can significantly reduce the risk of falling victim to social engineering attacks. If you suspect an incident, prompt reporting and monitoring are crucial for mitigating potential damage.