Social engineering and phishing
Last updated
(Taken from safehubcollective.org)
Social engineering is the psychological manipulation of a target into revealing sensitive information. A common example is a hacker calling a customer service or technical support worker at a website: they claim to be an employee or a customer and smooth-talk their way into being given private data about a customer. Another common case is simply contacting a target directly and pretending to be a representative of a company or service: a hacker can claim to be a utilities worker needing information about your apartment, a healthcare worker asking about your health plan, or any number of other roles, all to steal your information.
For more see How to: Avoid Phishing Attacks
Example of phishing e-mail
Phishing is a very popular form of social engineering where a hacker will send you a professionally designed email pretending to be a website or service that you trust, including a website link for you to follow. When you click the link, it will take you to a seemingly legitimate website that asks for your password, ATM PIN, or other information. In reality, the website is a fake that collects the private data you mistakenly hand over! If you think there is a chance your bank has really emailed you, you can always securely log into your account directly to check for messages rather than clicking a link in an email.
As a rule of thumb, if an email link directs you to a login screen, you should be suspicious. It's best to simply go to the website yourself in your browser, log in normally, and look for the page the email wanted you to access. An exception is when you reset a password for a site (the website needs to provide a personalised link for you to change your password). In this case just make sure that you explicitly requested the password reset. And use a unique password just to be safe - otherwise your other accounts may be at risk too!
Many websites and services offer the option of logging in with your social media account rather than having to create an account for the website. No passwords are shared using this method, but it can make personal details such as email addresses and contact/friend lists available to a third party. Although convenient, the security risk is that if someone gains access to the primary account, they then have access to all the other services linked to it. (How often do you log out of Facebook?) It is safer to create a new account for the site, as long as you use a strong, unique password. Never reuse passwords across sites and services.
...no matter how professional it looks
The vast majority of websites do not need your personal data to provide their services, so be suspicious if they ask for it (besides, who cares what they want? It's not your responsibility to give them anything). If you think the request is legitimate, do not follow their supplied link: you should be able to do whatever you have to do by navigating their website in your browser. If you can't, they clearly have poor security practices and you should be suspicious of them in general!
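The advice above (be suspicious of email links that lead to a login screen, and go to the site yourself instead of following the supplied link) can be turned into a simple check on the links themselves. The following Python script is an added example, not code from safehubcollective.org: it extracts the host a browser would actually connect to and flags the usual disguises, such as a host hidden behind "user@" in the address, a look-alike subdomain, a punycode label, or link text that shows a different address than the one it points to. The expected domain "bank.example", the sample links and their display text are constructed for illustration.

```python
"""Reveal where an e-mail link really goes and flag common disguises.

Added example for educational use; not code from the original page.
All domains and links below are constructed, not real services.
"""
from __future__ import annotations

from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Return the host a browser will actually connect to for this URL.

    Anything before '@' ("https://bank.example@evil.example/") is userinfo
    and is ignored by the browser, so it must not be mistaken for the host.
    urlsplit().hostname already drops userinfo, port and brackets and
    lower-cases the name; we also strip a trailing dot.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain itself or a subdomain of it.

    'bank.example.evil.example' starts with 'bank.example' but is NOT part of
    it, so the comparison is made on label boundaries, never as a string prefix.
    """
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def inspect_link(display_text: str, href: str, expected_domain: str) -> list[str]:
    """Return a list of warnings for one link; an empty list means nothing odd."""
    warnings: list[str] = []
    parts = urlsplit(href)
    host = effective_host(href)

    if parts.scheme != "https":
        warnings.append(f"not HTTPS (scheme={parts.scheme or 'none'})")
    if parts.username is not None:
        warnings.append(
            f"userinfo {parts.username!r} before '@' hides the real host {host!r}"
        )
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label; may be a look-alike domain")
    if not belongs_to(host, expected_domain):
        warnings.append(f"link goes to {host!r}, not {expected_domain!r}")

    # If the visible text itself looks like an address, it should match the
    # real destination; a mismatch is the classic phishing trick.
    shown = display_text.strip()
    if "://" in shown or shown.startswith("www."):
        shown_host = effective_host(shown if "://" in shown else "https://" + shown)
        if shown_host and shown_host != host:
            warnings.append(f"displayed {shown_host!r} but actually goes to {host!r}")
    return warnings


# Constructed sample links as (display text, href) pairs. The first is the
# genuine site; the others show a hidden host, a look-alike subdomain over
# plain HTTP, and a punycode look-alike behind honest-looking link text.
SAMPLE_LINKS = [
    ("https://www.bank.example/accounts", "https://www.bank.example/accounts"),
    ("https://www.bank.example/login", "https://bank.example@evil.example/login"),
    ("Verify your account", "http://bank.example.evil.example/login"),
    ("www.bank.example", "https://xn--bnk-2na.example/login"),
]


def triage(links=SAMPLE_LINKS, expected_domain: str = "bank.example") -> dict[str, list[str]]:
    """Map each href to its warnings so a reader can see at a glance which to avoid."""
    return {href: inspect_link(text, href, expected_domain) for text, href in links}


if __name__ == "__main__":
    for href, found in triage().items():
        verdict = "OK" if not found else "SUSPICIOUS"
        print(f"{verdict:10} {href}")
        for w in found:
            print(f"           - {w}")
```

The script only reads the link; it never fetches it. That is deliberate: the point of the page's advice is to decide before clicking, and the genuine site is reached by typing its address into the browser yourself.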
In the Anonymity section, we talked about the value of using the HTTPS Everywhere extension. When you connect to a website over HTTPS, your browser checks that the site presents a valid certificate for the domain name in the address bar. A fake site on a different domain cannot obtain a certificate for the real site's name, so if a page tries to impersonate that site over HTTPS, your browser can warn you that the connection is insecure.
Trust your browser! By installing the HTTPS Everywhere extension, your browser will try to use HTTPS whenever possible, offering an easy first line of defense against phishing scams.
In Firefox, there will be a green padlock on the left of the URL address.
In Chrome browser, there will be a green padlock and “https” will also be in green.
When you are on a Wi-Fi network, anyone else using that network can watch or intercept your web traffic (even if it's a password-protected network). So an easy phishing scheme is to sit in a coffee shop and intercept all requests to Facebook.com so that everyone sees a fake phishing site instead, collecting as many passwords as possible. The absolute best protection is to use a Virtual Private Network (VPN) to seamlessly encrypt your web traffic so it cannot be intercepted. A great alternative is to use the Tor Browser to send your browsing over the Tor network, anonymising you while encrypting your data (although it will be slower than using your normal browser). If you're on a phone, try to use only your regularly installed apps for websites rather than logging in through a browser (phone browsers are much less secure).