The term phishing describes the theft of sensitive information such as Internet users' log-in details. The word is a blend of «password» and «fishing»: the attacker casts out bait, typically a message, and waits for a victim to bite.

Protect yourself against phishing by …

  • never clicking a link sent to you by e-mail, or encoded in a QR code, to log in to a financial institution's website
  • never filling in forms received by e-mail that ask you to enter log-in information
  • never disclosing confidential information, such as passwords, during telephone calls
  • always typing the address of a financial institution's log-in page into the browser yourself
  • checking the SSL/TLS connection, i.e. the padlock and the certificate behind it, before you enter anything
  • contacting your financial institution if you are not sure or something is unclear

Attackers use phishing to obtain passwords unlawfully and so gain access to the confidential information of unsuspecting Internet users, for instance the access data for an e-banking facility or the account details held by online shops. The perpetrators abuse their victims' good faith by posing as, say, employees of a trustworthy financial institution.

Phishing attacks are usually classed as «Man in the Middle» attacks. In such an attack, communication runs via an unauthorised intermediate point (the man in the middle, i.e. the attacker), who reads the diverted traffic and manipulates it where necessary. In phishing, the attacker places a site under their control between the victim and the bank, harvests the log-in details entered there and then uses them to log in to the financial institution's real web server.

The following illustration shows how a phishing attack works.

[Illustration: Phishing by way of a Man in the Middle attack]


Besides classic e-mail phishing there are several variations (phishing with malware, pharming, spear phishing, vishing and QR phishing), which are described in more detail below.

 

Classical Phishing

The attackers’ approach

In classical phishing, the attacker uses a fake e-mail to lure the would-be victim to a fake website and tries to make them enter their log-in information there. As the operator of the fake website, the attacker thereby obtains the victim's log-in information. Phishers frequently co-operate with spammers, since the latter usually have the infrastructure needed to send out fake e-mails in very large numbers.

The following illustration shows a fake e-mail used in a 2005 attack on the PayPal payment service provider.

[Illustration: Faked e-mail used for an attack on the PayPal payment service provider in 2005]

The e-mail asks the recipient to click a link to log in to PayPal. The visible link text matches the real address of PayPal's log-in page (the real website). Clicking it, however, opens a connection to the attacker's website (the fake website), which looks deceptively similar to the real one. The fake website's address is shown in the area highlighted in blue: Microsoft Outlook, like most e-mail clients, displays the real target of a link when you hover the mouse pointer over it, so you do not have to click to find out where it leads. In an HTML e-mail the link text and the link target are two separate things, and only the target counts.
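How this tell can be checked automatically, as an added example that is not part of the original page: the Python script below extracts every link from an HTML e-mail and flags anchors whose visible text names one host while the link target leads to another, as well as two related tricks (a raw IP address as the host, and a «user@host» prefix that makes the real host easy to overlook). The e-mail is a constructed sample modelled on the lure described above; the IP address and the .example domain are reserved documentation values, not real attacker infrastructure.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample in the style of the 2005 PayPal lure: the link text shows
# the genuine log-in address while the href points somewhere else entirely.
# 203.0.113.0/24 and the .example names are reserved documentation values.
SAMPLE_MAIL = """
<html><body>
<p>Dear PayPal member, please confirm your account details:</p>
<p><a href="http://203.0.113.45/paypal/cgi-bin/webscr?cmd=_login-run">https://www.paypal.com/cgi-bin/webscr?cmd=_login-run</a></p>
<p>Questions? See <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="https://www.paypal.com@login-verify.example/">Log in now</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Host a browser would connect to for a URL or bare domain, or None when
    the string is ordinary text. urlsplit treats everything before '@' as
    userinfo, so 'https://www.paypal.com@evil.example/' yields 'evil.example'."""
    s = s.strip()
    if "://" not in s:
        first = s.split("/")[0]
        if " " in first or "." not in first:
            return None
        s = "http://" + s
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    return host.lower() if host else None


def audit_links(html):
    """Return [(href, text, reasons)] for every anchor showing a phishing tell."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        target, shown = host_of(href), host_of(text)
        if shown and target and shown != target:
            reasons.append("display/target host mismatch")
        if target:
            try:
                ipaddress.ip_address(target)
                reasons.append("raw IP address as host")
            except ValueError:
                pass
        if "://" in href and urlsplit(href).username is not None:
            reasons.append("userinfo before @ hides the real host")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_MAIL):
        print(f"{text!r} -> {href}\n    {', '.join(reasons)}")
```

The second anchor in the sample, whose text and target both point at www.paypal.com, produces no finding; the first and third do. The same host_of() logic is what you apply by eye when hovering over a link: read the part between «://» and the next «/», and if there is an «@» in it, only what follows the «@» matters.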

The following illustrations show the real PayPal website, the fake site and the differences between the two.

[Illustration: Authentic website]

[Illustration: Faked website]

[Illustration: Differences between faked and authentic website]

Prevention

Surf in the correct manner:

  • Never use a link sent by e-mail to log in to a financial institution. The same applies to form fields sent by e-mail that ask for your log-in information: never complete them. Financial institutions never send such e-mails.
  • Navigate to the log-in page securely by typing the institution's address into the browser address bar yourself.

Check the SSL connection:

Before entering any log-in details, make sure the connection is encrypted (the padlock in the address bar) and that the certificate was issued for the address you typed. The padlock alone only proves that the connection is encrypted, not that you are talking to your bank: attackers obtain certificates for their look-alike domains as well.


Variations of the classical manner of phishing

Phishing with Malware

In phishing attacks with malware, victims are not diverted to the fake financial institution website by fake e-mails. Instead the diversion is done by malware (malicious software, e.g. a Trojan) that has taken up residence on the victim's computer: when the victim opens the real website's address, the malware silently redirects them to the fake one without their noticing.

Prevention: The financial institution's website must be checked for authenticity. As financial institutions serve their log-in pages over secure SSL/TLS connections, the connection and its certificate must be checked for correctness: the certificate must be issued for the address you typed, be currently valid and come from a trusted issuer.

Click here to find out how you can check a certificate.
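Added example, not from the original page: one well-known way such malware performs the diversion is to write entries into the computer's hosts file, which the operating system consults before asking DNS. Assuming that mechanism, the Python script below parses the hosts file and reports any entry that pins a financial institution's hostname to a fixed address. The hosts file content, the bank hostname and the addresses are constructed (the IPs are reserved documentation ranges); the watch list is an assumption you would replace with the institutions you actually use.

```python
import os
import sys

# Constructed hosts file as a banking trojan might leave it: the entries under
# the "installer" comment send the bank's and PayPal's names to attacker IPs
# (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by installer
203.0.113.45    ebanking.example-bank.ch www.example-bank.ch
198.51.100.7    www.paypal.com   # payment
"""

# Assumed watch list: names that never belong in a home PC's hosts file.
WATCHLIST = {"ebanking.example-bank.ch", "www.example-bank.ch", "www.paypal.com"}


def hosts_file_path():
    """Default hosts file location for the running platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments
    and blank lines; one line may map several names to the same address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return the entries that pin a watch-listed name to a fixed address.
    Any such entry bypasses DNS, so even a loopback mapping is suspicious."""
    wanted = {w.lower() for w in watchlist}
    return [(n, ip, name) for n, ip, name in parse_hosts(text) if name in wanted]


if __name__ == "__main__":
    path = hosts_file_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError as exc:
        print(f"cannot read {path}: {exc}; auditing the constructed sample instead")
        text = SAMPLE_HOSTS
    for line_no, ip, name in audit_hosts(text):
        print(f"line {line_no}: {name} -> {ip}")
```

Run on a real machine the script reads the live hosts file and prints nothing if it is clean. A hit does not prove an infection on its own, but there is no legitimate reason for a bank's name to be hard-wired there, and the certificate check described above will fail on the site the entry leads to.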

 

Pharming

Like classical phishing and phishing with malware, pharming is a type of man-in-the-middle attack. With pharming, however, the diversion to the fake website is achieved by manipulating the Domain Name System (DNS), which translates a web server's name into its network address and therefore plays a central role in every connection: if the answer for the bank's name is falsified, for example through a poisoned resolver cache, even a correctly typed address leads to the attacker's server. The name «pharming» refers to the large server farms that attackers using this method have at their disposal, holding many different fake websites.

Prevention: The financial institution's website must be checked for authenticity. As financial institutions serve their log-in pages over secure SSL/TLS connections, the connection and its certificate must be checked for correctness: the certificate must be issued for the address you typed, be currently valid and come from a trusted issuer.

Click here to find out how you can check a certificate.
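What «checking the SSL connection for correctness» amounts to, for both the malware and the pharming case above, as an added example (not the page's own guidance or any institution's code): the Python script below applies the three checks a browser performs, namely that the certificate is issued for the name you typed, is valid now and was not signed by itself, to certificate data in the form Python's ssl module returns. The two certificates are constructed: a genuine-looking one for the placeholder bank ebanking.example-bank.ch and a self-signed one for a look-alike domain that merely contains the bank's name. fetch_peer_cert() shows how the live data would be obtained and is not called in the example.

```python
import socket
import ssl
import time

# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
# Hostnames use placeholder .example / example-bank.ch names.
GENUINE_CERT = {
    "subject": ((("countryName", "CH"),),
                (("organizationName", "Example Bank AG"),),
                (("commonName", "ebanking.example-bank.ch"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example EV Server CA"),)),
    "subjectAltName": (("DNS", "ebanking.example-bank.ch"),
                       ("DNS", "www.example-bank.ch")),
    "notBefore": "Jan  5 09:59:27 2024 GMT",
    "notAfter": "Jan  5 09:59:26 2025 GMT",
}
# Self-signed certificate for a look-alike domain: the bank's name appears in
# the label, but the certificate is issued for *.secure-login.example.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "ebanking.example-bank.ch.secure-login.example"),),),
    "issuer": ((("commonName", "ebanking.example-bank.ch.secure-login.example"),),),
    "subjectAltName": (("DNS", "*.secure-login.example"),),
    "notBefore": "May  1 00:00:00 2024 GMT",
    "notAfter": "Jul 30 23:59:59 2024 GMT",
}
# Fixed "now" so the example is reproducible.
NOW = ssl.cert_time_to_seconds("Jun  1 12:00:00 2024 GMT")


def dns_name_matches(pattern, host):
    """RFC 6125-style match: a leading '*.' covers exactly one label and
    never the bare registrable domain itself."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_names(cert):
    """DNS names the certificate is issued for (SAN first, CN as fallback)."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def inspect_cert(cert, expected_host, now=None):
    """Return a list of problems; an empty list means the certificate belongs
    to the address you typed, is valid right now and is not self-signed."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(dns_name_matches(n, expected_host) for n in names):
        problems.append(f"not issued for {expected_host} (issued for: {', '.join(names)})")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("not valid at the current time")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed, not issued by a trusted CA")
    return problems


def fetch_peer_cert(host, port=443):
    """Live variant (not called here): the default context already rejects an
    untrusted chain or a name mismatch during the handshake; what it returns
    can then be fed to inspect_cert() for display."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("look-alike", LOOKALIKE_CERT)):
        print(label, inspect_cert(cert, "ebanking.example-bank.ch", NOW) or ["OK"])
```

The look-alike certificate fails two of the three checks even though its subject begins with the bank's name: the wildcard *.secure-login.example does not cover ebanking.example-bank.ch, and the issuer equals the subject. Chain validation against the trust store is the part a browser adds on top, and it is what the live fetch_peer_cert() delegates to ssl.create_default_context().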

Spear phishing

Spear phishing is a customised fraud attempt by e-mail. Unlike classic phishing, where large quantities of e-mails are sent out indiscriminately to the general public, spear phishing targets specifically selected recipients with e-mails tailored to them individually. Attacks therefore generally target a particular person or organisation, for instance to obtain unauthorised access to confidential data. The senders pose as a trustworthy person, often an acquaintance, colleague or business partner of the recipient. The e-mail contents look credible and authentic and are frequently not even caught by spam filters.

The attackers’ approach

A typical spear phishing attack runs as follows:

  • The attacker researches the Internet and the website of a company that lists the contact details of individual employees.
  • On social media platforms such as Facebook or in expert forums, they comb through the online profiles of the employees known by name to collect information on their activities and contacts, and thus the leverage points for a customised attack.
  • With the information gathered, they draw up a personalised, authentic-looking message to an employee named on the contact page. In this mail they pose as, say, a network administrator, HR manager or business partner and make a request that seems plausible, or lay some alluring bait. For example, the recipient may be asked to log in with their username and password via a link to a specific page, or to open an Office or PDF attachment.
  • If even a single employee falls for such an attempt, the attackers can use that employee's identity from then on, or infect their computer to obtain personal or internal company data, which in turn lets them compromise and spy on the computers of other employees.

Prevention

  • The best protection is knowing how to recognise a typical spear phishing attempt. Any request by a colleague or superior to send confidential information, unusual requests from a business partner or links to unfamiliar URLs call for the utmost caution. The same goes for seemingly attractive e-mail attachments with suggestive file names such as "wages_2018.xls" or "press statement job cuts.pdf".
  • If you are unsure about an e-mail you have received, contact the sender via a different channel, e.g. by telephone. If a financial institution is involved, only ever contact it via its official telephone number, which can be found on your account statements, for instance.
  • If you use social networks, avoid being too open about yourself. Be particularly careful when posting to publicly accessible accounts such as Facebook, Twitter or Instagram. Further information on this issue can be found here.
  • Always use up-to-date antivirus software, and install operating system, browser, program and app updates as soon as possible.

Vishing (Voice Phishing or Phone Phishing)

Vishing is the voice- or telephone-based variation of phishing. The term stands for «voice phishing» or «phishing via VoIP» and denotes the organised harvesting of data by telephone. As in classic phishing, well-thought-out stories are used to induce users to divulge confidential information such as e-banking access data. Both the preparation for the attack and the actual theft of data can take place by telephone. Vishing is therefore a typical social engineering attack.

The attackers’ approach

The following approaches by attackers have come to light so far:

  • Attackers use an automated process to call a range of telephone numbers. If someone answers, a recorded voice message is played that leads the victim to believe the call comes from a trustworthy organisation, for instance a financial institution. During the call, victims are asked to disclose information such as account numbers, PINs and TANs.
    Fraudsters also exploit low-cost Internet telephony (VoIP) for this approach, which makes mass calling cheap and lets the displayed caller number be forged.
  • Besides automated calls with recorded messages there is also a personal version, where the attackers call their victims themselves. As with automated calls, recipients are led to believe the call comes from a trustworthy organisation, for instance a financial institution. On some pretext (e.g. improved security, problems with the account), victims are induced to disclose secret information such as passwords, PINs or TANs.
    Such calls can be very professionally organised and are often even conducted in Swiss German.
  • In a further variation, fraudsters send out e-mails that use a pretext to ask victims to dial a telephone number given in the mail. Victims might for instance receive a fake message purporting to come from their financial institution and advising them of credit card abuse. To prevent the situation getting worse, the recipient is asked to call as soon as possible. If victims then call the number given, they either hear an automated message or speak directly to the attacker; in both cases they are asked to authenticate themselves, e.g. by reading out the supposedly compromised credit card number or entering it on the telephone keypad.
    This type of attack is particularly dangerous because it abuses the advice given by many financial institutions not to react to e-mails but to contact them by telephone: the number in the e-mail, unlike the one on your statements, belongs to the attacker.

Prevention

  • Never disclose any personal data such as passwords to any other person! Immediately terminate any phone calls if you are asked for such details.
  • Only ever contact your financial institution via their official telephone number, which can for instance be found on your account statements.

QR Phishing

QR codes (Quick Response codes) are often found on products, advertising or film posters, in printed catalogues, newspapers and magazines. They point users to additional sources of information on the Internet. Since humans cannot read the contents of a QR code, it first has to be scanned, e.g. with a smartphone, and users therefore usually cannot tell before scanning what information is encoded in it, whether a web address, a phone number or something else. Criminals know how to exploit this.

The attackers’ approach

Attackers generally proceed as follows: they simply stick their own QR codes over those displayed in busy places and thereby lead unsuspecting users to a fake URL. In this way it is easy to run scripts or present a fake financial institution log-in page, especially on mobile devices, where many users find it hard to distinguish authentic from fake URLs because the address bar is small and often hidden. Depending on the mobile operating system, there is sometimes hardly any indication that a download has been started, either.

Prevention

  • Before scanning a QR code, check that it has not been covered over with a fake one.
  • If possible, use a QR code scanner (app) that displays the decoded contents first and asks whether you really want to visit the link or carry out the action. Where possible, check that the link points to the address you expect.
  • Never use a QR code to log in to a financial institution's website.
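The check the second bullet describes, as an added example that is not part of the original page: the Python function below takes the decoded content of a QR code, as a scanner app would show it before acting on it, and states what acting on it would do (open a web page, place a call, send a message, join a Wi-Fi network) together with the warnings a careful user should see. The payloads, the bank hostname and the list of trusted addresses are constructed assumptions; 203.0.113.9 is a reserved documentation address and the xn-- domain is an invented look-alike.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: addresses you know and would type yourself. Anything else needs a look.
TRUSTED_HOSTS = {"ebanking.example-bank.ch", "www.example-bank.ch"}

# Constructed payloads, exactly as a scanner hands them over after decoding.
SAMPLE_PAYLOADS = [
    "https://ebanking.example-bank.ch/login",
    "HTTPS://ebanking.example-bank.ch@203.0.113.9/login",   # bank name is only userinfo
    "http://xn--exmple-bank-5za.ch/login",                  # punycode look-alike label
    "tel:+41445551234",
    "WIFI:T:WPA;S:FreeAirportWifi;P:secret;;",
    "just some text",
]


def triage_qr(payload, trusted_hosts=TRUSTED_HOSTS):
    """Describe what acting on a decoded QR payload would do, with warnings."""
    u = urlsplit(payload.strip())
    scheme = u.scheme.lower()
    if scheme in ("http", "https"):
        host = (u.hostname or "").lower()      # the host actually contacted
        warnings = []
        if scheme == "http":
            warnings.append("plain http, no TLS")
        if u.username is not None:
            warnings.append("userinfo before @ hides the real host")
        try:
            ipaddress.ip_address(host)
            warnings.append("raw IP address instead of a name")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append("punycode (xn--) label, possible look-alike domain")
        if host not in trusted_hosts:
            warnings.append(f"host {host!r} is not an address you know")
        return {"action": "open web page", "target": host, "warnings": warnings}
    if scheme == "tel":
        return {"action": "place a call", "target": u.path,
                "warnings": ["use only the official number from your statements"]}
    if scheme in ("sms", "smsto", "mailto"):
        return {"action": f"send {scheme}", "target": u.path.split("?")[0],
                "warnings": ["message goes to a recipient chosen by the code's author"]}
    if scheme == "wifi":
        m = re.search(r"S:([^;]*)", u.path)
        return {"action": "join Wi-Fi network", "target": m.group(1) if m else "",
                "warnings": ["an attacker-run network can intercept unencrypted traffic"]}
    return {"action": "show text", "target": payload, "warnings": []}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        r = triage_qr(payload)
        print(f"{payload}\n  -> {r['action']}: {r['target']}")
        for w in r["warnings"]:
            print(f"     ! {w}")
```

The second payload is the instructive one: on a phone's narrow address bar it reads as the bank's address, yet the host that would be contacted is 203.0.113.9, which is also why the third bullet above says never to log in via a QR code at all.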

 

For you to receive phishing mails, fraudsters first have to know your e-mail address. To reduce this risk, and the spam in your inbox generally, it helps to follow a few simple rules, which can be found in our info sheet on spam and phishing mails.

Aargauische Kantonalbank, Baloise Bank SoBa, Banca del Ceresio SA, Banca del Sempione, BancaStato, Bank Coop, Bank Linth, Banque CIC (Suisse), Basellandschaftliche Kantonalbank, Basler Kantonalbank, Freiburger Kantonalbank, Banque Cantonale du Jura, Banque Cantonale Neuchâteloise, Banque Cantonale Vaudoise, Berner Kantonalbank, Banca Popolare di Sondrio (SUISSE), cash zweiplus, Clientis, Cornèr Bank AG, Glarner Kantonalbank, Graubündner Kantonalbank, Hypothekarbank Lenzburg, Julius Baer, Liechtensteinische Landesbank AG, Luzerner Kantonalbank, Migros Bank, Nidwaldner Kantonalbank, Obwaldner Kantonalbank, Piguet Galland, PostFinance, Schaffhauser Kantonalbank, Schwyzer Kantonalbank, Triba Partner Bank AG, UBS, Urner Kantonalbank, Valiant Bank AG, Vontobel AG, VP Bank, Walliser Kantonalbank, Zuger Kantonalbank, Zürcher Kantonalbank