Term used among hackers and security professionals for techniques that rely on weaknesses in people rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.
Dumpster Diving- A huge amount of information can be collected through company dumpsters and trash.
Examples include: Company phone books, organizational charts, memos, company policy manuals, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.
Impersonation- A repairman, trusted third party, fellow employee, anyone in uniform.
Example: the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him, dressed in corporate uniform, fake ID…
• E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.
• He or she (the victim) is motivated to open the message because it appears to: • Offer useful information, such as security notices or verification of a purchase • Promise a diversion, such as jokes, gossip, cartoons or photographs. • Give away something for nothing, such as music, videos or software downloads.
Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
Don't send or provide sensitive information over the Internet, over the phone, or in person before checking authenticity.
Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
If you are unsure whether an email or “snail mail” request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request.