A phone call. The bank's number on the display. You answer.

A friendly bank employee is on the line.

He knows your account balance. He knows your recent transactions.

He has noticed suspicious transfers and asks whether he should stop them. You say yes and enter a TAN to confirm your identity. At that moment the trap snaps shut.

Our IT security expert Florian Hansemann recently contributed to a Kabel 1 feature on phishing and social engineering. In this article we give you a short and concise summary of the most important facts.

What is phishing?

Phishing is a form of social engineering in which the attacker poses as a trustworthy communication partner. Using fake websites and emails, the attacker obtains private data such as passwords.

While the security of IT infrastructure and software keeps improving, people remain the greatest vulnerability. Why go to the trouble of finding a weak point in the software if the victim will hand over access voluntarily?

Back to the example from the beginning: what do you think happened beforehand? How does the attacker know the victim's account details? How can he call from the bank's number? The answer lies in phishing and spoofing. Before the actual call, a phishing attack took place via email: a confidence-inspiring email tricked the victim into handing over account credentials. Only this made it possible to establish the necessary level of trust during the phone call. Spoofing is a method of deception; here, the attacker faked the caller ID so that the bank's phone number was displayed.

How can you protect yourself from phishing and spoofing?

But how can you protect yourself from such an attack? The key is awareness. Be aware that such an attack can happen at any time, and always ask yourself whether the other party is really trustworthy.

For calls from the bank, simply hang up and call the bank back yourself. This is the only way to detect this kind of phone number spoofing. With websites and emails, always check whether the domain or the sender's full address is spelled correctly. Never click suspicious links or open suspicious attachments in emails.
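As an added illustration of the "is the sender's domain spelled correctly?" check (example code written for this summary, not code from the article or from HanseSecure), the following Python function compares a sender address against a set of trusted domains and flags typosquats, look-alike character swaps, internationalised labels and a trusted name embedded in someone else's domain. The domain hansebank.example and all sample addresses are assumed placeholders, not a real bank.

```python
"""Flag e-mail sender domains that only look like a trusted domain.
Added example; 'hansebank.example' and the sample addresses are constructed."""
import re

# Character groups that render almost identically to their ASCII target.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(text: str) -> str:
    """Lower-case and fold look-alike characters so 'han5ebank' reads 'hansebank'."""
    text = text.lower()
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the classic typosquat (dropped/added letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From: address.
    Trusted domains are assumed to have at least two labels (e.g. 'bank.example')."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"          # exact domain or a genuine subdomain of it
    labels = domain.split(".")
    if any(lab.startswith("xn--") for lab in labels):
        return "lookalike"        # IDN label: may render like ASCII, is another domain
    sld = normalize(labels[-2]) if len(labels) >= 2 else normalize(labels[0])
    for t in trusted:
        t_sld = normalize(t.split(".")[-2])
        if t_sld in normalize(domain):
            return "lookalike"    # brand embedded: 'hansebank.example.evil.net'
        if edit_distance(sld, t_sld) <= 1:
            return "lookalike"    # one-character typosquat: 'hansbank.example'
    return "unknown"
```

The embedded-brand rule is deliberately strict: a legitimate partner whose domain happens to contain the bank's name would also be flagged, which is the safer default for a warning banner.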

For companies, there are ways and means to raise employee awareness of phishing attacks. Simply contact us without obligation (https://hansesecure.de/security-awareness/).

Click here for the full feature on Kabel 1:

https://www.kabeleins.de/tv/achtung-abzocke/videos/52-auf-diesen-phishing-trick-koennten-auch-sie-reinfallen-ganze-folge