Key Terms & Definitions
We recognize that if you are not sure of what something means, cybersecurity can be confusing. To help you be more comfortable and confident, here are some of the more common scams and terms you may encounter.
Phishing
Phishing is a common trick bad guys use to "fish" for consumers' financial information and password data using fake company emails and web sites. The sites ask consumers to enter current financial and personal information such as user IDs, Social Security numbers, bank or credit card account numbers and ATM passwords.
SMiShing
This is the text, or SMS messaging, counterpart to phishing. In a similar fashion, bad guys text consumers, directing them to counterfeit websites in an attempt to get their personal information.
Spoofing
Spoofing is when your caller ID displays a phone number that is not the actual number of the person calling you. Bad guys may use numbers you may recognize to try to get you to answer the phone. They may trick caller ID to show a company phone number, a number like yours or even your own number. Their goal is to make you think it's legitimate, so you answer the phone, or text, opening the door for their scam.
Slamming and Cramming
These types of fraud both involve unauthorized changes to customers' phone service. Scammers will call and misrepresent themselves to customers and ask questions about their account information.
International Area Code Scam
In this scam, consumers usually receive a message telling them to call a phone number with an 809, 284 or 876 area code in order to collect a prize or find out information about a sick relative. The area code is actually for a number outside the United States, often in Canada or the Caribbean, which charges the customer for placing the call.
Email Viruses, Worms and Malware
Viruses, worms and malware are computer programs that may arrive in an email attachment and can be destructive to computers. Bad guys can hide these things in attachments or web links, activating as soon as the customer opens the file.
Know the Terms
This glossary defines common terms used in fraud and cybersecurity:
APT (Advanced Persistent Threat):
A targeted attack that penetrates a network without detection and maintains access for a period of time, all while monitoring information or stealing resources. APTs may continue for years.
Authentication:
The process of confirming the identity of a user, most often with a username and password.
Black Hat Hacker:
An individual with extensive computer skills who uses them to breach the security of companies for malicious purposes.
Botnet:
A large number of compromised computers unknowingly used to create and send spam or viruses, or flood a network with messages such as in a distributed denial of service (DDoS) attack.
Botnet Management:
Command and control tools that allow hacker groups to manage huge numbers of compromised systems.
Brute Force:
Guessing character combinations manually or using software (like scripts or bots) to discover login and password information until the correct one is found.
BYOD (Bring Your Own Device):
Bring-your-own-device is a business practice of permitting employees to use their own devices — computers, smartphones, tablets, or other devices — for work.
Dark Web:
The area of the internet that is hidden from search engines, accessible only via a special web browser. This is the marketplace for illicit items or services.
Data Mining:
A technique used to analyze existing data for enhanced value.
DDoS (Distributed Denial of Service):
A type of attack that makes an online service unavailable by overwhelming it with traffic from multiple compromised systems.
Defense In-Depth:
The approach of using multiple layers of security to maintain protection after failure of a single security component.
Doxing, Doxxing:
Broadcasting personal information about a person or group, usually done by internet vigilantes or hacktivists. The term comes from "dropping dox" using the slang term for .DOCX, the file extension used by Microsoft Word.
Encryption:
Translating data into unreadable code to keep that data private. See Public Key Encryption for more information.
Exfiltrated Data:
Illegal transfer of an organization’s data as the result of a cyberbreach.
Firewall:
A hardware or software system that blocks unauthorized traffic from entering (or leaving) a network.
Firmware:
The foundational software programmed into devices that gives those devices instructions on how to work.
Forensics:
The practice of collecting, analyzing and reporting on data for use in the detection and prevention of a breach.
Gray Hat Hacker:
Ethically between a black hat and white hat hacker, a gray hat hacker exploits system vulnerabilities, which is technically illegal. They do not hack for criminal purposes, but instead may offer to close the security gap for a fee.
Hacktivist:
Hacker or group that breaches systems for political, rather than monetary, gain.
Illegal Porting:
Porting is transferring a phone number to a different carrier. Bad guys use illegal porting to steal a person's mobile phone number and transfer it to a device they control. They do this in order to intercept text-authentication messages from your bank, credit card issuer or other companies. Once the bad guy has your number, he will get authentication messages like PIN codes and can use them to get access to your accounts.
IMEI:
The International Mobile Equipment Identity is a unique number assigned to every phone to identify that specific device.
Internet Protocol (IP) Address:
A unique number assigned to every device on a network, such as a computer, phone or printer.
