Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls attempting to gather information that can be used to gain unauthorized access or privileged knowledge.
Don't become a victim of "phishing," in which Internet criminals set up a Web site that mimics a legitimate site, such as the salesforce.com login page. By following the tips below, you can avoid becoming a victim of such a scam:
Phishing emails try to trick you into revealing information, often by asking you to "verify" or "update" information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate.
One clue is that such messages often contain poor spelling and grammar. However, as scam artists become more sophisticated, their approaches are becoming more varied and their messages are they claim to come from.
The example below shows some common phishing tactics, but expect anything - as users catch on to one approach, Internet criminals come up with new ones.
Malicious software attacks also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—such as programs that capture keystrokes—on your computer. As users have become wary of attachments with .exe or unknown extensions, Internet criminals are now using attachments with seemingly innocuous .doc or .pdf extensions. And most users still readily click on links.
|Beware of unusual links.|
|Watch out for links that contain URLs that look similar to real ones; for example "www.salsforce.com" or "verify-salesforce.com".|
|Even if a link looks OK, make sure by entering the company's URL in the in the address bar yourself. Phishers can make links look like they go to one place while taking you to another site.|
If you receive a suspicious email that involves the salesforce.com brand, submit a report: https://trust.salesforce.com/trust/security/reportsecurityissue/
Several customers have reported receiving phone calls from persons who misrepresent themselves as employees or agents of salesforce.com. Some of these callers are attempting to steal your salesforce.com credentials - an illegal practice known as "social engineering".
Here's how it typically works:
What you need to do:
Salesforce provides TLS encryption (https) for login and communications between the Salesforce application and the end user's web browser. This means that even when you login to Salesforce over an unsecured wireless network, your login credentials and business data are protected from hijacking by such tools as Firesheep.
Along with encrypted connections, Salesforce offers a suite of security features that our customers can configure to their needs, see: Salesforce Best Practices - http://www.trust.salesforce.com/trust/security/best_practices/
We also offer a free AppExchange tool that reviews and recommends improvements to your Salesforce security settings: Security Health Check - http://sites.force.com/appexchange/listingDetail?listingId=a0N300000018mjUEAQ