Phishing

Attackers use phishing to obtain log-in data from unsuspecting Internet users, for instance in order to then access e-banking facilities or online shops. In doing so, the attackers assume a false identity, exploiting their victims' good faith.

Protect yourself against phishing by...

  • never using any links you receive by e-mail, SMS or messenger services, and never scanning any such QR codes, to log into your financial institution's facility.
  • never filling in any forms received by e-mail that ask you to enter log-in information.
  • never disclosing any confidential information, such as passwords, during telephone calls.
  • always entering the address of your online service provider's or financial institution's log-in page manually in the browser address bar.
  • checking that there is an SSL connection (https://, lock symbol) when calling up a log-in page, and verifying that the Internet address shown in your browser's address bar actually indicates that you have reached the correct page.
  • contacting your financial institution if you are not quite sure or something is not completely clear.

A typical phishing attack

1. Contact

Criminals send out fake e-mails purporting to come from employees of online service providers or financial institutions. The recipients of such e-mails are informed, for instance, that their account information or access data (e.g. user name and password) are no longer secure or up to date, and that they should update them using the link given in the e-mail.

2. Intercepting personal data

The link in the e-mail does not, however, lead to the genuine service provider's page, but to a fake website, albeit a very authentic-looking one. Personal information entered there, such as passwords, ends up directly in the hands of the perpetrators.

3. Gain

Using the stolen information, the perpetrators then, for instance, make transfers from their victim's bank account, shop online at the victim's expense, or place fake offers on online auction sites.

For you to receive phishing mails, fraudsters first have to know your e-mail address. To reduce this risk, and the amount of spam in your inbox generally, it helps to follow a few simple rules, which you will find in our article on spam.

Phishing means the theft of information worthy of protection, for instance Internet users' log-in information.

The term phishing is made up from the words "password" and "fishing".

Further information for anyone interested

Classic phishing

With classic phishing, the attackers try to lure their victims to a counterfeit website with the help of a fake e-mail and get them to enter their log-in information (for instance account number, password) there.

Alternatively or additionally, they may add e-mail attachments containing a Trojan. Once the attachment is opened, the Trojan installs itself in the background and proceeds to capture the user's access details or redirect them to fake websites.

Important to know: Financial institutions never send out e-mails like that!

Prevention: Never click any links or attachments in e-mails; always enter the financial institution's address into your browser manually, and check the SSL connection and the certificate.

Spear phishing and dynamite phishing

In contrast to classic phishing, which involves large numbers of e-mails sent randomly to the general public, spear phishing targets specifically chosen recipients, who receive e-mails personally tailored to them.

Here the senders take on the guise of a trustworthy person, often posing as an acquaintance, colleague or business partner of the recipient. The personalised e-mail contents seem credible and authentic and are therefore at times not even recognised by spam filters.

If such personalised e-mails are created automatically and sent out en masse, this is also called "dynamite phishing".

Prevention: Remain wary of unexpected e-mails or those with unusual contents, even if you think you know the sender. In case of doubt, contact the sender via a second channel, for instance by telephone.

Smishing (SMS phishing)

SMS messages are increasingly used for phishing attacks, too. The perfidious thing about "smishing" is that most of the criteria suitable for recognising phishing e-mails cannot be applied to SMS messages: there is usually no personal form of address; the language and design of text messages are too simple and brief to allow any conclusion as to whether they are fake; and on most mobile devices it is rather difficult or unreliable to check the true sender and the link. Many users are also used to receiving SMS messages to verify their e-banking log-in or before financial transactions are carried out.

Prevention: Never click on any links included in SMS messages; instead, manually enter the website address of your financial institution that you are familiar with into your browser. Then check that there is a secure connection (lock symbol, target address). If you receive an unexpected SMS message, contact your bank via the contact information you know (for instance their official telephone number) and have them confirm that they actually sent this SMS.

Vishing (voice phishing or phone phishing)

Vishing is the voice- or telephone-based version of phishing. As in classic phishing, a well thought-out story is employed to induce users to disclose confidential information, such as the log-in details for their e-banking facility.

Prevention: Never let other people know any of your confidential data, such as passwords. Immediately terminate any phone call asking you for such details. Contact your financial institution only via their official telephone numbers.

QR phishing

With QR phishing, attackers simply stick their own QR codes (Quick Response codes) over those displayed in frequently visited places and direct unsuspecting users to a fake URL. This way it is easily possible, particularly on mobile devices, to execute scripts or show a fake financial institution log-in page.

Prevention: Never use a QR code to log into a financial institution's site. Before scanning a QR code, check that it has not been covered up by a fake one. Check whether the link points to the address you intended.
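The advice above (checking for https:// and that the address bar, or the link decoded from a QR code or SMS, really points at the institution's own site) can be expressed as a small check. The following is an added example, not code from the original page or its publisher: it assumes a constructed allowlist of expected log-in hostnames (placeholder names, not real bank domains) and accepts a link only if it uses https:// and its hostname is exactly one of those names. It also rejects the common look-alike forms that the text warns about: a trusted name buried inside a longer hostname, a trusted name placed before an "@" so that the browser actually connects elsewhere, and non-ASCII or punycode hostnames that merely resemble the familiar one.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the log-in hostnames the user knows and expects.
# These are placeholder names, not real bank domains.
TRUSTED_LOGIN_HOSTS = {"ebanking.example-bank.ch", "www.example-bank.ch"}


def verify_login_url(url: str, trusted_hosts=TRUSTED_LOGIN_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the link uses https:// and
    its hostname is exactly one of the trusted hostnames."""
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"not an https:// link (scheme: {parts.scheme or 'none'})"

    # "https://trusted-name@other-host/" puts the trusted name in the user-info
    # part of the URL; the browser actually connects to whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "link contains a user@ part before the real hostname"

    host = (parts.hostname or "").rstrip(".")  # .hostname is already lower-cased
    if not host:
        return False, "link has no hostname"

    # Non-ASCII or punycode (xn--) hostnames can look like a familiar name
    # while being a different domain; treat them as not verifiable here.
    if not host.isascii():
        return False, "hostname contains non-ASCII characters"
    if host.startswith("xn--") or ".xn--" in host:
        return False, "hostname is an encoded (xn--) internationalised name"

    if host in trusted_hosts:
        return True, f"hostname {host} is a trusted log-in host"

    # Catch "ebanking.example-bank.ch.login-portal.example": the trusted name
    # appears inside the hostname, but the actual domain is a different one.
    for trusted in trusted_hosts:
        if trusted in host:
            return False, f"hostname {host} only contains {trusted}; it is a different domain"

    return False, f"hostname {host} is not a trusted log-in host"


def check_links(urls):
    """Apply verify_login_url to several links (for instance decoded from QR
    codes or copied from SMS messages) and return {url: ok}."""
    return {url: verify_login_url(url)[0] for url in urls}


if __name__ == "__main__":
    # Constructed sample links of the kinds the text warns about.
    samples = [
        "https://ebanking.example-bank.ch/login",
        "http://ebanking.example-bank.ch/login",
        "https://ebanking.example-bank.ch.login-portal.example/login",
        "https://ebanking.example-bank.ch@login-portal.example/login",
        "https://www.example-bank.ch./login",
    ]
    for link in samples:
        ok, reason = verify_login_url(link)
        print(("OK   " if ok else "STOP ") + link + "  (" + reason + ")")
```

The check is deliberately an exact match against a short list rather than a "looks similar" heuristic: a log-in page is either the one you expect or it is not, which is also why the text recommends typing the address yourself instead of following a link.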

What else would you like to learn about security when e-banking?

Register for a course now and learn more:

Basic courses

This basic course points out current threats on the Internet and shows how you can protect yourself by taking some simple measures.


Practical courses

Learn and practise the most important measures for your computer and e-banking security on computers provided by us.
