Security Alerts

As a valued salesforce.com customer, the security of your Salesforce data is our number-one priority. As online scams proliferate on the Internet, we want to remind our users to be vigilant in protecting their Salesforce user names and passwords.

If you have any concerns or doubts about an email that appears to be from salesforce.com, please forward the email to us at security@salesforce.com.

Quick Links:

Security Alert: Fraudulent "Salesforce" Phone Calls
Beware of Fraudulent Emails (Phishing)
Salesforce Login Page
Protect Your Password 
 

8/28/08 Security Alert: Fraudulent "Salesforce" Phone Calls

Salesforce.com will never ask you for your login credentials on the phone.

Several customers have reported receiving phone calls from persons who misrepresent themselves as employees or agents of salesforce.com. To date, these customers have all been in the US, with the calls apparently originating from outside the US. Some of these callers are attempting to steal your Salesforce credentials, a deceptive but unfortunately common unlawful practice known as "social engineering."


Here's how it typically works:

  • A caller identifies companies that use Salesforce by searching public job postings, etc.
  • A caller contacts a customer main switchboard asking for the person responsible for Salesforce or the Salesforce administrator. The person often claims to be offering a new "version 2.0" or a new version of Salesforce.
  • A caller asks for login credentials.

What you need to do:

  • Remind your users that salesforce.com employees will not ask for credentials over the phone.
  • If you receive a phone call that matches this description, please contact security@salesforce.com.
  • If one of your users discloses his or her login credentials, reset that person's password immediately and alert us at security@salesforce.com.
  • If a caller identifies himself or herself as a salesforce.com employee, and you do not recognize his or her name, ask for a call-back number and email address. Then verify whether the caller is a salesforce.com employee.

There is no higher priority for us than the security of your data. Please let us know if you have any other questions about this matter by contacting us at security@salesforce.com.

 

 

Beware of Fraudulent Emails (Phishing)


Email fraud is an increasingly common danger for unsuspecting online consumers and business users today.


One of the most popular scams is the growing practice of "phishing." With phishing, the perpetrator uses email to lure you to fake Web sites (designed to look legitimate), where you're asked to disclose confidential personal information, like your Salesforce user name and password.

Phishing scams are becoming more sophisticated and sometimes even include a phone component. In this latest twist, criminals include a telephone number in their emails rather than a Web site address. When a victim calls the number, a person or an automated system asks for the victim's personal and/or account information.


Salesforce.com will never contact you by email or phone asking you to reveal your user name and password.

If you receive a suspicious email or phone call asking for this or other sensitive information about your account, contact us at security@salesforce.com.


You can protect yourself against phishing attacks by learning to identify suspicious emails.

Be suspicious of emails that use urgent requests or scare tactics to entice you to respond. Contact us at security@salesforce.com if you doubt the authenticity of an email that appears to come from salesforce.com.

  • Be wary even if the email or site uses some of salesforce.com's images and logos. Many fraudulent sites use copyrighted images taken from the Web.
  • Never enter confidential information into forms embedded within email messages.
  • Do not respond to email requests for passwords, credit card numbers, or other sensitive data. Salesforce.com and other legitimate companies never request private data via email (or phone).
  • Never open attachments sent to you by someone you don't know.

 

Salesforce Login Page


Spoofing is the practice of setting up a Web site that imitates a legitimate site for the specific purpose of deceiving people into providing confidential information. These sites are typically reached through an embedded link in an email and often request user IDs and passwords. You can avoid becoming a victim of online fraud by always logging in to Salesforce through our secure site.

  • Be suspicious of emails that include links to the Salesforce log-in page.
  • If you are not sure that the page you clicked to is the legitimate Salesforce log-in page, launch a new browser and get to the page by either typing:
  • Log in to your Force.com Sandbox environment only at the following secure site: https://test.salesforce.com/login.jsp
  • Log in to the Winter '08 Pre Release environment only at the following secure site: https://prerelwww.pre.salesforce.com/login.jsp
  • Look for the "lock" icon in the bottom-right corner of your browser to ensure you have a secure connection to our site.
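
As an added illustration (not salesforce.com code), the Python below applies the advice above to a link found in an email: the link is accepted only if it uses https and its host exactly matches one of the two login hosts this page lists. The function names, the allowlist variable and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# The two login hosts listed on this page. The production login host is not
# shown in this copy of the page; add it from a trusted source before use.
ALLOWED_LOGIN_HOSTS = {"test.salesforce.com", "prerelwww.pre.salesforce.com"}


def check_login_link(url):
    """Return (ok, reason) for a link that claims to be a Salesforce login page."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, without userinfo or port
        port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    if not host:
        return False, "no host"
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "non-ASCII or punycode host"
    if host not in ALLOWED_LOGIN_HOSTS:
        return False, "host is not an exact match for a listed login host"
    return True, "exact match"


# Constructed sample links (reserved .example names stand in for lookalikes).
SAMPLE_LINKS = [
    "https://test.salesforce.com/login.jsp",
    "http://test.salesforce.com/login.jsp",
    "https://test.salesforce.com.login.example/login.jsp",
    "https://test.salesforce.com@login.example/login.jsp",
    "https://prerelwww.pre.salesforce.com:8443/login.jsp",
]


def triage(links):
    """Map each link to its (ok, reason) verdict."""
    return {link: check_login_link(link) for link in links}


if __name__ == "__main__":
    for link, (ok, reason) in triage(SAMPLE_LINKS).items():
        print("OK  " if ok else "FLAG", link, "-", reason)
```

Matching the whole host name rather than searching for "salesforce.com" inside the URL is what catches the third and fourth samples, where the trusted name appears only as a prefix or as userinfo.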

 

Protect Your Password


If using a public computer or terminal, always log out when you complete an online session. Keep your passwords private. Remember, anyone who knows your password may access your Salesforce account.

  • Avoid using the same password for multiple online accounts.
  • Never share your password with anyone, ever.
  • Never reply to an email requesting your user name, password, or other sensitive information.
  • Use a unique password for each online account.
  • Use a strong password of at least eight characters that would be difficult to guess, even for someone who knows you well.
  • Use a combination of uppercase and lowercase letters, numbers, and symbols, and avoid using words from the dictionary.
  • Change your password frequently.