Phishing: The dangers of the digital ocean or why phishing works so well
The term “phishing” (a combination of the words “password” and “fishing”) refers to an attempt to steal sensitive information, such as usernames, passwords, and credit card information, or to induce a transaction or download of malware. Attackers use fraudulent e-mails, text messages, phone calls, or Web sites as a starting point. As fraudsters’ tactics have become more sophisticated, this form of cybercrime has evolved over the years to become a serious threat to individuals and businesses.
Phishing has been around since the early days of the Internet and was first used by fraudsters on AOL’s instant messaging channels in the mid-1990s to steal AOL user data. Since then, the hacking scene has evolved with the development of the Internet, and billions of phishing e-mails are now sent every day. In fact, phishing attacks account for more than one-third of all data breaches. Despite an increase in corporate security awareness training, approximately 1% of employees still click on phishing e-mails, and more than half of these employees reveal their personal information. This makes phishing the most common form of social engineering, based on the simple idea of psychological manipulation and exploiting human error.
Attackers pose as a trusted source (family member, boss, colleague, known service provider) and trick their potential victim into revealing personal information. Typical examples include fake e-mails or text messages that appear to come from a bank, online service, delivery or parcel service, grandchild, or government agency, asking the recipient to enter personal information or complete an urgent transaction. These messages often contain links to fake websites that have been specially created by the scammers and look very similar to the originals. Alternatively, malicious attachments can install malware on the computer when opened. Recipients, trusting or feeling pressured by the supposedly trustworthy source, often follow the attacker’s instructions without further verification, and the damage is frequently irreversible even when it is discovered promptly.
To trick victims into revealing personal information, attackers use social engineering techniques, often creating fear, urgency, curiosity, compassion, or greed to get people to act before they can rationally assess the situation. Pressure is often applied by suggesting that failure to act will cause significant harm to the victim or their organization.
Examples of phishing e-mails
For example, it may be claimed that
- the account or IT system has been compromised (“Your account has been compromised! Reset your password immediately.”),
- urgent action is required to avert a threat (“Your password has been compromised. Change your password immediately to regain access to your account.”),
- an urgent payment is needed for the CEO (“The payment must be made immediately to avoid jeopardizing the company!”),
- an overdue bill needs to be paid urgently (“If you don’t pay today, we will take legal action against you!”),
- a package cannot be delivered and needs to be re-delivered (“We were unable to meet you today. Please click here to have the package delivered again.”),
- a lottery prize can only be redeemed today (“You have won! Redeem your €10,000 prize today”),
- etc.
Phishing affects us all!
The impact of phishing attacks can be devastating for individuals and organizations alike.
For individuals, the theft of sensitive information can lead to financial loss and other serious consequences. For example, if credentials are entered on a fake Web site, attackers can use them to try to access other accounts through credential stuffing.
When confidential data or information is stolen from an organization, not only does trust and reputation suffer, but there is usually a massive financial loss as well.
What types of phishing attacks are there?
Mass e-mail phishing
Mass e-mail phishing is a serious problem in today’s digital world. Scammers and attackers send a large number of e-mails at random, hoping that at least some of the recipients will fall for their scam. Hackers go to great lengths to make the e-mails they send appear as authentic as possible, usually combined with an urgent request for action to inspire confidence in their targets and prompt a quick response. Typically, well-known and respected brands, logos, legal information, and corporate branding from companies such as postal and transportation services, telecommunications companies, and banks are misused with the intent of convincing victims that they are customers of these companies, or at least that they are reputable and trustworthy.
In the past, phishing e-mails were created manually by criminals, which was often prone to errors. With the advent of artificial intelligence (AI), more sophisticated phishing e-mails are being created that are not detected by most spam filters and are difficult for even experts to identify. In addition, thousands of mass e-mails are no longer written with a single text, but with a variety of different texts to avoid being identified as mass e-mails.
The spam e-mails sent often appear harmless or even tempting, but their intention is to steal confidential information or to provoke the download of ransomware.
The deception is usually achieved by using spoofed sender addresses or appealing subject lines that make the messages appear to be legitimate requests. Victims often feel safe and click on links or download files without realizing the risks. We have already highlighted examples of phishing e-mails in the section above.
Spear phishing
Spear phishing is a particularly insidious form of phishing that, unlike mass e-mail phishing, is characterized by targeted attacks on individuals or individual organizations. Since the attack usually targets only one victim or victim organization and the attacker usually has only one attempt, the fraudster, the so-called spear phisher, prepares the attack on his target with detailed research. Typically, spear phishing attacks target well-known personalities (also known as whale phishing), people in exposed positions such as board members or CEOs, people with knowledge of confidential data (e.g. human resources and legal departments), or people with special authority (e.g. accounting or finance departments).
To increase the likelihood of success, the spear phisher first tries to gather as much information as possible about the target. This is done by searching the Internet, social media, newspapers, and other public sources, and in some cases even tapping into the Darknet or accessing databases that may contain valuable information. The goal of the information gathering is to obtain information about
- A company’s financial condition,
- A company’s service providers,
- Relationship networks between colleagues, employees and customers,
- Bank and account information,
- Personal information about employees, such as illness, vacation, marriage, birth of children, death in the family, promotions, awards.
The goal of the information gathering is to address an employee as credibly as possible. Spear phishers often pretend to be a boss, colleague, vendor, banker, IRS agent, debt collector, lawyer, friend, etc. in order to build trust with their victims. By using the above background and personal information about the target’s environment in the cover letter, the request becomes even more credible to the victim.
These personalized messages often seem so authentic that they can lure even the most cautious users into the trap. This is all the more true as AI has improved the quality of writing by leaps and bounds, making it easy for even foreign cybercriminals to write high-quality cover letters. In the corporate environment, the attack is usually aimed at either data (trade secrets in the context of industrial espionage, customer or financial information) or money. Fraudsters are particularly fond of using two popular spear-phishing methods to steal millions of dollars:
- Access to employee e-mail accounts: The attacker attempts to gain access to employee e-mail accounts. The goal is to send e-mails in the employee’s name containing fake invoices, asking colleagues to transfer money to fraudulent accounts, and/or requesting sensitive and confidential data. The aim is to abuse the trust of known contacts inside and outside the targeted organizations.
- Instruction from a purported board member or CEO of a larger company: An attacker poses as a top executive and requests that a subordinate employee in the purchasing, finance, or development department urgently make a large, urgent, and confidential transfer, provide data, or download software (usually malware) from a compromised server. The danger lies in the fact that the employee is afraid to question instructions from “above”, is afraid of sharing confidential information with the wrong colleagues during an audit, or does not want to be held responsible if an urgent business deal fails due to his or her lack of cooperation.
Other forms of phishing
There are many other forms of phishing. Today, phishing scammers use all known communication channels such as SMS or WhatsApp, telephone, QR codes, social media, etc. In addition, hackers continue to professionalize their campaigns and now use combinations of different phishing variants (also known as hybrid phishing).
SMS phishing (Smishing)
SMS phishing is a serious problem that is affecting more and more people. Fake text messages disguised as messages from cell phone providers, banks, utilities, or online retailers quickly turn recipients into victims. People receive messages asking them to update personal information (including credit card information and login credentials), pay a fee to send a package, or pay an outstanding bill for electricity, water, or phone service immediately or face contract termination. These messages often look deceptively authentic and even contain official logos. Criminals use these tactics to gain their victims’ trust and lure them into a trap.
Voice phishing (vishing)
Voice phishing, also known as vishing, is an alarming form of fraud. Unsuspecting victims receive calls, often pre-recorded audio messages, from supposed institutions claiming that personal information urgently needs to be updated or a fee paid. Using voice-over-IP technology, these calls can be automated and placed in large numbers, and the caller’s identity can be better concealed by spoofing the caller ID.
In these vishing calls, the fraudsters (often as an automated voice) pose as employees of trusted organizations, similar to SMS phishing, and ask for sensitive data such as credit card information or to transfer overdue payments.
Quishing
Another phishing method used to obtain user data is known as “quishing”, a portmanteau of QR code and phishing. It involves using QR codes to redirect users to fake websites that look very similar to their real counterparts. The goal, as with other phishing variants, is to obtain sensitive information (including identity information) from potential victims or to initiate fraudulent payments. QR codes on posters, flyers, and billboards in public places are covered or replaced with manipulated QR codes. The manipulation is usually very difficult to detect, which unfortunately often leads to unwitting victims.
Social media phishing
As the number of people using social media increases, so does the amount of time they spend on it. In social media phishing, the messaging functions of well-known Internet platforms such as TikTok, Instagram, Facebook, LinkedIn, Xing, X (Twitter), etc. are used in the same way as in the other phishing methods mentioned above. The primary goal is to obtain the user’s credentials so that the hijacked account can be used for fraudulent purposes. In addition, the stolen credentials are often tried against other portals and, from the attacker’s point of view in the best case, used to take those accounts over as well. Therefore, never reuse a password across services, and use a password manager.
In addition to pure messaging functions, fraudsters often use forums, comment functions and help forums on social media platforms to pose as an official organization, answer questions and trick users into disclosing their personal user data (also known as “angler phishing”).
Browser phishing
As people become more wary of phishing e-mails, attackers are increasingly using a new approach - links in search engine results. In this case, attackers place phishing links in search engines by placing ads or using search engine optimization (SEO) to get the fake websites into the results list. Again, the goal is to lure potential victims to the fake sites and get them to enter their credentials.
How can you spot phishing e-mails?
Until a few years ago, phishing messages were full of errors, making them easy to spot. However, fraudsters are now taking a more professional approach, thanks in part to advances in artificial intelligence (AI). Spelling and grammatical errors are rarely found. But you should be wary of even well-written text, especially if a message contains links, unexpected attachments, or requests for personal information. The following are some of the techniques used by attackers. Being aware of these techniques, as well as being cautious about what you are asked to do, can help you avoid becoming a victim of a phishing attack:
- Unsolicited messages or messages from unknown senders should be ignored and deleted if there is no good reason to process them. If you do process them, pay even more attention to any subsequent warning messages.
- You should be very wary of threats and urgent requests such as “If you do not confirm your account access, your account will be temporarily suspended…”.
- If messages try to elicit sympathy or ask for help in dealing with the aftermath of a war, natural disaster, or pandemic, caution should be the order of the day, despite a possible need for help. Again, do not click on links or follow requests. Instead, research the request using an Internet search engine and contact the sender directly to offer assistance.
- Be careful with messages that contain spelling and grammar errors.
- Do not click on links or follow instructions in messages that contain little or no written text and instead present their text as part of images.
- It is especially important to check the sender’s address. Often, fake e-mail addresses or domain names are used that only look strange upon closer inspection, such as an “m” written as an “r” and “n”, or a well-known name used as a subdomain of a domain (e.g., “google.fraudsters.com” is not a Google website, but the website “fraudsters.com”).
- You should be very wary of requests to transfer money or provide sensitive information, especially if you have not recently communicated with the other party.
- Attackers like to target well-known companies whose products and services are widely used. Be especially wary of messages from Amazon, Google, Apple, Microsoft, LinkedIn, Facebook, DHL, and other senders, as well as banks.
- Phishing messages are often sent on behalf of a supposed bank, even though you may not have an account there. Or it may say that a package cannot be delivered due to a missing address, even though no delivery is expected. In such cases, you should assume that it is a phishing message and delete it immediately.
How can I protect myself from phishing attempts?
A combination of technology, education, and increased vigilance is an effective way to combat phishing.
Many organizations rely on spam filters, e-mail security software, antivirus software, or web filters to detect and block suspicious messages and prevent users from clicking on compromised links. However, educating employees about the different types of phishing attacks is also critical. This training helps employees recognize suspicious messages that have bypassed a spam filter and respond appropriately and confidently to fraud attempts. This includes setting up a reporting system to forward phishing attempts to the company’s IT and cybersecurity team. In addition, companies should establish corporate policies that prohibit the transfer of funds or the disclosure of sensitive information based on an e-mail request without a plausibility check through another communication channel.
While individuals may not have the same technical capabilities as businesses, everyone should try to keep up to date with Internet security using the information available online. If you are fortunate enough to benefit from corporate training, you should not view it as a chore, but rather as a great opportunity to improve the security of your own personal communications.
A healthy dose of skepticism should always be applied to everyday e-mail and Internet use, and the following precautions should be taken when in doubt:
- Do not click on links in e-mails, text messages, WhatsApp messages, or social media messages: when in doubt, type the website you know into the browser window yourself, or find and use the website in a search program.
- An HTTPS-encrypted page is no guarantee of a trustworthy page. Anyone can create HTTPS pages that any browser will trust in seconds. Always look at the URL (Internet address) and check it for accuracy.
Below is a list of sites that can be trusted ✅ and sites that are not secure ❌.
| | Domain | Explanation |
|---|---|---|
| ✅ | paypal.com | The original domain of PayPal is paypal.com. |
| ❌ | paypal.black | The domain is not paypal.com. |
| ✅ | id.paypal.com | id is a subdomain of paypal.com, which is owned by PayPal. |
| ❌ | id-paypal.com | id-paypal.com is not the domain paypal.com, because “-” is not a valid separator. Only “.” is a separator. |
| ✅ | payment.paypal.com | payment is a subdomain of paypal.com, which is owned by PayPal. |
| ❌ | payment-paypal.com | payment-paypal.com is not the domain paypal.com, because “-” is not a valid separator. Only “.” is a separator. |
| ✅ | security.paypal.com | security is a subdomain of paypal.com, which is owned by PayPal. |
| ❌ | paypal.com.security.com | This is not paypal.com; this is security.com. The root of a domain is always on the right side, not the left side. |
Unlike normal text, which is read from left to right, domains are structured hierarchically. They consist of different levels and are read from right to left. The separation between the parts of a domain is always marked by a period, and the first two parts read from the right (for example paypal.com) determine who owns the domain.
- Do not click on attachments from unknown senders or service providers, or run attached (.exe) programs.
- Keep your operating system and other software up to date, preferably using automatic updates.
- Use a firewall that controls your inbound and outbound traffic and can block an outflow if necessary.
- Use each password for only one service, never for multiple services. Use a password manager.
- If possible, always enable two-factor authentication (if offered), as this greatly increases your security. Hackers usually do not have access to the second factor and therefore cannot do any damage.
- Only give credit card information to people you trust.
- Never follow instructions in online messages without verifying them.
- It is also easy to spoof the sender number of an SMS or phone call. Just because a familiar number appears on the screen, and even matches your address book, doesn’t mean it’s the person you expect. So if the police emergency number 110 (or 911) appears to be calling you, be suspicious at first.
- Note: Banks, government agencies, or legitimate businesses will never ask for confidential information such as PINs, TANs, or passwords, whether by e-mail, messenger, SMS, phone, etc. If in doubt, ask the service provider directly using another means of communication.
- If you receive a call from someone claiming to be a service provider, never give out personal information over the phone, especially if you are not sure who is on the other end of the line. When in doubt, ask for the name of the person you are speaking with and call back using a number in your own records (do not use the number the caller gives you!).
- The same applies to requests from superiors or unusual requests from relatives (grandchildren: “Grandma, please transfer €20,000…”). It’s best to pick up the phone and ask. If necessary, ask a personal question to verify the answer (i.e. one that is not publicly documented). It may seem like a lot of trouble, but it’s better to ask than to send money to a scammer unnecessarily.
- Be wary of gifts or offers that seem too good to be true.
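The domain rules in the table above (read the domain from the right, only “.” separates levels, the rightmost two parts identify the owner) and the sender-address checks described earlier (a brand name used as a subdomain of another domain, “rn” standing in for “m”) can be turned into a small defensive URL checker. The following is an added example written for this page; it is not code from the original article or from any product it mentions. It assumes a constructed allow-list of trusted domains, a two-label model of the registrable domain (as the table uses; real-world tools consult the Public Suffix List to handle suffixes such as co.uk), and a deliberately minimal homoglyph map containing only the “rn” to “m” confusion named on the page. It goes slightly beyond the table by also classifying full URLs and the google.fraudsters.com case from the sender-address section.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the legitimate domains a mail gateway or browser
# extension would be configured with for this example (assumption).
TRUSTED_DOMAINS = {"paypal.com", "google.com"}

# Letter sequences that read like another letter in common fonts. The page
# names "rn" mistaken for "m"; the map is deliberately minimal (assumption).
HOMOGLYPH_MAP = {"rn": "m"}


def hostname_of(target):
    """Extract the host from a full URL or a bare domain name.

    urlsplit().hostname lowercases the host and drops scheme, port and path,
    so 'https://WWW.PayPal.com/signin' yields 'www.paypal.com'.
    """
    if "://" not in target:
        target = "http://" + target
    host = urlsplit(target).hostname
    return host.rstrip(".") if host else None


def registrable_domain(host):
    """Return the rightmost two labels, e.g. 'paypal.com' from 'id.paypal.com'.

    This is the 'first two parts read from the right' rule of the table.
    Returns None for single-label or malformed hosts.
    """
    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def normalize_homoglyphs(text):
    """Rewrite confusable sequences so 'paypal.corn' compares as 'paypal.com'."""
    for seq, letter in HOMOGLYPH_MAP.items():
        text = text.replace(seq, letter)
    return text


def classify(target):
    """Classify a URL or domain as 'trusted', 'lookalike', 'untrusted' or 'invalid'.

    'lookalike' covers the page's three deception patterns: a homoglyph
    substitution, a brand name joined with '-' (id-paypal.com, paypal.black),
    and a brand name appearing only as a lower-level label
    (paypal.com.security.com, google.fraudsters.com).
    """
    host = hostname_of(target)
    if host is None:
        return "invalid"
    domain = registrable_domain(host)
    if domain is None:
        return "invalid"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 1. Homoglyph lookalike: paypal.corn -> paypal.com
        if normalize_homoglyphs(domain) == trusted:
            return "lookalike"
        # 2. Brand joined by '-' or used as the wrong top-level pairing
        if brand in domain.replace("-", ".").split("."):
            return "lookalike"
        # 3. Brand appearing anywhere to the left of the real owner's domain
        if brand in host.split("."):
            return "lookalike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample inputs: the table rows plus the sender-address examples.
    samples = [
        "paypal.com", "paypal.black", "id.paypal.com", "id-paypal.com",
        "payment.paypal.com", "payment-paypal.com", "security.paypal.com",
        "paypal.com.security.com", "google.fraudsters.com", "paypal.corn",
        "https://www.paypal.com/signin", "example.com",
    ]
    for s in samples:
        print(f"{s:32} {classify(s)}")
```

In practice the allow-list would hold the domains your organisation actually does business with, and the registrable-domain step would use a Public Suffix List library rather than the two-label shortcut, but the decision logic (compare the owner part, not the left-hand text) is exactly the rule the table teaches.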
Conclusion
Despite the best efforts of ISPs, hosting companies, operating system vendors, antivirus and antispam filter vendors, etc. to effectively combat phishing, it has become a persistent security threat in our digital world that cannot be ignored. In a game of cat and mouse, attackers are constantly developing new attack methods that must first be detected and to which the user world and its service providers must adapt. Constant technological development plays a particularly important role. In recent years, so-called AI phishing has become increasingly popular, in which generative AI (artificial intelligence) is used to generate customized cover letters for e-mails, text messages, websites, and other texts. In particular, this has professionalized phishing across national and language borders, as AI minimizes spelling and grammatical errors, as well as other typical characteristics of phishing attempts. The speed at which phishing documents are created can also often be greatly accelerated by AI. In addition to text creation, AI can also be used to create believable images, clone voices in voice messages, and other content used in phishing attempts.
It is therefore important that each and every user is vigilant for irregularities and treats messages such as e-mails and SMS with the necessary skepticism. This is the only way to protect yourself and your data.