Advanced DIY Privacy for Every Woman

Social engineering and phishing


Last updated 7 years ago

(Taken from safehubcollective.org)

Social Engineering involves psychological manipulation of targets to reveal sensitive information. A common example is a hacker calling a customer service or technical support worker at a website: they claim to be an employee or a customer and smooth-talk their way into being given private data about a customer. Another common case is simply contacting a target and pretending to be a representative of a company or service: a hacker can claim to be a utilities worker needing information about your apartment, a healthcare worker asking about your health plan, or a number of other roles to steal your information.

For more, see How to: Avoid Phishing Attacks.

Example of phishing e-mail

Phishing is a very popular form of social engineering where a hacker will send you a professionally designed email pretending to be a website or service that you trust, including a website link for you to follow. When you click the link, it will take you to a seemingly legitimate website that asks for your password, ATM PIN, or other information. In reality, the website is a fake that collects the private data you mistakenly hand over! If you think there is a chance your bank has really emailed you, you can always securely log into your account directly to check for messages rather than clicking a link in an email.
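To make the "check before you click" advice above concrete, here is a small added Python script (it is not from this guide or from safehubcollective.org) that inspects the links in an email body the way a cautious reader would: it flags links that are not HTTPS, that go to a bare IP address, that use an internationalised (punycode) domain, that lead somewhere other than the domain the email claims to come from, and the classic trick where the visible text shows one address while the link goes to another. The email body and the sender domain examplebank.example are constructed for the example.

```python
"""Flag suspicious links in an email body before deciding whether to click.
Added example; the sample email and the examplebank.example domain are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# Constructed sample: an email that claims to come from a hypothetical bank.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your details:</p>
<a href="http://203.0.113.5/login">https://www.examplebank.example/login</a><br>
<a href="https://examplebank.example.account-verify.test/login">Secure login</a><br>
<a href="https://xn--exmplebank-9h1b.example/login">examplebank.example</a><br>
<a href="https://www.examplebank.example/messages">View your messages</a>
"""

# Assumption: the domain the email says it comes from (check the From: header).
CLAIMED_SENDER_DOMAIN = "examplebank.example"


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def _is_same_site(host, claimed_domain):
    """True only for the claimed domain itself or one of its subdomains."""
    return host == claimed_domain or host.endswith("." + claimed_domain)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text, claimed_domain):
    """Return the list of reasons a link looks like phishing (empty = no red flags)."""
    reasons = []
    host = _host_of(href)
    if urlsplit(href).scheme != "https":
        reasons.append("not https")
    if _is_ip_literal(host):
        reasons.append("IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("internationalised (punycode) domain, possible lookalike")
    if not _is_same_site(host, claimed_domain):
        reasons.append(f"destination {host!r} is not {claimed_domain!r}")
    # Visible text that looks like an address but points elsewhere is the classic trick.
    if "." in text and " " not in text:
        shown_host = _host_of(text if "://" in text else "https://" + text)
        if shown_host and shown_host != host:
            reasons.append(f"text shows {shown_host!r} but link goes to {host!r}")
    return reasons


def analyse_email(html_body, claimed_domain):
    """Map every link in the email to its list of warning reasons."""
    collector = _LinkCollector()
    collector.feed(html_body)
    return {href: analyse_link(href, text, claimed_domain)
            for href, text in collector.links}


if __name__ == "__main__":
    for href, reasons in analyse_email(SAMPLE_EMAIL_HTML, CLAIMED_SENDER_DOMAIN).items():
        print(href, "->", reasons or "no obvious red flags")
```

Only the last link, which stays on the claimed domain over HTTPS, comes back clean; the advice in the guide still applies to it: type the address yourself rather than clicking, and look for the message once logged in.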

Do not login to websites from a link in an email

As a rule of thumb, if an email link directs you to a login screen, you should be suspicious. It's best to simply go to the website yourself in your browser, login normally, and look for the page the email wanted you to access. An exception is when you reset a password for a site (the website needs to provide a personalised link for you to change your password). In this case just make sure that you explicitly requested a password reset. And use a unique password just to be safe - otherwise your other accounts may be at risk too!

Avoid using Facebook, Twitter, or Google (**OAuth**) to login to other websites

Many websites and services offer the option of logging in with your social media account rather than having to create an account for the website. No passwords are shared using this method, but it can make personal details such as email addresses and contact/friend lists available to a third party. Although convenient, the security risk is also that if someone gains access to the primary account, they then have access to all the other services. (How often do you logout of Facebook?) It is safer to create a new account for the site, as long as you use a strong, unique password. Never reuse passwords across sites and services.

Do not trust emails asking for personal information, survey data, or anything else that could reveal information about you

...no matter how professional it looks

The vast majority of websites do not need your personal data to provide their services, so be suspicious if they ask for it (besides, who cares what they want? It's not your responsibility to give them anything). If you think the request is legitimate, do not follow their supplied link: you should be able to do whatever you have to do by navigating their website in your browser. If you can't, they clearly have poor security practices and you should be suspicious of them in general!

Use HTTPS connections whenever possible

In the Anonymity section, we talked about the value of using the HTTPS Everywhere extension. When you connect to a website using HTTPS, your browser ensures the site is not a fake by verifying that the site's HTTPS certificate is legitimate. Because fake sites cannot replicate the expected HTTPS certificate, your browser can give you a warning that a fake site is insecure.

Trust your browser! By installing the HTTPS Everywhere extension, your browser will try to use HTTPS whenever possible, thus offering an easy first line of defense against phishing scams.

How to see the secure https indicators on different browsers

In Firefox, there will be a green padlock on the left of the URL address.

In Chrome browser, there will be a green padlock and "https" will also be in green.

Beware of public Wi-Fi

When you are on a Wi-Fi network, anyone else using that network can watch or intercept your web traffic (even if it's a password-protected network). So an easy phishing scheme could be sitting in a coffee shop and intercepting all requests to Facebook.com so everyone sees a fake phishing site instead, thus collecting as many passwords as possible. The absolute best protection is to use a Virtual Private Network (VPN) to seamlessly encrypt your web traffic so it cannot be intercepted. A great alternative is to use the Tor Browser to send your browsing over the Tor network, thus anonymising you while encrypting your data (although it will be slower than using your normal browser). If you're on a phone, try to only use your regularly installed apps for using websites rather than logging in through a browser (phone browsers are much less secure).
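The certificate check described under "Use HTTPS connections whenever possible" is also what defeats the coffee-shop scheme in the public Wi-Fi paragraph: whoever intercepts the connection can serve a fake page, but they cannot produce a certificate that both chains to a root your browser trusts and carries the name you typed. The added Python below (not part of the guide) shows the second half of that check, the name comparison, in a simplified form of the rules browsers apply: a name in the certificate must match the host label for label, and a wildcard is only honoured as the whole leftmost label and stands for exactly one label. It also shows that Python's default TLS context, like a browser, requires both chain verification and a matching hostname. The certificate names are constructed for the example.

```python
"""Why an impostor site cannot just present 'a certificate': the browser checks that
the certificate chains to a trusted root AND that one of its names matches the host
you typed. Added example; the certificate names below are constructed."""
import ssl

# Constructed: the subjectAltName entries a certificate for a hypothetical bank might carry.
BANK_CERT_NAMES = ["www.examplebank.example", "*.examplebank.example"]


def name_matches(cert_name, hostname):
    """Does one certificate name (possibly with a leading wildcard) cover hostname?
    Simplified RFC 6125 rules: case-insensitive, label by label; '*' is only accepted
    as the entire leftmost label, never in the last two labels, and it matches one label."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False          # a wildcard never spans more (or fewer) labels
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False          # refuse '*.example' style wildcards
    if any("*" in label for label in cert_labels[1:]):
        return False          # wildcards are not honoured deeper in the name
    if "*" in cert_labels[0] and cert_labels[0] != "*":
        return False          # partial wildcards such as 'f*.example' are not honoured
    return all(p == "*" or p == h for p, h in zip(cert_labels, host_labels))


def certificate_covers(cert_names, hostname):
    """True if any name in the certificate matches the requested host."""
    return any(name_matches(name, hostname) for name in cert_names)


def verifying_context():
    """The settings a browser (and Python's default TLS context) insists on: verify the
    chain against trusted roots and require the certificate name to match the host."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


if __name__ == "__main__":
    for host in ["www.examplebank.example", "login.examplebank.example",
                 "examplebank.example.account-verify.test", "a.login.examplebank.example"]:
        print(f"{host:45} covered: {certificate_covers(BANK_CERT_NAMES, host)}")
```

The lookalike host from the phishing example, examplebank.example.account-verify.test, fails the match even though it contains the bank's name, which is exactly the warning the guide tells you to trust.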