Phishing describes the attempt to steal identities and passwords via the Internet by sending fake e-mails or text messages. Cybercriminals use deceptively genuine-looking e-mails to lure Internet users to fake websites of banks, online stores, or other online services in order to get hold of their user IDs and passwords. The stolen data is used, for example, for account looting or hacker attacks on companies.
What is phishing?
Phishing is derived from the English word “fishing”. The aim is to illegally “fish” access data from Internet users and use it for criminal activities to the detriment of the user. Access data for online banking is often the focus of phishing attacks. User IDs and passwords for mail accounts, online stores, or social networks are also frequent targets of phishing.
The stolen access data enables the phisher to take over the identity of the victim on the respective Internet platform. This enables the phisher to inflict financial damage on the victim, damage the victim's reputation, or order goods under the victim's name.
Methods used for phishing
The most common method used for phishing is based on the mass sending of e-mails with fake content. The e-mails are designed to look as close as possible to the original e-mails from banks, online stores, or other Internet platforms in terms of design, sender address, and the way the customer is addressed.
The recipient is prompted in the e-mail to click on a link contained in the e-mail and enter his or her access data there. The link leads to a fake login page of the attacker. This page is a deceptive imitation of the original page of the Internet platform.
If the recipient believes the e-mail to be genuine and enters his or her data on the fake website, the phisher is in possession of the recipient's access data and can use it for the phisher's own purposes. Since the fake e-mails are sent in large quantities, individual users fall into the attackers’ trap time and again, despite the fact that this type of attack is well known and protective measures are in place.
What is spear phishing?
Spear phishing is a special form of phishing. In the analogy of fishing, this is a targeted attempt to catch a single fish with a harpoon instead of dozens or hundreds of fish with a net.
Spear phishing is a targeted phishing attack on a narrowly defined user group about which the attacker obtains information in advance. The target of a spear phishing attack can be, for example, the employees of a company’s HR department, who receive an e-mail with a fake application for a current job posting of the company.
Protection against phishing attacks
Protecting against phishing requires, in addition to various technical protective measures, healthy caution when dealing with e-mails and entering access data on the Internet.
It is generally not advisable to click on links contained in e-mails and enter personal data on the pages accessed. Login pages should always be opened directly via the address line of the browser. The identity of the opened page should also be checked in the address bar. There, it can be verified whether the page called up uses a valid certificate of the respective provider.
It is often possible to recognize phishing e-mails directly from their content. In most cases, a personal salutation with a name or other customer data is missing. Poorly made phishing mails are also conspicuous by their spelling mistakes and their urgent tone. If you are not sure whether an e-mail you have received is a phishing e-mail, you can search the Internet for the text passages it contains. Often the search hits show directly that the content originates from a known phishing mail.
Technical protective measures against phishing
The risk of phishing attacks can be additionally minimized by technical measures. Many antivirus programs, but also e-mail programs, are able to recognize phishing e-mails on the basis of certain characteristics and to warn against them.
In addition, the HTML display of e-mails in mail programs can be switched off or configured so that only content from familiar sources is displayed. In addition to mail programs, modern browsers recognize many phishing websites and warn directly when they are called up.