Current waves of phishing prove it – cybercriminals are creative.

Now, for example, you also have to watch out for phishing SMS messages sent in the name of DHL, claiming that a package is waiting at the distribution center and can be sent on its way for two euros. The recipient is supposed to pay this amount via a link and is thereby cleverly lured into a subscription trap.

What is Phishing?

Cybercriminals trick the victim into electronically disclosing something that does not belong in someone else's hands. Even though many users now recognize obvious phishing attacks on closer inspection, this type of cybercrime remains a persistent scourge.

Targeted phishing is becoming the norm

Phishing attacks have evolved beyond conspicuous grammar mistakes, impersonal salutations, and other obvious tells. Nowadays, targeted phishing, so-called spear phishing, is considered standard criminal practice.

The attackers put a lot of effort into every single email to make it appear as genuine and credible as possible. Obtaining the personal data needed for this is easier than you might think, and much of it is collected automatically. Sophos has compiled practical tips for users and IT on how to deal with phishing emails that go beyond “Dear Customer”:


RECOMMENDATIONS FOR EVERY USER:

Do not let yourself be swayed by the amount of personal detail.

Even a stranger can easily present themselves as an “insider”: a friend of a friend, a former colleague, and so on. With a combination of collected information (from previous data breaches, social media profiles and old emails, whether as recipient or sender), even a criminal without much money or technical understanding can create a far more credible picture than any “Dear Customer” email.

Urgent calls to action should arouse suspicion.

“A large proportion of email fraud works because the fraudsters gain the trust of the victim or they present themselves as an authority, for example a superior in the company, and then play the trump card of the need to act urgently.”

This is how Michael Veit, security expert at Sophos, summarizes the success factors of targeted phishing.

The urgent task is often accompanied by flattery, for example an explanation of why the addressee, and no one else, was chosen for this incredibly important act. Labels such as “Confidential” and “intended only for the addressee” further isolate the victim. Users should not view this insistence on confidentiality as prudence, but classify it as suspicious.

Do not trust the email sender details.

One might be under the misconception that the scammers go out of their way to avoid encouraging the victim to scrutinize them. But sometimes the opposite is true, with them actively pushing for a call back or response - as part of the scam.

This gives them exactly the opportunity they need to convince the victim with their lies, and the victim falls into their trap. One reason financial institutions print their emergency contact details on the back of bank cards and show them on the welcome screens of their ATMs is that these sources are far more difficult to manipulate.

Never follow the instructions in an email on how to read it correctly.

“A common ruse used by phishing scammers is to hide malicious content. Macros, data-stealing software, are one such example. The seemingly harmless email is provided with a preface explaining how it should be viewed “correctly” by changing various settings. Normally these instructions are quite plausible, but the fraudsters lure the recipient so cleverly that the very functions that are supposed to protect them are undermined.”

Veit explains.

Don't be afraid of a second opinion

The four-eyes principle is useful not only for spelling and grammar, but also for evaluating suspicious phishing emails. That is precisely why fraudsters rely on the confidentiality effect to circumvent this control.
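The warning signs listed above (urgency, enforced confidentiality, sender details that do not add up, and instructions to change reader settings) can also be checked mechanically before a message ever reaches a person's inbox. The following is an added example, not code from the article or from Sophos: a small triage script that parses raw email messages with Python's standard library and reports which of those signals are present. The two sample messages at the bottom are constructed for illustration, and the regular expressions are a deliberately short starting list rather than a complete ruleset.

```python
"""Heuristic triage of incoming mail for the spear-phishing signals above.

Added example (not the article's or Sophos' own code). Signals checked:
  * Reply-To domain differs from the From domain (answers go elsewhere)
  * urgency language ("immediately", "within 2 hours", ...)
  * enforced confidentiality ("intended only for", "do not forward", ...)
  * instructions to change reader settings ("enable macros/editing/content")
  * a push for a call-back or direct reply
Each signal counts once, so the score is the number of distinct signals.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Pattern lists are illustrative assumptions, not a vetted production ruleset.
SIGNALS = {
    "urgency": [
        r"\bimmediately\b", r"\burgent(ly)?\b", r"\bright away\b",
        r"\bwithin (the next )?\d+ (hours?|minutes?)\b",
        r"\bbefore (the )?end of (the )?day\b",
    ],
    "confidentiality": [
        r"\bconfidential\b", r"\bintended only for\b",
        r"\bdo not (forward|share|discuss)\b", r"\bkeep this between us\b",
    ],
    "settings_instructions": [
        r"\benable (editing|content|macros)\b",
        r"\bdisable (your )?(antivirus|protected view)\b",
        r"\bchange (your )?(security )?settings\b",
    ],
    "callback": [
        r"\bcall (me|us) (back )?(at|on)\b", r"\breply (to this|directly)\b",
    ],
}


def _domain(header_value: str) -> str:
    """Lower-cased domain of an address header, or '' if none is present."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Parse one raw RFC 5322 message and return {'score': n, 'findings': {...}}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    findings = {}
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings["reply_to_mismatch"] = f"{from_dom} -> {reply_dom}"
    for name, patterns in SIGNALS.items():
        hits = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if hits:
            findings[name] = hits
    return {"score": len(findings), "findings": findings}


# Constructed sample: a "CEO" spear-phish with every signal present.
SPEAR_PHISH = b"""From: "Dr. Anna Chief" <anna.chief@example.com>
Reply-To: anna.chief.private@mail.example.net
To: bob@example.com
Subject: Urgent: wire transfer needed today
Content-Type: text/plain; charset=utf-8

Bob, I chose you for this because I trust you completely.
Please handle this immediately and keep it strictly confidential.
Open the attachment and click Enable Editing, then Enable Content,
so the figures display correctly. Call me back at +1-555-0100 if
anything is unclear. This message is intended only for the addressee.
"""

# Constructed sample: an ordinary internal message with no signals.
BENIGN = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset=utf-8

Hi Bob, do you want to go for lunch on Thursday? Let me know.
"""

if __name__ == "__main__":
    for label, sample in (("spear-phish", SPEAR_PHISH), ("benign", BENIGN)):
        print(label, triage(sample))
```

A score of zero is no guarantee of safety, so in practice the result is a hint for the four-eyes review rather than a verdict: messages with a high score are the ones worth forwarding to the reporting address the IT recommendations below describe.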


RECOMMENDATIONS FOR ACTION FOR THE IT DEPARTMENT:

Designate a single point of contact for cybersecurity cases

Many spear phishing attacks are successful because employees are determined to do the right thing in their understanding of helpful customer service. Nobody wants to risk going down in company history as the ex-colleague who told the most important customer “get out”.

Setting up a dedicated reporting point, such as an internal email address like security-report@example.org, gives employees an easy way to ask for security advice. And it is better to ask BEFORE, rather than after, acting on a suspicious email.

Cybersecurity should be a two-way street.

In the 1990s and 2000s, the mantra that cybersecurity was best left to IT often held true without exception. But this attitude creates a culture in which everything that IT has not blocked is assumed to be secure.

Yet even the best-protected websites can be attacked, and if an employee notices something conspicuous, they should be taken seriously rather than being brushed off with a reference to IT's authority. Prevention is better than aftercare.

Phishing simulations as training camp

Training with simulated phishing emails can encourage employee engagement across the company. There are now dedicated training tools (such as Sophos Phish Threat) that use harmless phishing dummies for practice. It is important to treat this as a tool for improvement, not for surveillance, because the fraudsters never tire of turning new users into victims of increasingly sophisticated phishing attacks every day.

Source: Jörg Schindler/Sophos
Article image: Shutterstock / From Rawpixel.com
