Cybercriminals are using social engineering to craft emails that appear as though they have been sent from a legitimate organization or known individual. The purpose of these emails is to either gain access to your device or trick you into revealing personal information like credit card numbers or passwords. These emails often entice users to click on a link or open an attachment containing malicious code. This type of social engineering has been termed “phishing,” because - like fishing in a lake - cybercriminals are casting their reels, hoping you take the bait.
Best Practices to Protect Yourself
- Be careful when clicking directly on links in emails, even if the sender appears to be known; attempt to verify web addresses independently. Check out this PC World article for tips on verifying links.
- Exercise caution when opening email attachments. Be particularly wary of ZIP, EXE, or DMG file attachments. As a best practice, NEVER open an attachment from an email.
- Avoid revealing personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
- Be suspicious of unsolicited email messages from individuals asking for sensitive information.
- If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
- Report spam email with your mail client's Spam/Junk button.
- Pay attention to the URL (address) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). This is one of the most common ways used to trap people.
- Even for legitimate purposes, be cautious about sending sensitive information over the Internet before checking a website's security. This AVG article has tips for verifying a site’s security.
- Update web browsers regularly to ensure known security holes and vulnerabilities have been patched.
Computers and Other Devices
- Install application and operating system updates regularly. Outdated applications and operating systems are vulnerable and the target of most attacks. Read this Norton Antivirus article on the importance of installing updates.
- Install and maintain anti-virus software, firewalls, and email filters.
- Perform frequent backups of your computer and files and verify those backups regularly. If your system becomes compromised, you can restore it to its previous state.
- The safest practice is to store backups on a separate device that cannot be accessed from a network or the Internet.
If you do become a victim of phishing, having secure passwords may help mitigate the effect the attack will have:
- Never share your username or password with anyone
- Never put your password in easily-visible areas.
- Always use complex passwords - at least 8-10 characters with numbers and special characters/punctuation. Phrases are easier to remember!
- Avoid dictionary words.
- Change your password frequently.
- Never use the same password twice.