messages often look professional and seem to come from legitimate addresses, but the links they contain take you to the hacker's replica.

Figure 15-3: A typical phishing e-mail.

REMEMBER: Most legitimate Web sites never ask you for your personal information by e-mail or instant message. After all, why would they need to? They already have your information. Powerhouses like eBay don't take chances on losing user information: They back it up several times over in their own databases. And, I'm sorry, but you probably didn't win a contest. (Did you even enter one?)

Being anti-social isn't such a bad thing

I spend most of this chapter - and most of my programming career - examining the technical ways in which your online security can be violated. However, studies have shown that hackers often don't need complex algorithms and supercomputers; all they need is a telephone and a friendly voice. In an increasingly popular attack called social engineering, hackers call up their would-be victims and cajole the needed information out of them. Sometimes they say they're from your Internet Service Provider (ISP) and that they need your password or your Internet will be disconnected. Other times they claim they're calling on behalf of the bank or a popular site such as eBay. Whatever the guise, the end game is always the same: convince you to divulge your personal information to a stranger who sounds friendly and authoritative.

What makes social engineering scary is that the best computer tools aren't going to protect you. What makes it scarier is that even if you are aware of this attack and know not to fall for it, your private information can still be socially engineered out of those you entrust to protect it. That's because hackers don't just play the ISP or the bank in this sick charade; sometimes they call your ISP or bank and play you. In this scenario, the hacker doesn't play the friendly, authoritative company official. He plays the angry, exasperated user whose password is being rejected online. The hope is that if he acts frustrated enough, the company will divulge or reset your password even though the hacker can't properly verify his (your!) identity.

The best way to protect yourself against social engineering is to be aware of the scheme and to ensure that the companies who hold the keys to your identity, such as your ISP and your bank, are also aware. Confirm that your ISP's and bank's policies forbid employees from divulging your information over the phone or by e-mail to people who can't authenticate themselves, no matter how frustrated or angry they get.

If you get an e-mail asking for your personal information, delete it. If you want to be sure you're doing the right thing, contact the company by using the contact information you find in Table 15-1 or on its Web site. (And get there by typing in the company address, of course - don't click the e-mail link!)

Table 15-1: Companies Most Frequently Targeted by Phishers

Company Name              Contact Info to Report a Scam
America Online (AOL)      abuse@aol.com
Citibank                  emailspoof@citigroup.com
eBay                      spoof@ebay.com
PayPal                    spoof@paypal.com
SunTrust                  abuse@suntrust.com
U.S. Bank                 fraud_help@usbank.com
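The trick the chapter describes, a link whose visible text names the real site while its href quietly points at the replica, can be checked mechanically before anyone clicks. The Python below is an added example, not code from the book; the HTML body it scans is a constructed sample and every host name in it is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches something that looks like a domain (optionally with a scheme) in link text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _registrable(host):
    # Crude: keep the last two labels ("www.paypal.com" -> "paypal.com").
    return ".".join(host.lower().split(".")[-2:])

def find_suspicious_links(html):
    """Return (href, text, reason) for links whose text and target disagree."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            findings.append((href, text, "link target is a bare IP address"))
            continue
        m = DOMAIN_RE.search(text)
        if m and _registrable(m.group(1)) != _registrable(host):
            findings.append((href, text, "visible text names a different site"))
    return findings

# Constructed sample e-mail body; all hosts are placeholders.
SAMPLE = """<p>Your account is suspended. Log in at
<a href="http://secure-login.example.net/ebay">https://www.ebay.com/signin</a>
or <a href="http://198.51.100.7/verify">click here</a>.
Questions? See <a href="https://www.ebay.com/help">www.ebay.com/help</a>.</p>"""
```

Running find_suspicious_links(SAMPLE) flags the first two links and leaves the third alone, because its text and target agree.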