Social Engineering

Social engineering refers to the practice of tricking people into revealing sensitive information such as passwords or credit card numbers. Sometimes it is a lot easier to get someone to tell you their password than it is to figure it out. It involves exploiting trust in one form or another to gain access to information that should normally be protected.

Phishing

The most common form of social engineering in use today is called "phishing", which uses emails masquerading as official correspondence from companies or organizations but which are actually clever (or not-so-clever) fakes designed to trick people into providing sensitive information. Banks, credit card companies, eBay, and similar institutions are the organizations most often impersonated in phishing scams. Well-crafted phishing scams can be difficult to detect, particularly for inexperienced computer users who might miss the subtle clues that reveal the scam's true origin.

Never follow a link from an email to a company asking for a password or other sensitive information. Most reputable companies have policies that explicitly say they will never do this. Such emails are almost always traps designed to take your password and send it to someone else, who will then use it to log in as you and cause all sorts of trouble. If you have any question about whether an email directing you to a website is legitimate, go to the website on your own (do NOT follow the link; type the URL yourself in your browser's address bar or use a bookmark) and sign in through the site or contact customer service. And, of course, if it is a company you do not have a relationship with (like eBay if you do not use eBay), don't go there at all.

Best practices: phishing
Trojans and untrusted binaries

A "trojan" is a generic term for a malicious program hidden inside something that appears innocent. A classic example is a program called "Sexy Ladies" that made the rounds at a computer conference in the mid 1980s; passed eagerly from person to person, it had a suggestive icon which, when clicked, would display a pop-up window that said "your hard disk has been erased, sexist pig!"

These days, trojans are more properly covered by the term "untrusted binaries," meaning a binary (executable) program, usually of unknown origin, that may do something very different, and usually malicious, from what it is advertised as doing. Many of the security problems in Windows and Internet Explorer are related to the downloading and executing of malicious (or at least mischievous) ActiveX controls that install spyware, pop-up ads, keystroke loggers, and other malware onto an insecure system, either without the user's knowledge at all or by masquerading as things like cursor collections, desktop weather pop-ups, browser toolbar tools, and search enhancers. In addition, many of the "peer-to-peer" file sharing services like Kazaa, Gnutella, Morpheus, and so forth are rife with such programs, which masquerade as tools and utilities for cracking or copying copyrighted data (movies, music) but are instead trojans of their own, containing any number of harmful payloads.

Best practices: Trojans and untrusted binaries