The United States Computer Emergency Readiness Team issued Security Tip ST04-014 on avoiding social engineering and phishing attacks.
A social engineering attack is when an attacker uses a human interaction to obtain information about an organization and its computer systems. The attacker appears benign, such as a new employee or maintenance or third party worker. The individual infiltrates the company to obtain information.
A phishing attack uses email or websites to solicit personal information, usually when posing as a trustworthy organization. Phishing attacks usually appear to come from legitimate individuals or organizations, but are scams.
US-CERT urges individuals to be suspicious of unsolicited messages and requests for internal information. It also advises against revealing personal or financial information over the Internet or in email, particularly if an email or website is not verified.
Victims of social engineering or phishing should report the incident within the organization and possibly to law enforcement officials.
The full Security Tip can be accessed here.
