Various studies show: Cybercriminals are shamelessly exploiting the Corona pandemic for their own purposes. For example, the number of phishing websites has increased very sharply since the beginning of the pandemic [1]. In particular, emails that contain the term COVID-19 in the subject line are considered especially dangerous.

The targets of the cybercriminals are mostly confidential information, such as access data to e-banking or online stores. The procedure is usually always the same. E-mails indicate that the login or account information is no longer up to date and must be updated using the link attached to the e-mail. The attackers pretend to have a false identity and exploit the good faith of their victims to steal their confidential information.

Alternatively or additionally, such e-mails are often accompanied by attachments containing a Trojan that installs itself automatically when opened and later spies on the victim’s confidential information or even the entire corporate network.

But it is not only by means of e-mails that attempts are made to obtain confidential information or install malware; there are other methods of obtaining coveted data and access. The following is an overview of the most widespread phishing variants.

Classic phishing

In classic phishing, cybercriminals try to lure their victims to fake websites, as described above, with the help of fake e-mails, which are usually sent en masse, and get them to enter confidential information there. Or they try to obtain the desired information by means of malware.

Spear Phishing

The big difference from classic phishing is that in spear phishing, victims are specifically selected and personally contacted. A common scam is that the sender of the email pretends to be a senior employee who has the authority to make wire transfers (to fraudulent companies).

In order to convincingly establish contact, the attackers usually use social engineering techniques and disguise themselves as a trustworthy person the victim knows, such as an employee, business partner or acquaintance. The attacker succeeds in this by spying on his victim in advance on the Internet and social media. Because such emails appear credible and authentic, they are often not detected by spam filters and thus not blocked.

Smishing (SMS-Phishing)

An SMS with the text and a link: “New voicemail: …”. Such SMS messages were sent out en masse this summer and show that short message services such as SMS, MMS, WhatsApp, etc. are increasingly being used for phishing attacks [2].

The perfidious thing about this phishing variant is that most of the criteria for detecting phishing emails (see below) are not applicable to short messages: Often a personal salutation is missing. The language and design of the short messages are too simple and too concise to allow conclusions about a possible fake. And the true sender as well as the link are difficult to verify with most mobile devices.

Vishing (Voice-Phishing)

Vishing is the voice-based or telephone-based variant of phishing. Similar to classic phishing, victims are tricked into revealing confidential information over the phone by means of well-crafted stories.

QR-Phishing

In QR phishing, cybercriminals paste over QR codes (quick response codes) at frequently frequented locations using their own manipulated ones, or they claim in emails that there is an important document ready for collection. To access it, recipients are supposed to scan the QR code contained in the email with their mobile device.

In this way, fake web pages can be displayed, downloads launched and scripts executed on mobile devices.

How do I protect myself from phishing?

The most efficient protection against phishing is knowledge about phishing. Use this knowledge, as well as your common sense, and don’t believe everything you read in emails, text messages, and on websites, and everything you hear on the phone. No reputable company will email you asking you to divulge confidential information, such as login credentials or passwords – even for security reasons!

In addition, the following tips should be taken to heart:

• Never use a link that has been sent to you by e-mail or short message, or that you have scanned via QR code, to log in to an online service.
• Always enter the address to the login page of the online service manually in the address bar of your browser.
• When accessing the login page, make sure that it is a secure connection.
• Handle attachments to e-mails and short messages with the utmost care.
• Never disclose confidential information, even in telephone conversations.

As mentioned above, make sure you have a secure connection. This is made apparent in your browser by the following features:

• The browser displays a lock icon in the address bar.
• The browser displays the correct name of the online service, which is displayed either next to the lock or after you click the lock under “Issued to:”.
• The browser displays the correct domain name in the address bar.

Have you received a phishing email or found a phishing website?
You can report it here:

• Switzerland – www.antiphishing.ch
• Austria – Watchlist Formular
• Germany – Forward Phishing-E-Mail to

Sources

[1] https://de.statista.com/statistik/daten/studie/73876/umfrage/anzahl-der-gemeldeten-phishing-webseiten-weltweit/
[2] https://www.ncsc.admin.ch/ncsc/de/home/aktuell/aktuelle-vorfaelle.html

Author: Dominik Schupp, Senior Research Associate Information Security & Data Protection, Team “eBanking – but secure!” (www.ebas.ch), Lucerne University of Applied Sciences and Arts – Computer Science

«eBanking – aber sicher!»

«eBanking – aber sicher!» ist eine unabhängige Plattform der Hochschule Luzern – Informatik, die Sie dabei unterstützt, Ihre persönliche Informationssicherheit mit Fokus auf E-Banking wahrzunehmen. Auf der Website www.ebas.ch finden Interessierte praxisnahe Informationen rund um das Thema Informationssicherheit und notwendige Massnahmen und Verhaltensregeln für eine sichere Anwendung von E-Banking-Applikationen.