Social EngineeringPhishing, Baiting, Ransonware and more

What is Social Engineering?

• Social Engineering: the manipulation of people into performing actions or divulging confidential information• Phishing/Vishing• Baiting• Ransomware• Malware

Phishing and Vishing

• Phishing: the attempt to acquire personal information by masquerading as a trustworthy identity in an electronic communication

• Vishing: the criminal practice of using social engineering over the telephone

• Smishing: Text messages asking for personal information

• These methods of social engineering are used to gain personal information such as passwords, usernames, and credit card information.

Baiting and Quid Pro Quo

• Baiting: the use of infected• physical media (disks, flashdrives,• CD-ROMs) to lure victims into • inserting the infected equipment• into their company computers • thus giving the hacker access • to private information. • Quid Pro Quo (something for something): Hackers call random

numbers at a company claiming to be calling back from technical support. Eventually someone will respond because they had filed a complaint earlier and while the hacker “helps” he/she will steal valuable information.

Spotting Phishing Scams

• The next slide is an example of a phishing scam from a bank. Many Phishing scams have become more sophisticated and may use businesses you’re associated with to get your information. There are various ways to identify an e-mail as a scam. These warning signs are labeled in the picture and will be explained. It is important to be aware of these methods in order to avoid infecting TVA computers when checking your personal e-mail.

Spotting a Phishing Scam

Spotting Phishing Scams

• A- Spoof e-mails may include a forged e-mail address in the “From” line. Some may actually be real e-mail addresses that have been forged.

• B- Many spoof e-mails will begin with a general greeting such as “Dear Washington Mutual Customer” instead of using your actual identification.

• C- Urgency is often implied claiming your account may have been accessed by an unauthorized third party

• D- Many spoof e-mails will try to deceive you with the threat that you account is in jeopardy and if you fail to verify or confirm your personal information your account will be suspended.

• E- Keep in mind that while many emails may contain links to use to verify information these links may be forged as well

• F- Requests that you enter sensitive personal information such as a user ID, password, or bank account number by clicking on a link or completing a form within the e-mail are clear indicators of a scam. TVA will NEVER ask for personal information through e-mail.

More on Prevention• Never trust e-mails or text messages • from people you do not know• Listen closely to phone calls.• Does it sound legitimate? IT • personnel will not need your • password or other personal information• in order to fix any of your issues.• Protect your computer by constantly• updating your antivirus protection• Never insert any hardware not• approved by TVA into the systems • (flash drives, chargers, ect)• Use unique passwords• Change passwords frequently

Safe Internet Practice

• Many times phishing attempts may direct you to a fake website for in order to gain information. Also, you may encounter a fake website while using a search system like Google. There are multiple ways to identify websites as potentially fake or dangerous. An example picture is provided on the next slide.

Fake Websites• G – Legitimate websites maintain current certificates for

secure pages. To authenticate the sites secure web page follow these steps:• Look at the padlock in the lower right corner of your browser• Look at the address window above, the letters https:// should

appear in front of the address of the forms screen.• On the secure web page click on the file menu and go to

properties• Click on the button at the bottom of the screen called

certificates – it should include the web address with which the security certificate was issued and the validity dates

What if its too late?

• If you have accidently infected your hardware with a virus or you feel your computer has been hacked while at work contact there are multiple steps to take.’• Contact IT cyber security immediately• Run your virus protection to wipe out any viruses• Change your password

• Call IT Cyber Security at: 423-555-5555