What is phishing anyway?


Stealing information through fraudulent e-mails is one of the most common and dangerous forms of attack on businesses.

1. Everyone is talking about phishing: what does it mean?

In a phishing attack, criminals attempt to obtain confidential company information using fraudulent e-mails, fake websites and other methods. Often, the fraudsters pose as a person or organization the victim already knows – for example, a well-known bank or a distant relative. In this way they exploit the victim’s trust so that he or she willingly discloses the information.

In addition to the classic e-mail, there is also phishing via SMS or telephone: a supposed service provider calls and asks for access to your computer in order to solve an allegedly urgent problem.

2. How dangerous is such a phishing attack and what exactly does it target?

Such attacks can be quite dangerous. A survey conducted by the German Insurance Association revealed that 59% of successful cyberattacks on small and medium-sized businesses are carried out via email.

It’s hard to tell what the actual target behind an attack is until you apprehend the perpetrator. In most cases, the goal is to obtain data that the criminal can use to enrich himself. This can happen directly, but also indirectly.

For example, if the perpetrator steals complete credit card information or bank data, it is easy for him to use it to transfer money or make purchases online. But good money can also be made on trading sites on the dark web with access data for a company’s computer system. In rare cases, this information is deliberately stolen to destroy a competitor’s reputation or to spy on company secrets. This should not be underestimated either, since Germany has many thought leaders and hidden global market leaders, so-called hidden champions, among small and medium-sized companies. Their data is highly interesting for industrial espionage reasons.

3. How exactly do criminals get their victims to disclose the desired data?

In phishing, fraudsters cleverly use various psychological strategies to get their victims to divulge the desired information. Fear can be a driving factor, for example the fear of no longer being able to work. But curiosity (“We have a surprise for you.”), social pressure (“All colleagues have participated in the campaign.”) or the prospect of a reward (“Log in and receive a voucher for 50 euros.”) can also be effective mechanisms to obtain the desired data. Depending on his or her personality, every employee is susceptible to different forms of cyberattack. Therefore, do not allow yourself to be pressured, and verify the identity of e-mail senders and callers carefully.

4. Is there a practical example of how to deal with a phishing attack?

A good example of a successful phishing scam is a supposed e-mail from a popular bank. The victim is asked to log into their customer account as soon as possible and confirm their identity, otherwise the company account will be blocked. If the victim is actually a customer of the bank and therefore believes the e-mail to be genuine, they click on a link that leads to a fake website of the financial institution. There, they enter their access data and other information, which the criminals can then read off easily. The e-mails and websites are often designed to be deceptively genuine: the design, name of the sender, salutation and signature correspond to those of the company – only a close examination of the sender address and the link target reveals that a fraud has taken place.
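The examination described above (does the visible sender name and link text match the actual sender address and link target?) as an added Python example, not code from the original article. The e-mail below is constructed for illustration; `example-bank.test` and `examp1e-bank-login.test` are placeholder domains, not real organizations.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a fake "bank" notification with a look-alike sender
# domain and a link whose text shows the real bank but points elsewhere.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <service@examp1e-bank-login.test>
To: customer@company.test
Subject: Your account will be blocked
Content-Type: text/html

<html><body>
<p>Dear customer, please confirm your identity within 24 hours.</p>
<a href="http://examp1e-bank-login.test/confirm">https://www.example-bank.test/login</a>
</body></html>
"""

def registrable_domain(host: str) -> str:
    """Keep the last two labels of a host name (sufficient for this demo;
    production code should consult the Public Suffix List)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def find_mismatches(raw: str, expected_domain: str) -> list[str]:
    """Compare what the reader sees with where the mail really comes from
    and where its links really go; return one finding per discrepancy."""
    msg = message_from_string(raw)
    findings = []
    display_name, addr = parseaddr(msg["From"])
    sender_domain = registrable_domain(addr.split("@")[-1])
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r} "
                        f"(display name: {display_name!r})")
    html = msg.get_payload()  # single-part message, body is a str
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.S):
        target = registrable_domain(urlparse(href).hostname or "")
        if target != expected_domain:
            findings.append(f"link {href!r} leads to {target!r}, not {expected_domain!r}")
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_domain = registrable_domain(urlparse(shown).hostname or "")
            if shown_domain != target:
                findings.append(f"link text shows {shown_domain!r} but target is {target!r}")
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_EMAIL, "example-bank.test"):
        print(finding)
```

Run against the sample with the bank's real domain, the function reports three discrepancies: the sender domain, the link target, and the link text that disagrees with its own target.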