For many years, phishing mails have been one of the most commonly used tools in cyber-attacks. Reports about vulnerabilities in connection with targeted attacks have increased considerably in recent months, and these attacks are often particularly perfidious.
Phishing is primarily a mass phenomenon: criminals send out large numbers of e-mails in the hope that a small number of recipients will actually fall for them. However, the Bundesamt für Cybersicherheit BACS is witnessing an ever-increasing number of targeted attacks. Although they are carried out in smaller numbers and require more effort, they also achieve higher success rates.
In one new scam, users receive a seemingly innocuous e-mail, purportedly from a bank, asking them to update their personal details. Once they click on the link provided, they end up on a deceptively realistic-looking banking website. So far, nothing new as far as phishing mails are concerned.
The fake site asks for details such as name and telephone number. No credit card details, passwords or similar information have to be entered. Many users will not think twice about entering information of this kind, since the details requested do not look particularly sensitive.
But the data collected forms only the first step of the attack. The criminals get in touch again, this time by phone, pretending to be a representative of the victim’s bank. When they do so, victims will sometimes even see the correct telephone number of their financial institution displayed on their phone, a technique known as “caller ID spoofing”.
During the conversation, the victim is addressed by the correct name, and the attackers use further personal details, such as the victim’s residential address, to deliberately build trust. The purported bank employee then gives a reason for the call, for instance claiming that a fraudulent transfer is in progress. To stop this transaction, the victim is told, they have to scan a QR code using their e-banking or mobile banking app. Yet once the victim scans this QR code, the attacker has access to their e-banking account.
This approach relies on a simple yet effective principle: a victim’s healthy suspicion drops considerably when the person they are talking to already knows a lot about them. You can read up on how to protect yourself against such scams in our article on phishing.