Cyber Security Glossary
In order to be safe on the internet, it is important to have a certain awareness of the dangers and some basic knowledge. However, the world of cyber security uses a multitude of terms that are not commonly known. For this reason, we have put together an overview of the most common technical terms and their explanations for you.
In an investment scam (also called "cyber trading fraud"), potential investors are lured into paying money online for supposedly lucrative investment deals. Victims are targeted via online advertising, social networks, phone calls or mass e-mails. The design of these (fake) investment platforms is often highly professional and creates the impression of high profits in order to lure victims into making further payments. In reality, the money paid by the victims/investors is not invested but disappears into the criminal network.
A tech support scam (often in the form of a "Microsoft support scam") is a type of phone scam in which the scammer pretends to work for an IT company. Usually, users of Microsoft Windows (more rarely also macOS) are targeted with such calls. Contact with potential victims is made either via an unsolicited phone call from the fraudster (who disguises their number by caller ID spoofing), or the victim is tricked into calling the fraudster, e.g. by an intimidating pop-up in the web browser prompting the victim to call the "support".
The criminals usually try to gain remote access to the victim's computer. Once the fraudsters have access, they try to trick the victim into paying to have alleged "computer problems" fixed or for allegedly necessary security software or updates.
The term “phishing” is a combination of “password” and “fishing” and describes a fraudulent attempt to steal (i.e. “phish”) user data such as login credentials, credit card information, etc.
In doing so, the fraudster pretends to be someone else and often uses forged e-mail addresses or phone numbers to make their (fraudulent) story appear more credible. The goal of a phishing attack is usually to trick you into disclosing sensitive personal or confidential information. This information is then used for further criminal activities, such as identity theft or stealing money.
Example: An attacker poses as a bank employee and asks the victim to authorize an “important” transaction, to activate a new device for s Identity (a device belonging to the attacker) or to hand over other sensitive information.
In this type of fraud, scammers create fake profiles on social media and internet dating sites and pretend to be in love with the victim in order to ultimately obtain financial benefits from them.
Caller ID spoofing is a form of telephone fraud where someone masks their caller ID so that the call appears to be coming from a different number. This can be used fraudulently to mislead the call recipient into thinking a call is coming from a specific company or region, while in reality it originates from a criminal actor.
The term “malware” is a combination of “malicious” and “software” and describes malicious software that is used to damage an IT system such as a computer or a smartphone. Usually, this is done for harmful purposes such as abusing a victim’s computer or gaining access to personal information and data.
A password is used to prove one's identity and to grant access to an IT system only to authorized users. A password must always be kept secret, and a serious company will never ask you for your password via the phone or via e-mail. Also, a user must take care never to enter their password on fake login sites or in fraudulent apps, as this would give an attacker knowledge of it.
A good password should consist of upper and lower case letters, digits and special characters. In most cases the rule of thumb "the longer a password, the safer it is" holds true. It is good practice to change it from time to time, and in any case after an assumed leak of the password.
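The rules in the entry above can be checked mechanically. The following Python function is an added example written for this glossary; it is not code from Erste Bank or Sparkasse. It reports which character classes a candidate password is missing, whether it reaches an assumed minimum length of 12 characters, and whether it appears in a constructed list standing in for passwords known from a leak (the list entries are placeholders, not real leaked data).

```python
import string

# Constructed placeholder list standing in for passwords known from an assumed leak.
# In practice this would be a large list or a breach-check service; these are NOT real leaked values.
LEAKED_PASSWORDS = {"Password123!", "Sommer2024!", "Welcome1!"}

# Assumed minimum length; the glossary only says "the longer the safer", the number is our choice.
MIN_LENGTH = 12


def check_password(password: str, min_length: int = MIN_LENGTH) -> dict:
    """Check a candidate password against the glossary's rules.

    Returns a dict with:
      length_ok       - password has at least min_length characters
      missing_classes - character classes (lowercase, uppercase, digit, special) not present
      known_leaked    - password is in the leaked-password list
      acceptable      - all of the above are satisfied
    """
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    result = {
        "length_ok": len(password) >= min_length,
        "missing_classes": missing,
        "known_leaked": password in LEAKED_PASSWORDS,
    }
    result["acceptable"] = result["length_ok"] and not missing and not result["known_leaked"]
    return result


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery", "Password123!", "Blue-Tram!Sunday7"):
        print(candidate, "->", check_password(candidate))
```

Note that a password can satisfy every composition rule and still be rejected because it is already known from a leak; that is why the entry recommends changing a password after an assumed leak, regardless of how complex it is.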
Personal Identification Number, which is used by a user to identify themselves.
s Identity is a dedicated smartphone app from Erste Bank and Sparkassen which is used to authorize logins and transactions or orders in George. Further information can be found here.
A TransAction Number (TAN) is a one-time code used, for example, to confirm a transaction.
The "SSID" is the name used to identify a Wi-Fi network. Be cautious when using unknown (especially unencrypted) Wi-Fi networks, as someone could eavesdrop on or even manipulate the traffic in this network.
A password manager (or password safe) is a computer program that can be used to store passwords, PINs or other secret information in encrypted form, e.g. for your bank account, e-mail and social media accounts, smartphone PINs, etc. It is a great help for generating distinct, long and complex passwords and allows a user to safely access all passwords with a single (ideally strong) master password.
Encryption is a method to securely transmit and store confidential data and information. For example, access to our websites such as sparkasse.at is (TLS-)encrypted, and all data between your device and our servers is protected against unauthorized access by outside actors.
The term credentials is often used to describe a pair consisting of a user name and the corresponding password. (Access) credentials must be kept secret and never be shared with anyone else. We (and other serious companies) will never ask you for your credentials, neither for passwords, PINs, TANs nor access codes.
A user needs at least two proofs of identity to get access to a system. Example: a password and additionally a TAN.
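The two entries above (a TAN as a one-time code, and a login that requires a password plus a TAN) can be illustrated with a small login check. The Python below is an added example for this glossary and is not the bank's login system: the users, TAN store and login flow are hypothetical and kept in memory. It shows the two properties that matter: both proofs must be correct, and a TAN is consumed by its first use, so a captured TAN cannot be replayed.

```python
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user store does not directly reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class TwoFactorLogin:
    """Hypothetical in-memory login service requiring a password and a one-time TAN."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, password hash)
        self.pending_tans: dict[str, str] = {}            # username -> TAN valid for one use

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def issue_tan(self, username: str) -> str:
        # A fresh 6-digit code; issuing a new one replaces any unused earlier code.
        tan = f"{secrets.randbelow(10**6):06d}"
        self.pending_tans[username] = tan
        return tan

    def login(self, username: str, password: str, tan: str) -> bool:
        """Return True only if BOTH the password and the current one-time TAN are correct."""
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored_hash = record
        password_ok = hmac.compare_digest(_hash_password(password, salt), stored_hash)
        # The TAN is removed on any attempt, successful or not: it is one-time by construction.
        expected = self.pending_tans.pop(username, None)
        tan_ok = expected is not None and hmac.compare_digest(expected, tan)
        return password_ok and tan_ok


if __name__ == "__main__":
    service = TwoFactorLogin()
    service.register("alice", "Blue-Tram!Sunday7")      # constructed sample account
    code = service.issue_tan("alice")
    print("first use:", service.login("alice", "Blue-Tram!Sunday7", code))   # True
    print("replay:   ", service.login("alice", "Blue-Tram!Sunday7", code))   # False, TAN already used
```

The constant-time comparisons (`hmac.compare_digest`) are a detail a real service needs so that response timing does not leak how much of a guess was correct; the one-time behaviour comes from `pop`, which discards the TAN on the first attempt regardless of outcome.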
TLS (Transport Layer Security, often also referred to as SSL) is a technical term for the encryption of network traffic between a user device and a web service/server.
Thanks to TLS, the traffic (data flow) from your computer's browser to our banking server is encrypted. Unauthorized access to or manipulation of the traffic is effectively prevented by this method.
An encrypted connection can be recognized by the closed padlock symbol in the address bar of your browser.
The term “domain” describes a unique, chosen name under which an internet site can be reached. There are so-called top-level domains such as .at or .com, under which a domain is located. Major domains of Erste Bank and Sparkasse are sparkasse.at, erstebank.at and george.at.
In short, the domain is the part of the URL directly in front of the first “/” that follows “https://” – and it is the most important part, as it tells your browser which website (and server) it should connect to. The part after that “/” tells the server which page on the server you are actually looking for. Further details can be found in our Security Center.
Attention: A very common fraud attempt is to mimic websites of well-known companies with a similar-looking domain name and an imitation of the original design. This is often used in phishing attacks, where victims are tricked into entering their login credentials (username, password) on a fraudulent webpage.
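The rule "only the part in front of the first slash counts" can be applied by a program just as a careful reader applies it by eye. The Python below is an added example for this glossary (not code from Erste Bank, Sparkasse or the Security Center). It extracts the host from a URL with the standard library, checks it against the three domains named above, and flags addresses that merely contain a brand word (including the `user@host` trick, where the text before the `@` is not the host at all). The example URLs are constructed; the `.example` domains are reserved placeholders, not real sites.

```python
from typing import Optional
from urllib.parse import urlsplit

# Domains named in the glossary entry above.
TRUSTED_DOMAINS = ("sparkasse.at", "erstebank.at", "george.at")
# Brand words derived from those domains; used to spot lookalike addresses.
BRAND_LABELS = tuple(d.split(".")[0] for d in TRUSTED_DOMAINS)


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would connect to, or None if the URL has no host.

    urlsplit().hostname drops the scheme, any 'user:pass@' prefix, the port and the path,
    and lower-cases the result, so it is exactly the part the glossary calls the domain.
    """
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def classify_url(url: str) -> str:
    """Classify a URL as 'trusted', 'lookalike', 'unrelated' or 'invalid'."""
    host = hostname_of(url)
    if host is None:
        return "invalid"
    # A trusted domain itself, or any subdomain of it (the leading dot prevents 'xsparkasse.at').
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # Brand word present anywhere in the authority part (host or a misleading 'user@' prefix),
    # but the real host is not one of ours: treat as a lookalike.
    authority = urlsplit(url).netloc.lower()
    if any(label in authority for label in BRAND_LABELS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in (
        "https://george.sparkasse.at/login",
        "https://sparkasse.at.login-secure.example/",
        "https://sparkasse.at@evil.example/login",
        "https://example.com/sparkasse.at/login",
    ):
        print(f"{classify_url(sample):10} {sample}  (host = {hostname_of(sample)})")
```

The fourth sample shows the other half of the entry's point: a brand name in the path (after the first slash) says nothing about which server is contacted, so the function reports only the host, `example.com`, and classifies the URL as unrelated rather than as one of our sites.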
Ransomware is a special kind of "malware" (malicious software) that encrypts a victim’s data, usually in combination with a ransom note offering the (secret) key needed to decrypt the data if the victim pays a ransom to the attacker. Often ransomware criminals also exfiltrate data and threaten to leak or sell the stolen data, increasing the potential damage for the victim.
Computer programs that aggressively display (often unwanted) advertisements. Adware is often installed unknowingly together with other software. Therefore, keep an eye on what software is installed on your computer or smartphone.
Malvertising is a combination of “malware” and “advertising” and describes mainly two fraud techniques that make use of (online) advertising:
1) Attackers can use paid ads in search engine results to promote and distribute malware. Example: You search for “download office” in a search engine and are presented with an ad that offers a malicious app for download. Therefore, take care when clicking on banners or paid search ads, as these could also originate from a malicious actor.
2) The injection of malware (e.g. via malicious JavaScript) into online advertising banners or ad networks. This way, a legitimate website that loads ads from an ad network can be abused to deliver malware to its visitors without even knowing it.
The security goal “Availability” ensures that services, systems, data etc. are available for usage.
The security goal “Integrity” ensures that services, systems, data, etc. are trustable, authentic, unchanged and contain the right information.
The security goal “Confidentiality” ensures that services, systems, data, etc. are accessed (e.g. read, manipulated) only by people who are allowed to do so.
A flaw in an IT system can, for example, be caused by implementation errors. A security flaw creates the risk of the vulnerability being exploited. It’s important to install (security) updates, since these usually close known vulnerabilities.
Unwanted messages, mostly consisting of advertisements. Spam messages can also be used by an attacker to spread malware or to perform phishing attacks.
A targeted version of phishing. Here, the attacker spends more time on research before performing the attack on a rather small or specifically targeted group of people. Example: CEO fraud.
Software that extracts information about a user or a device while trying to stay hidden.
Example: a browser extension that claims to notify you of soccer results while in reality collecting and sending your browser history to an internet-advertising company.
The term trojan describes a special kind of malware that is often hidden within seemingly legitimate software. In short, it is a piece of software that enables unauthorized, often unnoticed interception of network traffic, spying on personal data or even remotely operating a computer or smartphone.
Attention: Only install software that you really need and take care that it comes from trusted sources.
Authentication is the process of verifying one’s identity. Users identify themselves e.g. via a document such as a passport or with a combination of a (unique) username and a password, PIN or TAN.