Threats
Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware delivery) and phone calls that attempt to gather information which can then be used to gain unauthorized access or privileged knowledge.
A Note About Username and Password Reuse Across Multiple Sites
At salesforce.com, we recognize that there is no finish line when it comes to having a trusted relationship with our customers. The recent exposure of usernames, email addresses and passwords for accessing a prominent media site included some people who may use the same password for their Salesforce accounts (and possibly other online sites). As a courtesy, we have notified those Salesforce users to reset their Salesforce password as a precaution. In addition, here are some recommended best practices for access credentials:
- Don’t use the same username and password for all (or even many) of your online accounts.
- Don’t share your passwords with anybody; don’t write them down or send them via email. Salesforce.com support personnel will never ask you for your password.
- Configure strong password policies such as password strength, aging, and re-use. For more information about passwords and your Salesforce configuration, see the Security Best Practices section of our Trust site at:
https://trust.salesforce.com/trust/security/best_practices/
About Wireless Connection Sniffing and Hijacking
Salesforce provides SSL 3.0/TLS 1.0 encryption (“https”) for login and for all communications between the Salesforce application and the end user’s web browser. This means that even when you log in to Salesforce over an unsecured wireless network, your login credentials and business data are protected from eavesdropping and from session hijacking by tools such as Firesheep, which works by capturing session cookies that sites send over unencrypted HTTP. (SSL 3.0 and TLS 1.0 have since been deprecated; current browsers and servers negotiate TLS 1.2 or later. The protection described here depends on every page of the session, not only the login page, being served over https.)
Along with encrypted connections, Salesforce offers a suite of security features that our customers can configure to their needs, see: Salesforce Best Practices - http://www.trust.salesforce.com/trust/security/best_practices/
We also offer a free AppExchange tool that reviews and recommends improvements to your Salesforce security settings: Security Health Check - http://sites.force.com/appexchange/listingDetail?listingId=a0N300000018mjUEAQ
Phishing and Malware
Don’t become a victim of "phishing," in which Internet criminals set up a Web site that mimics a legitimate site, such as the salesforce.com login page. By following the tips below, you can avoid becoming a victim of such a scam:
- Always look for the "lock" (padlock) icon your browser shows for an https connection (see images below). Older browsers displayed it in the bottom-right corner of the window; current browsers show it in the address bar. The icon only tells you that the connection is encrypted, so also confirm that the address shown is a salesforce.com address.
- Be suspicious of emails that include links to the salesforce.com login page.
Don't click on such links. Instead, always log in to salesforce.com in one of two ways:
(1) Enter “https://www.salesforce.com/login.jsp” in the address field
(2) Click the Customer Login tab from the salesforce.com home page (www.salesforce.com)
- Log in to your Force.com sandbox environment only at the following secure site: https://test.salesforce.com/login.jsp.
Spot suspicious emails
Phishing emails try to trick you into revealing information, often by asking you to “verify” or “update” information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate. One clue is that such messages often contain poor spelling and grammar. However, as scam artists become more sophisticated, their approaches are becoming more varied and their messages are getting better. Another clue to look out for is links whose actual destination does not match the URL of the company they claim to come from.
The example below shows some common phishing tactics, but expect anything … as users catch on to one approach, Internet criminals come up with new ones.
Look out for suspicious links and attachments
Malicious software attacks also come via email, using many of the same tactics as phishing.
These emails include links or attachments that install malicious code—such as programs that capture
keystrokes—on your computer. As users have become wary of attachments with .exe or unknown
extensions, Internet criminals are now using attachments with seemingly innocuous .doc or .pdf
extensions. And most users still readily click on links.
Beware of unusual links.
Watch out for links that contain URLs that look similar to real ones; for example “www.salsforce.com” or “verify-salesforce.com”.
Even if a link looks OK, make sure by entering the company’s URL in the address bar yourself. Phishers can make the visible text of a link look like it goes to one place while the link actually takes you to another site.
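The link checks described above (visible text that does not match the real destination, look-alike hosts such as “www.salsforce.com” or “verify-salesforce.com”, and the brand name tucked inside an unrelated domain) can be automated for a mail gateway or a help-desk triage script. The following Python script is an added example and not Salesforce's own tooling: it pulls the links out of an HTML email body and reports why each one is suspicious. The sample email is constructed for illustration, and the registrable-domain logic is an assumption that holds for .com but not for country-code second-level domains (a production version would use a public-suffix list).

```python
"""Flag suspicious links in an HTML email body (added example, not Salesforce code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "salesforce.com"   # the only domain a real Salesforce login link should use
BRAND = "salesforce"              # brand label to look for inside unrelated domains


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable(host):
    """Naive registrable domain: the last two labels. Assumption: correct for .com,
    wrong for ccSLDs such as example.co.uk (use a public-suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance, used to catch typo-squats such as 'salsforce'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(href, text):
    """Return a list of reasons a link is suspicious (an empty list means it passed)."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()

    if registrable(host) == LEGIT_DOMAIN:
        if url.scheme != "https":
            reasons.append("legitimate host but not https")
    else:
        # Split on dots and hyphens so that "verify-salesforce.com" and
        # "salesforce.com.evil.example" both expose the brand label.
        for label in host.replace("-", ".").split("."):
            if label == BRAND:
                reasons.append(f"brand name inside an unrelated domain: {host}")
                break
            if len(label) >= 6 and levenshtein(label, BRAND) <= 2:
                reasons.append(f"typo-squat of '{BRAND}': {label}")
                break

    # Display-text mismatch: the visible text looks like a URL but points somewhere else.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registrable(shown) != registrable(host):
            reasons.append(f"text shows {shown} but link goes to {host or '(no host)'}")
    return reasons


def scan_email(html):
    """Return [(href, reasons), ...] for every link in the email body."""
    return [(href, classify_link(href, text)) for href, text in extract_links(html)]


# Constructed sample email for illustration; not a real message.
SAMPLE_EMAIL = """
<p>Your account needs verification. Please log in below.</p>
<a href="http://www.salsforce.com/login.jsp">https://www.salesforce.com/login.jsp</a><br>
<a href="https://verify-salesforce.com/">Verify now</a><br>
<a href="https://salesforce.com.evil.example/login">login.salesforce.com</a><br>
<a href="https://login.salesforce.com/">Salesforce login</a>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print("SUSPICIOUS" if reasons else "ok        ", href)
        for reason in reasons:
            print("    -", reason)
```

Only the last link in the sample passes; the first is flagged twice (typo-squatted host and mismatched display text), which is exactly the pattern the page warns about. The script only inspects the link, so a phishing page hosted at a freshly registered, unrelated domain with neutral anchor text still slips through; that is why the advice to type the login URL yourself stands.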
Report suspicious emails
If you receive a suspicious email that involves the salesforce.com brand, submit a report: https://trust.salesforce.com/trust/security/reportsecurityissue/
Suspicious phone calls
Several customers have reported receiving phone calls from persons who misrepresent themselves as employees or agents of salesforce.com. Some of these callers are attempting to steal your salesforce.com credentials, an illegal practice known as “social engineering.” Here’s how it typically works:
- A caller identifies companies that use salesforce.com by searching public job postings, etc.
- The caller contacts the customer’s main switchboard and asks for the person responsible for salesforce.com or the salesforce.com administrator. The caller may claim to offer a “new version of salesforce.com.”
- The caller asks for login credentials to “install improvements” or perform other activities in the customer’s org.
What you need to do:
- Remind your users that salesforce.com employees will not ask for usernames or passwords.
- If one of your users discloses his or her login credentials, reset that person’s password immediately and alert us: security@salesforce.com
- If a caller identifies himself or herself as a salesforce.com employee and you do not recognize the name, ask for a call-back number and email address. Then call our 1-800-NO-SOFTWARE (1-800-667-6389) number to verify whether the caller is a salesforce.com employee.
H1N1 Virus Precautions
The World Health Organization has officially designated the H1N1 virus a pandemic. We thought you might want to know what salesforce.com is doing to ensure employee safety and service continuity.
Salesforce.com has implemented a pandemic preparedness plan, which was created and validated by International SOS, the world’s leading provider of medical assistance, international healthcare, security, and travel services. The plan enables employees to respond effectively and efficiently to a pandemic, using a phased approach, so that essential operations are maintained and transmission of the pandemic virus is reduced among employees, customers, and partners.
Customers seeking more information should request a detailed briefing through their account representative.
The above information regarding the H1N1 pandemic preparedness plan is intended for informational purposes only. Salesforce.com has endeavored to provide information that is accurate as of the dissemination date of this document. The procedures and policies described above may change from time to time.
Recent Phishing Scams
Phishing scams use fraudulent emails to get users to reveal confidential information. Such emails
typically look as though they come from a legitimate organization and may contain links to what appears
to be that organization's site, but actually link to a fake site designed to capture information.
As these scams get more sophisticated, it can be tough knowing whether an email is real or
fake. The best way to avoid being tricked is knowing what to look for: Read our
security letter for actions you can take to prevent phishing.
So don’t fall for phishing ... check out these examples of recent scams:
Click on a date below for details on the latest threats:
