- Emails or web links that ask for passwords, Social Security Numbers, credit card numbers or other information. (known as "phishing" scams).
- Email attachments that install "trojan horse" programs onto your computer.
- Scam emails that ask you to send money (usually with some offer of significant return on investment.)
- Unexpected CDs or floppy disks given or sent to you that contain programs designed to infiltrate your computer.
These scams are designed to look as legitimate as possible, often using the names of well-known companies or organizations and compelling "stories" in their deception. Here are some general guidelines to avoid being caught like a "phish".
- Don't open attachments you aren't expecting! If you have any doubt, don't click! If in doubt, send your inquiry to Security@NERSC.gov or call 800 66-NERSC.
- Knowing the sender of an email is not proof that the email is legitimate. The name of the sender is often forged into the email. If you get unexpected email from someone you know and the content seems out of character, contact them to see if it is real.
- If you get a warning about a new virus that doesn't come from a trusted NERSC source, don't forward it --- it's almost certainly a hoax. Report the incident to Security@NERSC.gov or call 800 66-NERSC.
- Don't fall for phishing! NERSC will never ask you for your password via email or on the phone --- neither will any other reputable company. Always look at the URL of the link in the email, make sure it directs you to the site you expect.
- Don't use "free" CDs or other media, including USB memory sticks, unless you are sure they came from a legitimate source. Remember, many computers 'autorun' CDs, so even putting CD into the computer can spread an infection.
- Be cautious when using computers other than your own. Every machine you enter your password on is a possible means by which your password will be stolen. Be especially aware of using shared-use computers in places like university computer labs, cyber cafes, conferences, and hotels. If you have any doubt, change your password when you return or refrain from entering it on untrusted systems.
Some examples of sophisticated social engineering techniques that have been directed at DOE labs include:
- CDs sent by mail that contained the DOE logo and promised information about DOE Policies and Procedures --- and actually contained sophisticated malicious code.
- PDF files that appeared to come from site publications offering the chance to be featured in a site newsletter. They actually exploited an Acrobat vulnerability.
- Attempts to gain password information by contacting employees by email or by phone and pretending to be local help desk personnel.
If you ever suspect that you have been targeted by an attack like this, immediately report it to Security@NERSC.gov or call 800 66-NERSC. Err on the side of caution. If you're ever in doubt about the authenticity of anything you receive and you can't just safely delete it, then ask for help.