What if you were surfing the web one day, and came across a page that said:
Would you do it? probably not... but what if it said this:
That's a little more tempting. If you actually gave them your credit card number, they would take a lot more than $38, and your computer was never infected in the first place. These scams are called "Social engineering" and can get very complicated and be very convincing to the unexpecting victim.
Social engineering is the act of tricking people into doing something or giving out confidential information, rather than by using technical hacking techniques. In most cases the attacker never comes face-to-face with the victim.
The most common form of Social engineering you will encounter is called Phishing. Phishing is a technique of fraudulently obtaining private information. It is pronounced like fishing. Typically, the phisher sends an e-mail that appears to come from a legitimate business — a bank, or credit card company — requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate — with company logos and content — and has a form requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a Web site resemble a legitimate organization's site by mimicking the programming source, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently, were going to eBay's site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had listed credit card numbers with eBay legitimately, who might respond.
Here is an example that was received by the Ouachita County Sheriff's Office.
Here is another example a customer of mine got from "The IRS"
The original email had official looking pictures that made it look very genuine.
Here's one of the most convincing phishing scams I've ever seen. Can you find any red flags in this email?
Did you find any red flags? The English is good, the company logo matches, and the link they want you to click at the bottom matches the link for that bank. The only red flag might be that they are rushing you a little bit to click that link. If it was an emergency they wouldn't send you an email and hope you check your email daily. The only way to see the real red flag would be to view the HTML source code for that email. Something most users will not know even exists, much less know how to view it. The link at the bottom does not take you where it says it does. It's easy to make a link that hides it's real destination. If you don't believe me, use this link to go to facebook.
Clicking the link in the scam email takes you to a site that LOOKS like the USAA site but a quick glance at the address bar in the web browser reveals you are not at usaa.com but usaa.co. There was no M on coM. The .co name is assigned to the Republic of Columbia and is not the same as .com. This site allowed you to enter your info then forwarded it to an attacker. To make matters worse, sometimes banks and other organizations that dont know any better actually send legit email like this. To be sure you are going to the site you think you are, never click links in emails, type it in instead.
Another scam I see frequently is where the attacker guesses or phishes your email account to gain access to your address book. The attacker assumes the people in your address book know you and trust you, so he sends email (from your account) to your friends that say things like "I took a cruise to the UK, now I'm out of money and can't get home. Can you wire $4,000 to bank account #123456789? I'll repay you as soon as I get home. Please hurry they are about to put me in jail!"
It's not just email you have to worry about. Phishers will also call your phone. They will say they are with the bank or some place you trust, and they need some information. Sometimes they can even modify what your caller-id says! caller-id spoofing can be done extremely easy without being a computer genius. There are multiple websites online that assist you in doing this. One way to protect yourself from this is by asking the caller for his phone number to call him back. If they wont give it to you, or give you a number with an unexpected area code, or even a country code, you know it's a scam. They might even tell you their phone system can't receive incoming calls and say it's urgent that you give them your info now.
In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolates and other cheap lures.
Attackers have been known to call random numbers at a company claiming to be calling back from technical support. Eventually they will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and in the process have the user type commands that give the attacker access or launch malware.
Now let's cover identity theft. I’m sure you’ve heard that term. It’s on the news, your friends talk about it, and your credit card company wants you to pay more for “identity theft protection”. It seems like a lot of people are afraid of it but don’t know what it is. Identity theft is simply when a bad buy pretends to be you. It’s like the opposite of phishing. Instead of the attacker tricking you, they trick your bank or your credit card company, or a car dealer.
What information does a bank require for you to open a new checking account? Name, address, phone number, social security number, maybe a few forgeable documents such as a birth certificate. Most of it can be easily obtained, and the rest is all that keeps you safe from identity theft. That’s why it is so important to protect your social security number.
If the attacker was able to gather enough information on you, he could open a new checking account in your name, then trick your bank into transferring most of your money out of your account and into “your” new account. He had all the information the bank asked for, so there was no way your bank could have known it wasn’t you doing the transaction. You wouldn’t know it until you got your bank statement, or your checks started bouncing.
Then the attacker could go buy a car, making the down payment with your new checking account and taking a loan out for the rest, in your name of course. You wouldn’t know it until you start receiving the loan bills in the mail. How was the car salesman supposed to know the attacker wasn’t who he said he was?
How do you protect yourself from this? Well, you really can’t protect yourself completely. No matter how hard you try, you are still at risk. You have to give your social security number out to get things done sometimes. You have to trust your bank but who is to say that new kid they just hired isn’t selling your information to his friend he met online? You have to say your credit card number over the phone to buy that cool thing you just seen on TV. Can you trust that person you just gave your info to? They didn’t even speak good English!
This doesn’t mean you have to quit buying stuff on TV, it just means you have to be aware this stuff does happen, and knowing how it happens is a major part of protecting yourself. You can’t prevent identity theft but you can make it easier to undo if it happens. Monitor your credit score yearly. There is a law that forces the credit agencies to give you a free credit report every year, but you have to ask for it. Review your credit card statements and make sure you know what every charge is. Investigate any charge you don’t recognize and get to the bottom of it. Knowing how the attacker works will help you imagine what to watch out for.
When’s the last time you saw your credit report? If you have a few more minutes you can see it now at www.annualcreditreport.com
Want to read more? ONGUARDONLINE.GOV is awesome.