"Nobody working for this bank will ever need to ask you what your PIN is. Don't tell ANYBODY your PIN, ever." - That was the most important statement on the envelope which contained my first bank-card that was able to operate ATMs. I still go by that. Even with PCs.

Even back then, when there was no internet around, yet, the bad-guys had invented one of their best weapon. Social engeneering.

It is unbelievable how much people are willing to tell strangers, if they are treated in the right way. No, I am not talking about giving away money for information.

If a caller on the phone is talking enough incomprehensible stuff, we are willing to believe that he really is from the bank's computers-department. And sure, we are willing to help him with our PIN which he needs to fix the problem on their server. And the hesitation we had vanishes quickly after we hear that we can prevent 'data-loss' by doing so.

There are many, very subtle techniques to extract data from people like you and me. The right outfit, or on the telephone even just the right kind of voice will fool us into telling things we would not give away usually.
I received an e-mail which told me that my e-mail adress was being abused, and I should click 'here' to get in contact with the support team at "Support@Waidele.info". If I would fail to do so, "Support@Waidele.info" would deactivate my account.

Well, this was obvious, since I am the only person who is in charge of "Waidele.info". But imagine I had an address like xyz@aol.com or another big provider. I could have been fooled in that moment of surprise. Other scams like this are circulating with bank-accounts, e-bay-accounts, files needed to run windows that should be deleted, and much more.

So: Don't tell your password to anybody. Don't click on links that promise anything. Let them try to deactivate your account. They will only succeed if you help them :)

"I am a signature virus...copy me into your ~/.signature and help me spread"

Have you ever been warned about some very new, high-tech, stealth virus that has infected your friend's friend? Usually these warnings are backed up by some statement from some virus-lab (or IBM, or Microsoft, or...). No real quote, but hey, you believe your friend, don't you? Sometimes you get them from more than one friend.

These virus-warnings are a virus in itself. They propagate by exploiting the user's goodwill and lack of information. The harm that they do is measured in time and bandwith used to write, read and delete the warning. The damage is real!

A wonderfull example of social engeneering in action.

Links

These are copied from one of Sam's posts to [QnA]?:

OUCH:

OUCH! is the first consensus monthly security awareness report for end
users. It shows them what to look for and how to avoid phishing and other
scams plus viruses and other malware -- using the latest attacks as
examples. It also provides pointers to great resources.....
http://www.sans.org/newsletters/ouch/

NewsBites?:

SANS NewsBites? is a weekly high-level executive summary of the most
important news articles that have been published on computer security
during the last week. Each news item is very briefly summarized and
includes a reference on the web for detailed information.....
http://www.sans.org/newsletters/newsbites/

PrivacyBits?:

SANS PrivacyBits? provided a free weekly summary
of news, alerts and other announcements relating to privacy. A brief
summary of each item allows for a quick glance at the issues at hand,
while the included URLs? provide access to more detailed.....
http://www.sans.org/newsletters/privacybits/

Some *nix related items, as well as, windows security stuff is included. I
don't feel it's to OT for us, as we all seem to wear both hats either at
home or work.