IoT (Internet of Things):
Connection of everyday objects with embedded electronics, from smartwatches to pet collars to cars, with each other across modern networks.
Keystroke Logger, Keylogger:
Surveillance software that records every keystroke, including usernames and passwords.
Machine Learning:
An area of artificial intelligence that focuses on computer programs teaching themselves to uncover ever-more complex cyberthreats.
Machine-to-machine (M2M):
Any direct interaction over any network of electronically enabled devices, with no human involvement in the communications loop.
Malware:
A generic term for a number of different types of malicious software. It may be delivered via a virus, an email, or a compromised webpage.
Man-in-the-middle:
An attacker who secretly intercepts and possibly modifies messages between two parties.
Multifactor Authentication (MFA):
A method of verifying a user’s identity that relies on more than one set of security credentials.
One-Time PIN:
A one-time PIN (OTP) is a unique number generated as part of the authentication process to confirm identity before allowing access to an account. You should never share a one-time PIN.
Out of Wallet (sometimes abbreviated as OOW):
Private, personal data used to protect against identity theft as part of a knowledge-based authentication process.
Packet:
A piece of a message transmitted over a packet-switching network. One of the key features of a packet is that it contains the destination address in addition to the data.
Penetration (Pen) Test:
An in-depth test to identify and patch vulnerabilities in an organization’s networks and IT.
Phishing:
Social engineering through emails using known information about the target to acquire other data such as user names, passwords, or financial information.
PIN:
Personal Identification Number is a unique number connected to an account user or owner. You should never share a PIN.
Porting:
Porting allows customers to take their phone number with them when they change phone carriers. The law requires carriers to comply with a request to port a number if the person making the request provides accurate information. Many companies will call or text customers to confirm their identity.
Public Key:
The publicly-disclosed component of a pair of cryptographic keys used for asymmetric cryptography.
Public Key Encryption:
Encryption system that uses two mathematical "keys." One, the public key, is known to everyone and used to encrypt a message. The second, the private key, is known only to the recipient and used to decrypt a message.
Ransomware:
A type of malware that restricts access to data and demands that a payment be made to the attacker to restore access.
Robocalls:
A robocall is a phone call initiated by a computerized auto dialer or a call that delivers a pre-recorded message. Some are allowed, including those that you consent to receive, like weather updates from your school district. But some are part of illegal calling schemes that can involve fraud.
Rogue Wi-Fi Hotspot:
An unsecured Wi-Fi network, often created by bad actors to steal or compromise sensitive data. The risk from these networks is easily avoided by using VPNs and end-to-end security.
Secure Website:
Ensure that a website is secure by checking whether there is an "s" after the "http" in the address and a lock icon at the bottom of the screen. The URL or domain name should begin with "https", the "s" signifying a secure site.
Security Token:
An electronic "key" used to prove an individual's identity in order to allow access to restricted information or accounts. A security token can be used in addition to or in place of a password.
SIM Card:
A SIM card is a small chip in your phone that acts as the connection between your account and the device. Your phone uses a SIM card to connect with the mobile network. Through the SIM connection, your mobile service provider links the phone to your number and account.
SIM Swap:
A SIM Swap is a scam that bad guys use to hijack your mobile phone number. If successful, this scam will deactivate your device, sending your calls and texts to a device the bad guy has. With that, the bad guy will receive any authentication messages from accounts tied to your phone and can gain access to your accounts, personal data, and financial information.
Short Code:
A special short phone number (typically 4-6 digits) used primarily for text messaging. Short codes are assigned to users and require special registration, making them generally more trustworthy than traditional phone numbers.
Social Engineering:
The old con game of convincing you that the other party is someone you can trust or believe, in order to gain your confidence. They then obtain information from you that they can use to scam you or someone else.
Spear Phishing:
An email scam that uses social engineering to steal information or install malicious software on a system.
Two-Factor Authentication:
A method used to improve security by requiring two separate items for access to a resource. These are usually drawn from something the user knows (a password or PIN), something the user has (an access card) and something the user is (a fingerprint or retina scan).
Trojan, Trojan Horse:
Malware that appears to be a benign, useful application to encourage users to run the program, which installs a destructive payload.
Username:
The first element of standard "username+password" log-in credentials. To strengthen security, create a unique username for each online and digital account.
White Hat Hacker:
Computer security expert who penetrates networks to warn companies of gaps a malicious attacker could exploit. They are often employed by the companies themselves to test the durability of their systems.
Zero-day Attack, Zero-day Exploit:
A cyberattack that exploits a weakness not seen before, so no defense or fix is yet available for it.