Threats

Users of online services are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls (or other social engineering techniques) attempting to gather information that can be used to gain unauthorized access or privileged knowledge.

Xactly does not require the use of Java running within a user’s browser. Find additional information regarding risks related to Java running within a user’s browser.

Username and Password Reuse Across Multiple Sites

At Xactly, we recognize that having a trusted relationship with our customers is a continuous and on-going process. When creating your username and password for the Xactly product suite, please keep in mind best practices for access credentials:

  • Don’t use the same username and password for all (or even many) of your online accounts.
  • Don’t share your passwords with anybody; don’t write them down or send them via email. Xactly support personnel will never ask you for your password.
  • Configure strong password policies such as password strength, aging, and re-use.

Wireless Connection Sniffing and Hijacking

Xactly provides SSL 3.0/TLS 1.2 encryption (https) for login and communications between a product application and a user’s web browser. This means that even when logging in to a product over an unsecured wireless network, your login credentials and business data are protected from hijacking. Along with encrypted connections, Xactly offers a suite of security features that customers can configure to their needs.

Phishing and Malware

“Phishing” is an attack technique whereby Internet criminals set up a web site that mimics a legitimate site, such as login.www.xactlycorp.com. By following the tips below, you can reduce the potential for becoming a victim:

  • Always look for the “lock” icon in the bottom-right corner of your browser.
  • Be suspicious of emails that include links to login.www.xactlycorp.com. Don’t click on such links; instead, always log in to a product in one of the following ways:
    • Enter https://login.xactlycorp.com in the browser address field for the product’s production environment.
    • Enter “https://(environment-name).xactlycorp.com/login.php” in the browser address field for the product environment.
    • Click the Customer Login link on the www.xactlycorp.com home page.

Suspicious Emails

Phishing emails try to trick you into revealing information, often by asking you to “verify” or “update” information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate. One clue is that these messages often contain poor spelling and grammar. However, as technology criminals become more sophisticated, their approaches are becoming more varied and their attempts are getting better. Another sign to check is a link (or links) that don’t match the URLs of the companies from which they claim to come. Legitimate businesses, such as Xactly, will never ask you for sensitive information via email. If you receive such an email, do not respond or click any links in the email; instead contact Xactly Support to report the issue.

Suspicious Links and Attachments

Malicious software attacks can also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—including programs that capture keystrokes—on your computer. As users have become wary of attachments with “.exe” or unknown extensions, Internet criminals are now using attachments with seemingly innocuous “.doc” or “.pdf” extensions. To avoid becoming a victim of malicious emails, please adhere to these recommendations:

  • Beware of unusual links.
  • Watch out for links that contain URLs that look similar to real ones, for example: “www.xctlycorp.com” or “trust-www.xactlycorp.com”.
  • To validate a suspicious link, enter the company’s URL into the browser address field yourself. Phishers can make links look legitimate even though they take you to a different site.
  • If you receive a suspicious email that includes the www.xactlycorp.com brand, please contact Xactly Support to report the issue.
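As an added illustration (not part of the Xactly page), here is a small Python triage routine that applies the advice above to links pulled from a suspicious e-mail: a host counts as Xactly's only if it sits under xactlycorp.com on a label boundary, the two login hosts named on this page are the only ones accepted outright, other hosts under the domain (such as per-environment hosts, whose names the page leaves as a placeholder) are sent for review, and hosts outside the domain that merely resemble the brand are flagged as lookalikes. The sample links and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

APEX = "xactlycorp.com"                      # every legitimate host sits under this
KNOWN_LOGIN_HOSTS = {"login.xactlycorp.com", "www.xactlycorp.com"}  # named on the page
BRAND = "xactly"                             # brand string that typosquats reuse


def under_apex(host: str, apex: str = APEX) -> bool:
    """True only for the apex itself or a real subdomain of it.

    Matching on the label boundary is what rejects 'xactlycorp.com.evil.example'
    and 'xxactlycorp.com', both of which a plain substring test would accept.
    """
    host = host.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels); adequate for .com."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(url: str) -> str:
    """Return one of: ok, review, not-https, lookalike, external, invalid."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    if under_apex(host):
        if parts.scheme != "https":
            return "not-https"          # the page says login is always over https
        if host in KNOWN_LOGIN_HOSTS:
            return "ok"
        return "review"                 # real domain, but not one of the named login hosts
    # Outside the legitimate domain: does it merely resemble it?
    similarity = SequenceMatcher(None, registrable(host), APEX).ratio()
    if BRAND in host or similarity >= 0.8:   # 0.8 is an assumed threshold
        return "lookalike"              # e.g. www.xctlycorp.com, xactlycorp.com.evil.example
    return "external"


def triage(urls):
    """Map each link to its verdict; anything but 'ok' deserves a closer look."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    SAMPLE = [  # constructed e-mail links, not real indicators
        "https://login.xactlycorp.com", "http://login.xactlycorp.com/",
        "https://acme.xactlycorp.com/login.php", "https://www.xctlycorp.com/login",
        "https://xactlycorp.com.evil.example/login", "https://example.org/",
    ]
    for url, verdict in triage(SAMPLE).items():
        print(f"{verdict:10} {url}")
```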

Suspicious Phone Calls (Social Engineering)

Criminals may also try to misrepresent themselves as employees or agents of www.xactlycorp.com. Some of these callers are attempting to steal your www.xactlycorp.com credentials—an illegal practice known as “social engineering.”

How it typically works:

  • A caller identifies companies that use Xactly applications.
  • The caller contacts the customer’s main switchboard and asks for the person responsible for Xactly or the Xactly administrator. The caller may claim to offer a “new version of the application.”
  • The caller asks for login credentials to “install improvements” or perform other activities in the customer’s instance of Xactly.

What you need to do:

  • Remind your users that Xactly employees will never ask for usernames or passwords.
  • If one of your users discloses his or her login credentials, reset that person’s password immediately and notify Xactly Support.
  • If a caller identifies him or herself as a Xactly employee and you do not recognize his or her name, ask for a call-back number and email address. After you get the information, contact Xactly Support to verify whether the caller is a Xactly employee.