The Internet is built on anonymity, and that makes it easy for cybercriminals to masquerade as anyone or anything. To avoid becoming their next victim of a social engineering attack, you must learn to filter through the available clues and make the right decisions. To help you do just that, here are the top 5 reasons that otherwise sensible people fall victim to social engineering attacks.
1. The link or attachment came from someone I know.
Email addresses can be easily faked (spoofed). And if the person's computer is infected, the infection - and not the person - could be sending the message from their computer. Don't determine the legitimacy of a link simply based on its coming from someone you know. If you receive a link from someone unexpectedly, assume it is malicious unless proven otherwise. Ask them if they intended to send it. You can also make judgement calls based on the wording of the email or IM - does it read like something the person you know might be expected to send?
2. The link was posted to a forum that I know and trust.
Anyone who runs a forum also runs a constant battle against spammers. Even the best forum host can have malicious links posted. Forum members whose computers are infected can also have malicious links embedded in any replies to posts that they may make. Don't assume a link is legitimate simply because it's posted in a forum you trust. Before following a link posted to a forum, ask the other members for their own experience with the link or send a message to the forum host asking them to check it out.
3. The link points to a video I really want to see.
When it comes to videos, stick to tried and true sites such as YouTube. Attackers commonly disguise trojans as "upgrades" to Flash or QuickTime or some other video codec. If you visit a site and it tells you that you need to update your video player, be suspicious. If you're able to view videos normally on other sites, assume that the site instructing you to update is a malicious website. If you still believe the update requirement is legitimate, visit the update site directly - don't accept the update from the website you are on. Note that if you're a Firefox user with NoScript, you may be receiving the message simply because you need to temporarily allow the site(s) in question.
4. The link is from a breaking news alert from Google / CNN / MSNBC, etc.
Like email addresses, breaking news alerts can be easily spoofed. Remember, an email message is nothing but typed words. Anyone can compose an email that reads as if it is from Google, CNN, MSNBC, or any other reputable news outlet. If you receive a breaking news alert and the link points to a site that instructs you to install a viewer or some other software, assume the website is malicious until proven otherwise.
5. The link / attachment came from an official government / law enforcement agency.
Unless you have a pre-established email relationship with personnel from government or law enforcement, you'll almost certainly never receive any email from such an agency instructing you to do anything. After all, email can be easily faked, and both the government and law enforcement would be anxious to correspond only in an officially acceptable and legally valid manner. In other words, if you get an IRS tax refund notice via email, consider it a scam. If there are lingering doubts, call your local branch of that agency for confirmation.