How to protect from phishing

Phishing is an online scam in which cybercriminals manipulate their victims into sharing sensitive data. Everything you need to know about how to detect phishing and prevent incidents, as well as the current attack tactics you should be aware of:

What is phishing?

The term phishing is derived from “fishing” and describes a scam on the Internet in which the victim’s personal data is “fished” and misused for criminal purposes. Typically, the victims receive a message via an electronic communication medium (e.g. an email) abusing their trust. They then unknowingly reveal access data to other people. Phishing always pursues malicious intentions: The victims are supposed to suffer personal or financial damage – from loss of trust and defamation to economic ruin. At the same time, the personal enrichment of cybercriminals is the focus of the attacks.

When it comes to phishing, cybercriminals rely on different approaches. The typical approach is to send an email that guides the victims to a website with a fake login mask. Here, the victims’ personal data is “phished” and then misused. Many cybercriminals rely on psychological manipulation in the sense of social engineering in this method. The victims’ emotions, for example curiosity, fear or pressure, are used to manipulate them into taking action. Under the pretense that quick action is necessary, they induce their victims to carelessly and thoughtlessly disclose password or account information.

Types of malicious programs or malware

However, you can also increasingly find phishing mails that download malware onto the victims’ computers after a simple click on a link. Once these programs have been executed, they spy on data without the victim noticing (spyware) or even encrypt data so the criminals can demand a ransom (ransomware). In this case, too, social engineering plays a role, because criminals can reach their goal more easily by manipulating human emotions.

Class vs. mass – What distinguishes spear phishing from the conventional method?

Phishing attacks can also be differentiated by their target audience. In the case of spear phishing, cyber criminals deliberately deceive their victims with the intention of causing personal damage. In the “normal” attack tactic, emails are automatically sent to a large number of people. In comparison, spear phishing attacks are targeted at a narrowly defined group of people or even individuals about whom the criminals have obtained precise information in advance.

One of the best-known forms of spear phishing is CEO fraud, in which hackers pose as someone with a leading position and thus influence business processes. In the case of automotive supplier Leoni, the cyber criminals were able to get hold of almost 40 million euros in 2016. The criminals are able to find useful information for their purposes from a wide variety of sources – from publicly accessible social media profiles and professional networks to the company website and personal exchanges, for example at trade fairs. You should, therefore, always be cautious when sharing internal company information as well as private information on the Internet.

Phishing for account data

Phishing in organisations

Phishing does not only affect private individuals. Employees of large companies in particular are frequently targeted, because this is where the criminals hope for great (financial) opportunities. In a current study report on economic protection, Bitkom (association for IT, telecommunications, and new media) states that almost three quarters of German companies have suffered damage from cyber-crime in the past two years. This is 27% more than in 2017. Such attacks on the economy cause damages of more than 100 billion Euros per year in Germany. The number of undetected cases is likely to be much higher.

Only recently, a ransomware attack on the university hospital in Düsseldorf showed that cyber criminals do not shy away from critical infrastructure facilities, either. The attack brought the entire IT system of the hospital to a halt and even put human lives at risk. According to the Bitkom report, this is not an isolated incident. 80% of critical infrastructure organizations have seen an increase in cyber-crime and phishing. You should thus protect yourself against phishing attacks in both your private and professional life. To do this, you first need to understand what the attacks look like and how they work – and unfortunately, this cannot be linked to a single criterion.

Types of phishing: The most popular channels for attacks

Email

The most frequently used medium for phishing attacks is email. Attackers hide links to fake websites or attachments in the emails which download malware to the victim’s computer, spy on data or even encrypt it.

SMS

In the case of smishing, cyber criminals use short messages to ask their victims to follow links or call a specific telephone number. Here too, the aim is to obtain access data for online services by fraud.

Telephone

In recent years, so-called voice phishing (also vishing), whereby victims are contacted via the phone, has become more common. This tactic is becoming increasingly easy for hackers to implement using artificial intelligence such as voice assistants.

Websites

Spoofing is the imitation and forgery of existing websites in order to position harmful links and fake login masks on them. This tactic often appears together with phishing messages that guide victims to the fake website.

Social media

Cyber criminals are also moving with the times and are taking advantage of the lively exchange on social networks to send fake messages and thus lure victims into a trap. Social media phishing often focuses on individuals.

Messengers

In recent years, phishing attacks via messaging services such as Microsoft Teams or WhatsApp have become increasingly common. With messages that appear to come from real contacts, cyber criminals encourage their victims to act without thinking.

Dating platforms

In so-called catphishing or romance scams, cyber criminals obtain personal data by pretending to have a personal relationship with the victims on dating sites and by exploiting this alleged connection and the victims’ trust for their usual purposes. A typical example: They threaten to publish intimate photos if a certain ransom is not paid.

How to detect phishing – Signs to be extra suspicious

In all these cases, check the legitimacy of the message first. Even to the trained eye, the attacks cannot always be immediately detected as such. Phishing mails are becoming more and more realistic, the attack tactics more sophisticated. Even though phishing comes in many different forms, there are some characteristics of messages about which you should be particularly skeptical. These include irregularities in

  • the email address of the sender,
  • grammar and spelling,
  • formatting,
  • and in how you are addressed in the suspicious message.

How users recognize a phishing email

Phishing emails are also often characterized by an overemphasis on urgency or direct calls for action. You should be particularly careful with attachments and links that are supposed to be opened urgently. This is often where malware comes into play.
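The indicators listed above (sender address, how you are addressed, urgency, and formatting such as misleading links) can be turned into simple triage heuristics. The following example is added here and is not SoSafe’s code; the brand name, domains and both messages are constructed for illustration, and grammar or spelling is deliberately not scored, since that needs a language model rather than a rule.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail), in RFC 5322 format.
SUSPICIOUS = """From: "PayBank Support" <support@paybank-secure-login.example>
Subject: URGENT: your account will be suspended
Content-Type: text/html

<html><body>Dear customer,<br>
Please verify your account immediately:
<a href="http://paybank-secure-login.example/login">https://www.paybank.example/login</a>
</body></html>
"""

BENIGN = """From: "Anna Schmidt" <anna.schmidt@example.org>
Subject: Minutes from Tuesday
Content-Type: text/plain

Hi Max,
attached are the minutes from Tuesday's meeting. See you next week.
"""

# Brand names and the domain they legitimately send from (constructed, assumed).
KNOWN_SENDERS = {"paybank": "paybank.example"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|suspended|within 24 hours|act now)\b", re.I)
GENERIC_SALUTATION = re.compile(r"\bdear (customer|user|sir or madam|account holder)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def phishing_indicators(raw):
    """Return the article's indicators that fire on one raw message (empty list if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    # 1. Sender address: display name claims a known brand, but the domain is not the brand's.
    for brand, real_domain in KNOWN_SENDERS.items():
        if brand in name.lower() and domain != real_domain:
            found.append("sender address")
    # 2. How you are addressed: impersonal salutation instead of your name.
    if GENERIC_SALUTATION.search(body):
        found.append("generic salutation")
    # 3. Overemphasis on urgency or a direct call for action.
    if URGENCY.search(text):
        found.append("urgency")
    # 4. Formatting: the visible link text points to a different host than the real target.
    for href, shown in ANCHOR.findall(body):
        if urlparse(href).hostname != urlparse(shown.strip()).hostname:
            found.append("link mismatch")
    return found
```

A message that trips several indicators is a candidate for reporting to IT, not proof of phishing; a message that trips none can still be malicious, which is why the human check remains necessary.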

Protection against phishing: The most important prevention measures

To protect yourself against phishing, you should first make sure that you have taken all technical security precautions on your computer. These include an anti-virus program and a spam filter. Always keep these up to date and install updates in good time. Although technical barriers such as spam filters and antivirus programs already intercept some of the harmful emails and messages, in times of social engineering they are no longer sufficient to provide comprehensive protection against cyber attacks. For example, according to Avanan’s Global Phish Report 2019, a quarter of all phishing emails still made it through Microsoft’s phishing filters and ended up in mailboxes. So, it is important to be vigilant and aware of the dangers. After all, the “human factor” is playing an increasingly important role when it comes to IT security.

You clicked on a phishing mail? How to proceed

Stay calm and follow the process that is common in your organization.

Disconnect your computer from the Internet and electricity.

Report the incident immediately to IT or the helpdesk.

If you have been privately targeted by phishing, you should ideally call in IT experts, as well. You should also lock down accounts that may have been compromised and change passwords.

Awareness building through phishing simulations

In the course of phishing simulations, emails that use the same tactics as real phishing emails are sent to users – without actually posing a security risk, but illustrating what phishing attacks “in the wild” could look like. In this way, you immediately learn which aspects you need to pay particular attention to. With its awareness platform, SoSafe offers both in-depth e-learning and a phishing simulation that can be individually adapted to your organization. Thus, employees become an additional protective barrier against phishing attacks.

About SoSafe

SoSafe’s awareness platform continuously sensitizes and trains employees in dealing with IT security and data protection. Phishing simulations and interactive e-learning modules teach employees, in an effective and sustainable way, what to pay particular attention to when using emails, passwords or personal data. The company receives anonymous but differentiated reporting and can thus make awareness building measurable – in full compliance with the GDPR.