With classic phishing, attackers try to lure their victims to a counterfeit website by means of a faked e-mail and get them to enter their log-in information (for instance account number, password) there.
Alternatively or additionally, they may add mail attachments containing a Trojan. Once such an attachment is opened, the Trojan installs itself in the background and proceeds to capture the user's access details or redirect them to fake websites.
Important to know: Financial institutions would never send out e-mails like that!
Prevention: Never click on links or attachments in such e-mails; always enter the financial institution's address into your browser manually and check the SSL connection and certificate.
Spear phishing and dynamite phishing
In contrast to classic phishing which involves large amounts of e-mails randomly sent to a broad public, with spear phishing, recipients are specifically chosen and receive e-mails personally tailored to them.
Here, the senders pose as a trustworthy person, often an acquaintance, employee or business partner of the recipient. The personalised e-mail contents seem credible and authentic and are therefore at times not even recognised by spam filters.
If such personalised e-mails are created automatically and sent out en masse, we also call this “dynamite phishing”.
Prevention: Remain wary of unexpected e-mails or those with unusual contents, even if you think you know the sender. In case of doubt, contact the sender via a second channel, for instance by telephone.
SMS messages are increasingly used for phishing attacks, too. The insidious thing about "smishing" is that most of the criteria used to recognise phishing e-mails cannot be applied to SMS messages: there is usually no personal form of address; the language and design of these text messages are too simple and brief to allow any conclusion as to whether they are fake; and on most mobile devices it is difficult or unreliable to check the true sender and the link. Many users are also used to receiving SMS messages to verify their e-banking log-in or before financial transactions are carried out.
Prevention: Never click on any links included in SMS messages, but manually enter the website address of your financial institution which you are familiar with into your browser. Then check there is a secure connection (lock symbol, target address). If you receive any unexpected SMS messages, contact your bank via the contact information you know (for instance their official telephone number) and have them confirm that they actually sent this SMS.
Vishing (voice phishing or phone phishing)
Vishing is the voice- or telephone-based version of phishing. Similar to classic phishing, a well thought-out story is employed to induce users to disclose confidential information, such as their log-in details for their e-banking facility.
Prevention: Never let other people know any of your confidential data, such as passwords. Immediately terminate any phone calls asking you for such details. Contact your financial institution only via their official telephone numbers.
With QR phishing, attackers simply stick their own QR codes (Quick Response codes) over those displayed in frequently visited places and direct unsuspecting users to a fake URL. This way, it is easily possible to execute scripts or show a faked financial institution log-in page, in particular on mobile devices.
Prevention: Never use any QR codes to log into any financial institution site. Before scanning a QR code, check whether it has been covered up by a fake one. After scanning, check that the link points to the address you intended before opening it.
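The link check recommended above for SMS messages and QR codes, written out as an added example (not part of the original article): it verifies that a scanned or received link uses HTTPS and that its host really is the bank's address you know, rejecting common look-alike tricks. The host name `ebanking.example-bank.ch` and the sample links are constructed; the check covers scheme and host only, not the certificate shown behind the browser's lock symbol.

```python
"""Check whether a link from an SMS or QR code really leads to the bank's site."""
from typing import Tuple
from urllib.parse import urlsplit

# The address you know and would type into the browser yourself (constructed example).
EXPECTED_HOST = "ebanking.example-bank.ch"


def check_link(url: str, expected_host: str = EXPECTED_HOST) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the link uses HTTPS and its host
    is exactly the expected host or a subdomain of it."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "no secure connection (scheme is %r)" % parts.scheme
    if parts.username is not None or parts.password is not None:
        # "https://ebanking.example-bank.ch@evil.example/": the real host follows the '@'
        return False, "user name embedded before the host"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in link"
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode hosts can hide look-alike characters from other alphabets
        return False, "punycode host (possible look-alike characters)"
    if host == expected_host or host.endswith("." + expected_host):
        return True, "host matches " + expected_host
    # Catches "ebanking.example-bank.ch.evil.example", where the known name is
    # only a prefix and the real site is evil.example
    return False, "host %r does not match %r" % (host, expected_host)


# Constructed sample links of the kind found in smishing or QR phishing
SAMPLE_LINKS = [
    "https://ebanking.example-bank.ch/login",
    "https://login.ebanking.example-bank.ch/",
    "http://ebanking.example-bank.ch/login",
    "https://ebanking.example-bank.ch.evil.example/login",
    "https://ebanking.example-bank.ch@evil.example/",
    "https://xn--ebanking-example-bank-3ke.ch/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, reason = check_link(link)
        print("OK  " if ok else "BAD ", link, "-", reason)
```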