The days when fake login pages and emails were easy to spot are long gone. "Phishing" attacks are becoming increasingly sophisticated. Some even target just one person. In this article, we explain how they work and what can be done to counter them.
In phishing, criminals "fish" for valuable data such as passwords or credit card information. This can be an initial gateway for a larger attack.
For example, victims are sent an email that appears to come from a well-known organization such as their mobile phone provider. A link directs them to a website because certain details supposedly need to be confirmed urgently. In reality, however, the site is operated by criminals who are gradually collecting their virtual prey in this way.
Another goal may be to infiltrate malware that delivers the desired information. This malware can disguise itself as a harmless email attachment or as a download from cloud storage.
In the early days, such emails and websites were still quite easy to recognize - at least for trained eyes. Nowadays, however, they are becoming more and more sophisticated and even come with confidence-inspiring details such as the padlock in the address bar.
Some methods are difficult to recognize, even for experts. For example, JavaScript can be used to fake a different URL in the browser bar. Or a vulnerability in the original page is exploited: In this case, the victims actually end up on a legitimate page, but it passes on their input to the attackers.
What's more, we are no longer talking about emails and websites alone. Attacks are also attempted via text messages or phone calls with a fake caller ID ("caller ID spoofing"). Today, even voices can be deceptively imitated using suitable tools.
In general, phishing attacks regularly rely on certain psychological tricks:
Last but not least, phishing has become more specialized. In spear phishing, the attack is targeted at a specific company or even an individual person. The term "whaling" is used when a high-ranking manager is targeted, and experiments suggest that such managers may even be more susceptible to these attacks. At the same time, these attacks are difficult to detect because they are often prepared in detail over a long period of time.
There are now also services for carrying out spear phishing on a large scale. For example, information about the target is collected on the web, automatically or semi-automatically, in order to personalize the messages for the respective person.
The consequences of successful attacks can be very different, as these three examples show:
One of the most important protective measures against such attacks is creating awareness. Studies have shown that such manipulation is significantly less successful if the targeted person is aware of the scams.
Knowledge should not simply be imparted. Rather, everyone in the organization should practice recognizing such attack patterns, e.g. through a phishing simulation.
Clear processes are also important: who is allowed to disclose what information to whom and when? Because of course you want to help a customer or colleague in need. But it must still be ensured that the person making the request is actually authorized to do so. A second person may always be required for certain actions. Or confirmation must be obtained via another channel.
And, of course, the organization needs solid basic security. This includes two-factor authentication, for example: in addition to a password, you also need access to your smartphone to log in. Even small things can help, such as clearly marking external emails as such.
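The last point, marking external emails clearly, is simple to implement at the mail gateway. The following is an added example that is not part of the original article: a small Python routine that parses a raw message, tags the subject of anything not sent from the organization's own domain, and additionally flags the common trick of a display name that imitates an internal address while the real sender address is external. The internal domain `example-corp.test` and the sample messages are constructed for this example.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical internal domain and tag (constructed for this example).
INTERNAL_DOMAINS = {"example-corp.test"}
TAG = "[EXTERNAL]"


def sender_domain(message):
    """Return the lower-cased domain of the From: address, or '' if it is missing."""
    _, addr = parseaddr(message.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_external(message, internal_domains=INTERNAL_DOMAINS):
    """A missing or malformed From: yields '' and is treated as external (fail closed)."""
    return sender_domain(message) not in internal_domains


def display_name_mimics_internal(message, internal_domains=INTERNAL_DOMAINS):
    """True when the display name mentions an internal domain but the actual
    address is external, e.g. "helpdesk@example-corp.test" <x@attacker.example>."""
    name, _ = parseaddr(message.get("From", ""))
    name = name.lower()
    return is_external(message, internal_domains) and any(
        d in name for d in internal_domains
    )


def tag_external(raw, internal_domains=INTERNAL_DOMAINS):
    """Parse a raw RFC 5322 message. If the sender is external, prefix the Subject
    with TAG and add marker headers. Returns (possibly modified message, was_tagged)."""
    msg = message_from_string(raw)
    if not is_external(msg, internal_domains):
        return raw, False
    subject = msg.get("Subject", "")
    if not subject.startswith(TAG):
        del msg["Subject"]  # drop the old header(s) before writing the tagged one
        msg["Subject"] = f"{TAG} {subject}".rstrip()
    msg["X-External-Sender"] = "yes"
    if display_name_mimics_internal(msg, internal_domains):
        msg["X-Display-Name-Mismatch"] = "yes"
    return msg.as_string(), True


# Constructed sample messages for demonstration.
SAMPLE_EXTERNAL = (
    'From: "IT Helpdesk" <it-help@attacker.example>\n'
    "To: jane@example-corp.test\n"
    "Subject: Confirm your account\n\n"
    "Please confirm your details here.\n"
)
SAMPLE_INTERNAL = (
    "From: Bob <bob@example-corp.test>\n"
    "To: jane@example-corp.test\n"
    "Subject: Lunch\n\n"
    "Noon?\n"
)
SAMPLE_MIMIC = (
    'From: "helpdesk@example-corp.test" <it-help@attacker.example>\n'
    "To: jane@example-corp.test\n"
    "Subject: Password reset\n\n"
    "Reset now.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL, SAMPLE_MIMIC):
        out, tagged = tag_external(sample)
        print("tagged" if tagged else "internal", "->", out.splitlines()[0])
```

The mismatch check is deliberately narrow (display name containing an internal domain); a production gateway would also compare display names against the employee directory and verify SPF/DKIM/DMARC results before trusting the From: domain at all.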