Phishing: Fraudulent e-mail messages and Web sites
The most common form of social engineering is the phishing scam. Phishing scams employ fraudulent e-mail messages or Web sites that try to fool you into divulging personal information.

For example, you might receive an e-mail message that appears to come from your bank or other financial institution that asks you to update your account information. The e-mail message provides a link that appears to go to a legitimate site, but really takes you to a spoofed or fake Web site. If you enter your login, password, or other sensitive information, a criminal could use it to steal your identity.

Phishing e-mail messages often include misspellings, poor use of grammar, threats, and exaggerations. For more information about phishing, see LINK TO SCAMS.

If you think you might already be a victim, see What to do if you've responded to a phishing scam.

Spear phishing: Focused attacks that seem to come from people you know
Spear phishing is any highly targeted e-mail scam; but they usually are employed in a business environment. Spear phishers send e-mail messages that appears genuine to all the employees or members within a certain company, government agency, organization, or group.

The message might look like it comes from your employer, or from a colleague who might send an e-mail message to everyone in the company, such as the head of human resources or IT. It might include requests for user names or passwords or might contain malicious software, like a trojan or a virus.

Spear phishing is a more sophisticated type of social engineering than phishing, but the techniques you can use to avoid being fooled are the same. For more information, see Spear phishing: Highly targeted e-mail scams. To help avoid trojans and viruses, use antivirus software.

BACK