What is Social Engineering?
Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. The information obtained is then used to gain illicit access to systems. Social Engineering and Phishing are often used in combination.
What is Phishing?
Phishing works by using a false set of circumstances to get you to disclose sensitive information, such as account passwords, credit or debit card numbers, or Social Security numbers, etc. One of the most common phishing scams involves sending a fraudulent email that claims to be from a well-known company. Phishing and Social Engineering can also be carried out over the phone, in person, through fraudulent pop-up windows, and websites.
How phishing works through email:
1. Mass Email - A criminal will start out sending thousands or millions of emails to different mail accounts designed to look like a messages from a well-known company. The typical phishing email will contain false pretenses intended to lure you into clicking a link or button in the email or calling a phone number. Learn how to spot a fraudulent email below.
2. Phishing Email - In the email, there will be links or buttons that take you to a fraudulent website.
3. Fraudulent Website - The fraudulent website will mirror the appearance of a popular website, usually down to the tiniest detail. The web site will request personal information, such as your credit card number, Social Security number, or account password. It appears as if you are providing information to a trusted company when, in fact, you are supplying it to a criminal. Learn how to spot a fraudulent website below
Questions FNB will never ask you in email.
To help you better identify fake emails, we follow strict rules. We will never ask for the following sensitive information via unencrypted email:
Credit or debit card numbers
Bank account numbers
Driver's license numbers
How do I identify fraudulent email and websites?
Fraudulent email and websites are designed to mislead you and can be difficult to distinguish from the real thing.
Do not click on any link in an email that requests personal information! The best thing to do is to open a new browser and type in the email address for the institution or company directly.
How to identify a phishing email.
There are many subtle signs of fraudulent email.
Sender's Email Address. To give you a false sense of security, the “From" line may include an official-looking email address that may actually be copied from a genuine one. The email address can easily be altered – it’s not an indication of the validity of any email communication.
Generic Email Greeting. A typical phishing email will have a generic greeting, such as “Dear User."
False Sense of Urgency. Most phishing emails try to deceive you with the threat that your account will be in jeopardy if it’s not updated right away. An email that urgently requests you to supply sensitive personal information is typically fraudulent.
Fake Links. Many phishing emails have a link that looks valid, but sends you to a fraudulent site that may or may not have an URL different from the link. Always check where a link is going before you click. Move your mouse over the URL in the email and look at the URL in the browser. Do not click on any link in an email that requests personal information! The best thing to do is to open a new browser and type in the email address for the institution or company directly.
Attachments. Similar to fake links, attachments can be used in phishing emails and are dangerous. Never click on an attachment. It could cause you to download spyware or a virus.
How to spot a fraudulent website.
A phishing email will usually try to direct you to a fraudulent website that mimics the appearance of a popular website or company. The spoofed website will request your personal information, such as credit card number, Social Security number, or account password. You think you are giving information to a trusted company when, in fact, you are supplying it to an online criminal.
Be cautious. Some criminals will insert a fake browser address bar over the real one, making it appear that you’re on a legitimate website. Follow these precautions:
Examples of fake addresses:
The term "https" should precede any web address (or URL) where you enter personal information. The "s" stands for secure. If you don't see "https," you're not in a secure web session, and you should not enter data.
Out-of-place lock icon.
Make sure there is a secure lock icon in the status bar at the bottom of the browser window. Many fake sites will put this icon inside the window to deceive you.