
SECURITY AWARENESS FOR CUSTOMERS
The following will outline important information related to security awareness. Social engineering is the act of manipulating people into performing actions or divulging confidential information, usually related to trickery or deception for the purpose of fraud, information gathering, or computer system access. In most cases the attacker never comes face-to-face with the victim. Social engineers find that it is much easier to trick someone into giving out a password than to spend the effort to hack into your computer. You should know that no one from the bank will ever call you, email you, or contact you online to ask you to provide your password. Common social engineering techniques include but are not limited to:
Pretexting involves an invented scenario to persuade a victim to release information. For example, the attacker may pretend to be calling from your bank or a government agency, and may even provide you with confidential information such as your social security number or date of birth. The purpose of the contact is to get you to release further confidential information, such as your bank account information. The caller may pretend to be from the IRS or the FDIC, etc., and use a very authoritative voice and an earnest tone. Federal and some state laws make pretexting of bank records a crime.
Phishing often involves an email that appears to come from a legitimate business – a bank, or the FDIC – and requests “verification” of information, with a warning of serious consequences for failure to comply (e.g., “Your account will be closed if you do not follow these instructions”). The email usually contains a link to a fraudulent web page where the victim will be asked to provide confidential information.
Spear phishing often involves an email that appears to come from a supervisor, co-worker, or tech support. Whaling attacks often target CEOs, presidents, and other senior executives of a company, whose email addresses may be on their own company’s website.
Vishing (IVR or phone phishing) may involve receiving a telephone call from a legitimate-sounding copy of a bank’s automated response system, which advises victims to call a fraudulent number to “verify” confidential information.
Spoofing involves a deception where the attacker manipulates caller ID or the email address so that it looks legitimate (e.g., caller ID reads “FDIC”). Websites are also spoofed for the purpose of obtaining login credentials. A link from a phishing email may direct the victim to a spoofed website.
Typo-squatting (or cybersquatting) involves a spoof of a website, usually with one letter omitted or changed (e.g., www.micosoft.com instead of www.microsoft.com). Victims are directed to the spoofed sites by mistyping the address into the browser, or by clicking a link in a scam email.
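As an added illustration (not part of this notice, and not a tool the bank provides), the following Python check flags a hostname that is one edit away from a trusted domain, which is how the www.micosoft.com case above would be caught; the trusted-domain list is a constructed placeholder.

```python
# Added example: flag lookalike ("typo-squatted") hostnames by comparing the
# registrable domain against a short allow-list using edit distance.
from urllib.parse import urlsplit

# Constructed placeholder list of trusted domains; a real deployment would
# load the organisation's own list.
TRUSTED_DOMAINS = {"microsoft.com", "fdic.gov", "examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Reduce a URL or bare hostname to its last two labels, lower-cased.

    'http://www.Micosoft.com/login' -> 'micosoft.com'
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_domain(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> tuple:
    """Return (verdict, matched_domain).

    verdict is 'trusted' (exact match), 'lookalike' (within max_distance edits
    of a trusted domain but not equal to it) or 'unknown' (no close match).
    A subdomain trick such as 'microsoft.com.evil.example' reduces to
    'evil.example' and is therefore reported as 'unknown', not 'trusted'.
    """
    domain = registrable_domain(url)
    if domain in trusted:
        return "trusted", domain
    for good in trusted:
        if edit_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "unknown", ""


if __name__ == "__main__":
    for link in ("http://www.micosoft.com/login", "www.microsoft.com",
                 "https://fdlc.gov/verify", "microsoft.com.evil.example"):
        print(link, "->", check_domain(link))
```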
Baiting involves leaving media (such as a CD-ROM, USB flash drive, or floppy disk) infected with malware (malicious software) in a public location like a bathroom, parking lot, sidewalk, etc., as a Trojan Horse. The disk may feature a corporate logo and a label designed to spark curiosity (“secret pictures”). By inserting the media into the computer, the victim would unknowingly install malware or a virus.
Quid pro quo (which means “something for something”) may involve an attacker contacting you while pretending to be from tech support. They may even help you solve a problem with the internet, a printer, or software, but will then ask you to type commands into the system that give the attacker access to your computer, or they will ask you to reveal your login credentials or password, pretending that they need this information in order to solve your problem. You could also be contacted and offered a small prize of some kind in exchange for your password.