March 3, 2014
Criminals use manipulative techniques known as "social engineering" to deceive their victims into revealing sensitive information. Such scams play on emotions like fear and the human tendency to want to help or trust others. A common approach uses fraudulent "phishing" e-mails, as in fishing for information. The scamming e-mail is often designed to look as though it comes from an individual or organization the recipient will recognize, or has an existing relationship with. The message attempts to fool the recipient into revealing sensitive information. The mechanisms used may entice the recipient to (a) click on a link leading to a fraudulent website (although it may appear legitimate), (b) reply to a specific offer or request in the e-mail, or (c) download an infected attachment.
Defending against social engineering attacks is difficult because cyber thieves are creative and constantly come up with new approaches, but the following guidance can help you avoid becoming a social engineering victim.
Think before you click. Be cautious with any message you don't expect or that doesn't make sense. If you get a message from the New York police about a speeding ticket but you have not been driving in NY recently, it's bogus. Delete immediately. Even if you had been driving in NY, ask yourself whether it makes sense that the NY police have your e-mail address. Probably not.
Be wary of offers of something for nothing. These are most likely scams. Won the lottery without entering? A free gift card from a store you don't patronize? Likely bogus.
Check validity with a web search. If you suspect the offer/threat could be real, don't click. Search instead. Many sites list known hoaxes. Reading through these can put your mind at ease.
Carefully scrutinize the destination of links in e-mails and text messages. Hover your mouse/finger over the link to see where it really goes. Clever phishers sometimes include valid links among the malicious links in the e-mail in a further attempt to disguise their intent.
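The hover check above can be automated. As an added example (not part of the original article), the Python below parses the links in an HTML e-mail body and flags any link whose visible text names a different host than the href actually points to; the e-mail body and host names are constructed, and the honest links mixed in mirror the disguise tactic the article describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: one deceptive link whose visible text shows a
# legitimate-looking address while the href goes elsewhere, plus two honest links.
SAMPLE_HTML = """
<p>Your account needs verification.</p>
<a href="http://secure-bank.example.login-portal.test/verify">https://www.secure-bank.example/login</a>
<a href="https://www.secure-bank.example/help">Help center</a>
<a href="https://www.secure-bank.example/contact">www.secure-bank.example/contact</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(text):
    """Return the host named by a URL-like string, or None if it names no host."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:
        return None
    # Plain words such as "Help center" have no dot and are not treated as hosts.
    return host.lower() if host and "." in host else None

def find_deceptive_links(html):
    """Return hrefs whose displayed text names a host other than the real target."""
    parser = LinkCollector()
    parser.feed(html)
    return [href for href, text in parser.links
            if host_of(text) and host_of(href) and host_of(text) != host_of(href)]
```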
Do not respond to unsolicited requests for sensitive information, whether by e-mail, phone, or text message. If an unsolicited caller starts asking for personal information, it's time to end the call.
Do not submit personal information via website pop-up screens. Legitimate organizations do not ask for personal information via pop-ups.
If you think a request might be valid but can't verify the identity of the requester, then contact the organization making the request yourself so you can be sure of whom you are talking to.