You should take time to become familiar with two important concepts, social engineering and phishing, to better protect your home or church network. Attackers use both to get into your computers and steal or damage your data. Improving your computer security starts with education. The following sections cover what you can do to improve your computer safety.
What is Social Engineering?
Social engineering is a form of psychological manipulation. You may receive a phone call, an email, or an on-site visit from someone who is purportedly there to help you with an unknown (or unforeseen) problem. They are friendly and helpful. If you would just click the link to let them log into your computer remotely, or let them into your phone closet, they can fix things quickly so that you can get on with your day. The attacker is trying to trick you into revealing your password or even into giving them direct access to your computer. Once they have that access, they can quietly look over every computer on your network for vulnerabilities.
What is Phishing?
Phishing attacks arrive by email and instant messaging. Phishing messages appear to come from legitimate companies or even from your co-workers. They ask you to click a link to log into a website, to provide your credit card or Social Security information, or to wire money to cover an emergency. Once an attacker has your login information, they can try it on major websites to find out whether you use the same password (or the same few passwords) everywhere.
How do you avoid these attacks?
There is no sure defense against social engineering or phishing. There are, however, several things you can do to significantly decrease your vulnerability to these types of attacks:
- Be suspicious – If you weren’t expecting contact from someone, it is ok to be suspicious. When we work for the church, we try to help everyone with a kind heart. Attackers count on that kindness and take advantage of it. If you have any doubt, politely decline the request.
- Do not reveal personal information – If you aren’t sure who you are speaking with, don’t disclose any personal information. Don’t reveal how many employees you have, when they are expected to be in the office, details of your church’s network or staff, what city you were born in, your mother’s maiden name, etc.
- Check a website’s security before you send information – Get in the habit of looking up at the address bar of the website you are visiting. Do you see the security lock icon? If you don’t have the lock (or the browser says there is a problem), don’t go any further. The lock only tells you the connection is encrypted, not who is on the other end, so also verify that you are on the correct website before you enter your password!
- Do not click those links! – No reputable company will email you to ask for your password. If you need to log into a website, browse there directly by typing the address yourself. If you do not recognize an email (or weren’t expecting it), don’t click its links!
- Install and maintain antivirus software – Budget for antivirus software as the first line of defense against online threats. Symantec Endpoint Protection is an excellent product for church computers: it can be installed on every computer and centrally managed from one website. AVG Antivirus is a free solution. Once a month, check every antivirus installation and make sure none of them shows an error condition. Each should also show virus definitions less than a week old.
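The two link-related tips above (look for the lock, then confirm you are on the correct site) can be turned into a small check that shows why both steps are needed. The following Python script is an added example written for this article, not something from the original page or from US-CERT; the trusted domains and the sample links in it are constructed for illustration. It pulls out the host a browser would really connect to and compares it, label by label, against the domains the church actually uses. Note that a lookalike host such as example-bank.com.evil.example can carry a perfectly valid lock icon and still be the wrong site.

```python
from urllib.parse import urlsplit

# Constructed for this example: the domains a hypothetical church actually uses.
TRUSTED_DOMAINS = {"example-church.org", "example-bank.com"}


def true_hostname(url: str) -> str:
    """Return the host a browser would really connect to for `url`.

    urlsplit() discards any user@ prefix in the address, so a link like
    https://example-bank.com@evil.example/ resolves to 'evil.example', even
    though the familiar name appears first when you read it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web link: {url!r}")
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        raise ValueError(f"no host in link: {url!r}")
    return host


def matches_trusted(host: str) -> bool:
    """True only if `host` is a trusted domain or a subdomain of one.

    The comparison is on whole labels, so 'example-bank.com.evil.example' and
    'example-bank.com-login.example' do NOT match 'example-bank.com'.
    """
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_link(url: str) -> dict:
    """Summarise a link the way the two tips above ask you to: lock, then site."""
    host = true_hostname(url)
    return {
        "host": host,
        "encrypted": urlsplit(url.strip()).scheme.lower() == "https",
        "trusted": matches_trusted(host),
    }


def verdict(url: str) -> str:
    """One-word outcome: 'wrong site', 'no lock', or 'ok'."""
    result = check_link(url)
    if not result["trusted"]:
        return "wrong site"      # correct-looking name, wrong owner
    if not result["encrypted"]:
        return "no lock"         # right site, but nothing protects the password in transit
    return "ok"


if __name__ == "__main__":
    # Constructed sample links, the kind that turn up in phishing email.
    SAMPLE_LINKS = [
        "https://www.example-church.org/login",           # genuine, encrypted
        "http://www.example-church.org/login",            # genuine, but no lock
        "https://example-bank.com.evil.example/verify",   # lock present, wrong site
        "https://example-bank.com@evil.example/",         # user@ trick, wrong site
        "https://examp1e-bank.com/",                      # lookalike spelling
    ]
    for link in SAMPLE_LINKS:
        info = check_link(link)
        print(f"{verdict(link):10}  host={info['host']:32}  {link}")
```

Run it directly to see the table; only the first link earns "ok". The point of the `verdict` ordering is that a wrong site is the worse finding, because a lock on the wrong site is exactly what a phishing page offers.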
What do you do if you are compromised by these attacks?
You should take the following actions:
- Report the incident to whoever is responsible for your computers. They can keep an eye out for suspicious activity on the network.
- If you disclosed financial information, contact your bank immediately. Close any compromised accounts.
- Change any compromised passwords everywhere they are in use.
- Monitor for signs of identity theft. You can find out more information on preventing identity theft by visiting US-CERT Security Tip (ST05-019).
Reference: US-CERT Security Tip (ST04-014)