Phishing attacks: How to avoid them

An email from a Nigerian prince lands in your mailbox. If you help him get hold of his lost fortune, he will reward you handsomely. These and similar cases of cybercrime are now so well known that hardly anyone falls for such an email promising riches. The more our lives take place in the digital space, the more interesting and lucrative a successful Internet scam becomes for criminals. You'll never fall for that? That's what the owner of a Ledger crypto wallet thought until he lost 267,000 US dollars after falling for a phishing email. BSDEX shows you how to be safer online so that your crypto assets don't end up in the wrong hands.

What is phishing? A brief explanation

Emails whose senders conceal their true identity and instead impersonate another person or company are known as phishing. As a rule, the fraudsters copy the design of a well-known and trustworthy brand with the aim of obtaining your sensitive data, such as your user name or password. The emails sent often look confusingly similar to those from Deutsche Post / DHL, Amazon or PayPal. The term is derived from classic fishing: bait is laid out to trick the fish into thinking it is a tasty meal, and instead of enjoying the worm, the fish ends up on the hook. Neither the fishing lure nor the phishing email ends well for the victim if it is successful.

Phishing attacks are becoming a daily occurrence: facts and figures 2022

The annual global damage caused by cybercrime can only be estimated. Cybercrime Magazine estimates that it will be USD 6 trillion in 2021, and the trend is rising. For comparison, Germany's gross national product in 2021 was around 3.3 trillion US dollars. Cybercrime is not, as often portrayed in Hollywood, carried out by the nerdy hacker in the basement. It is an industry with more economic power than any country in the world except the USA and China. 320 billion emails are sent worldwide every day (Statista, 2021). According to CyberTalk.org, around 5% of these, or 15 billion emails, are spam, and almost one in three of them is opened. Put simply, anyone who opens 100 emails a day also opens 1-2 spam or phishing emails. The Anti-Phishing Working Group Inc (APWG), which publishes quarterly statistics specifically on phishing attacks, recorded the highest number of phishing emails ever for the first quarter of 2022. The figures show that phishing attacks are a real threat that affects all of us.

Popular victims of phishing attacks: companies and private individuals

Criminal organizations think and act just as economically as legal organizations. For this reason, they target people who can achieve a high return with the least possible effort.

Companies are a popular target for cybercrime

High-yield targets are usually companies. The following story illustrates the danger of phishing in everyday working life: You may have already received an email purporting to be from your boss: "Hello Sven, this is Monika, your CEO. I need you to do something for me urgently. Please get back to me and keep it to yourself". The average German employee receives 26 emails per day, plus messages via Teams or Slack. Between meetings, emails and lunch breaks, an email from the CEO pops up in the mailbox. Without giving it much thought, Sven replies to the email. He doesn't even notice that the boss's name is spelled M0nika and that the email from the otherwise correct boss contains a few grammatical errors. After the second or third email at the latest, many people realize that this is a scam. Too many grammatical errors, unusual behavior on the part of the "boss" or statements that show the person is not familiar with the company's procedures often blow the criminals' cover.

Crypto investments by business customers are still a rarity, especially in Germany. However, as the number of companies investing in cryptocurrencies such as Bitcoin or Ethereum increases, it is very likely that the number of phishing emails aimed at obtaining cryptocurrencies will also increase.

Spear phishing: the great danger for companies

Poorly crafted bulk messages almost always attract attention. Many of them probably end up directly in the spam folder and never reach the recipient. But spear phishing is particularly perfidious. Instead of sending masses of emails, the criminals look for a specific victim and carry out intensive research. They know the names of the employees, know the processes in the company and know who has access to the account. Social media channels are a popular source of information. The CEO of a company posts pictures from vacation? The informed cybercriminal can use this to send a phishing email. It could look like this: "Hello Ms. Müller, as you know, I'm currently on vacation on Sylt. The company Elektro-Paul has just called me, apparently the last bank transfer has not arrived. Could you please send 20,000 euros by instant bank transfer to the following IBAN?"

Private individuals are also victims of phishing

The same applies to private individuals. We are familiar with fake emails from DHL and PayPal. Even the daily email claiming that our Amazon account has been blocked only makes us smile in the morning. But thanks to our social media activities on Twitter, Instagram, LinkedIn and TikTok, criminals can very easily launch targeted phishing attacks. Someone complains to the post office via Twitter about a missing parcel? The matching email is already on its way. Someone posts on Instagram that their next vacation is just around the corner? An email in the name of the insurance company may be in their inbox tomorrow. As soon as the phishing email matches the target's current situation, the likelihood that the message will be responded to increases. Crypto topics are mainly discussed on Twitter, but also on Instagram and in many different forums. Anyone who writes there under their real name or reveals their email address makes it easier for criminals to send personalized phishing emails aimed at taking over their crypto wallet.

Phishing attacks in the financial and crypto sector

An attractive target for phishing attacks is access to financial tools such as current accounts, credit cards or crypto wallets. For this reason, attempts are often made to obtain access data in various ways. Fraudsters repeatedly pose, by phone or email, as representatives of a bank or crypto provider who want to win new customers. During the conversation, they try to obtain the victim's login details. As soon as there is money in the account, the fraudster withdraws it. Alternatively, the fraudsters pretend to be service employees who need to solve a problem that has arisen with the customer, which of course requires access to the account. There are no limits to creativity, and there are always new stories and approaches to trap new victims. The customer support teams at banks and crypto trading venues have seen time and again that this scam really works: either customers are surprised by an empty account, or the criminals have even managed to lock the customer out of their own account entirely. BSDEX employees will never ask you for your access data. For security reasons, we also do not carry out screen sharing with our customers.

Data leak at Ledger - Dangerous phishing emails for crypto owners

Various Ledger customers fell victim to a phishing attack in the summer of 2020. Ledger is one of several providers of physical crypto wallets (cold wallets). The attackers did not manage to hack the Ledger devices, but they did obtain data from a leak: employees of Shopify, which provides the online store for Ledger, gained access to customer data and sold it. Several hundred thousand personal data records ended up in foreign hands. A short time later, phishing emails were sent to owners of Ledger devices. One customer lost more than 267,000 US dollars as a result. The company Bitbox, another provider of cold wallets, also experienced a data breach in August 2022. Again, it was not due to an insecure device, but to the email marketing tool. Despite security precautions, the email addresses and names of many customers were stolen. Phishing attacks based on this data have not yet been reported.

How to defend yourself against phishing attacks

Multi-factor authentication also protects against data loss

Statistics show that the number of spam messages is increasing every year and so is the risk of having a fraudulent email in your inbox one day that is deceptively genuine and that you cannot (immediately) recognize as a scam. In the worst case scenario, you enter your access data on a fraudulent website. Instead of logging in, the criminals receive your access data. However, this does not necessarily mean that they will gain access to the account in question. Thanks to multi-factor authentication, it is no longer enough to have just one piece of information that identifies you as the owner. As a rule, a TAN or biometric recognition such as a fingerprint is also required. For example, you can only log in to BSDEX if you enter the TAN you receive on your cell phone. Access to the account is only possible if the criminals also manage to obtain the TAN. It is becoming increasingly common, especially in the crypto sector, to include an individual code number in the email. Customers can determine this code number themselves and quickly check whether the number is present and correct in an email. Without access to a company's database, criminals cannot obtain the code number - unless the victim shares it with others.

Pay close attention to the sender of an email

Email addresses always belong to a corresponding domain. Emails from BSDEX, whose website domain is bsdex.de, are always sent from addresses ending in @bsdex.de. This also applies to companies such as Amazon, DHL, etc. An email that comes from @amazon.de can usually only have been sent by a real Amazon employee. If the criminals make less effort, they do not bother with the email address at all but instead set the sender's display name so that it looks like the correct one. An email you receive from Bernd Meyer is shown in your email program as sender = Elektro Paul customer support. If you click on the name, the actual email address is displayed, for example kundensupport@elektro-paul.de. With the genuine company, the address would be kundensupport@elektro-paul.de. With the fake, the address is arbitrary, for example ekkA63h@firemail.com. If the criminals go one step further, they buy a domain that looks confusingly similar to the site being copied. Instead of elektro-paul.de, the domain is now called elektr0-paul.de, or they replace the lowercase L with a capital i: hardly anyone can tell whether it is l or I. The display name is now identical to the real Elektro Paul, namely "Kundensupport Elektro Paul", and the address is kundensupport@elektr0-paul.de. If the criminals also manage to make the design look good, it becomes difficult to identify the forgery immediately. But be careful: unfortunately, it is now even possible to forge the entire email address, so that checking the sender's address alone tells you nothing about the true sender. If you want to check the sender very carefully, you have to inspect the mail header. In this way, even those who manage to copy a company's real email address can be exposed. However, this is technically complex and difficult for a layperson to do.
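The three sender checks described above (display name versus actual address, look-alike domains with swapped characters, and the mail header as the only evidence that survives a forged address) can be automated. The following Python script is an added example and not code from BSDEX; the domain elektro-paul.de, the brand name and the three messages are constructed for this illustration. It folds commonly swapped characters (0 for o, capital I or 1 for lowercase l, "rn" for m) back onto the letters they imitate before comparing domains, and it treats the Authentication-Results header, which your own receiving mail server writes after checking SPF and DKIM, as the header-level evidence the text refers to.

```python
"""Sender checks: display name vs. address, look-alike domains, and the
authentication result recorded in the mail header."""
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the fictitious company used on this page.
EXPECTED_DOMAIN = "elektro-paul.de"
BRAND = "elektro paul"

# Characters commonly substituted for the letters they resemble.
# The fold runs before lower(), so a capital I becomes l (not i).
_FOLD = str.maketrans({"0": "o", "1": "l", "I": "l", "|": "l", "5": "s", "3": "e"})


def normalize(domain: str) -> str:
    """Fold look-alike characters so that "elektr0-paul.de" and
    "eIektro-paul.de" both compare equal to "elektro-paul.de"."""
    return domain.translate(_FOLD).lower().replace("rn", "m")


def check_sender(raw_message: str) -> dict:
    """Return the sender domain, a verdict and a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    findings = []

    if domain != EXPECTED_DOMAIN:
        if normalize(domain) == normalize(EXPECTED_DOMAIN):
            findings.append(f"look-alike domain {domain!r} imitates {EXPECTED_DOMAIN!r}")
        else:
            findings.append(f"address domain {domain!r} is not {EXPECTED_DOMAIN!r}")
        if BRAND in display_name.lower():
            findings.append(f"display name {display_name!r} claims the brand, the address does not")

    # Even an exact domain match can be forged. The Authentication-Results
    # header added by *your own* receiving server records whether SPF/DKIM
    # verification passed. Its absence means "unknown", never "safe".
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dkim=pass" not in auth and "spf=pass" not in auth:
        findings.append("no passing SPF/DKIM result in Authentication-Results")

    return {
        "domain": domain,
        "display_name": display_name,
        "verdict": "suspicious" if findings else "consistent",
        "findings": findings,
    }


# Constructed sample messages (not real mail).
GENUINE = """\
From: Kundensupport Elektro Paul <kundensupport@elektro-paul.de>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=elektro-paul.de; dkim=pass header.d=elektro-paul.de
Subject: Ihre Rechnung

Sehr geehrte Frau Mueller, anbei Ihre Rechnung.
"""

LOOKALIKE = """\
From: Kundensupport Elektro Paul <kundensupport@elektr0-paul.de>
Subject: Zahlung nicht eingegangen

Bitte ueberweisen Sie umgehend.
"""

FREEMAIL = """\
From: Kundensupport Elektro Paul <ekkA63h@firemail.com>
Subject: Zahlung nicht eingegangen

Bitte ueberweisen Sie umgehend.
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("look-alike", LOOKALIKE), ("freemail", FREEMAIL)):
        result = check_sender(sample)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The fold table is deliberately small; extend it with the substitutions you actually see. Run the check on both the expected and the received domain, never on one side only, otherwise genuine domains containing a digit would be flagged.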

Grammatical errors

Phishing emails are usually written by non-native speakers. There are over 7,000 languages worldwide. With the 13 most spoken languages in the world, you would already reach more than half of the world's population, but hardly anyone speaks that many languages fluently. Cybercrime takes place worldwide, so simple translation tools are used to reach as many people as possible. Do you receive an email from a reputable provider whose text contains various grammatical errors? Then someone is probably trying to deceive you. If the message is sent in a foreign language, you can probably delete the email straight away. At the moment (September 2022), BSDEX only communicates in German in emails.

Do not click on links in emails, but open the page directly

Phishing emails often refer to an acute problem that is intended to frighten the victim. "Your account has been blocked", "Someone has accessed your account", "Suspicious activity has been detected". All these messages require you to log in directly and check the situation. Play it safe and don't click on the link in the email. Use your browser instead. Ideally, you should have a bookmark for the most important websites to prevent any criminal activity. A Google search will also normally display the original page. This way you can check whether the content of the email is correct. If you still have doubts, it can be helpful to contact support directly. They are usually familiar with the marketing activities and can quickly identify phishing.

Design of the email looks strange

Sending a visually high-quality HTML email that looks good on all devices is very time-consuming. Many companies have email marketing managers for this task. Every browser and every email client has a different technical structure. Real companies take the time to overcome these technical hurdles in order to provide their customers with a good customer experience. It's not impossible for an email from a reputable company to look strange on your device, especially if you're using older or unusual devices. But oddly formatted emails can indicate a phishing email. Criminals do not test the design on different devices and browsers. They often simply insert the logo of a company and possibly copy the footer. If the design seems strange to you, check the sender's email in the next step, for example.

Anti-virus tool or spam filter tool

The spam filters of major email providers such as Yahoo and Google already recognize many unwanted messages. However, both companies and private individuals can protect themselves even further. Anti-virus tools are suitable for private individuals. These often contain spam filters that work together with the installed email program. Professional B2B providers that specialize in email security are particularly suitable for companies. Some providers can detect phishing attacks very well thanks to suitable algorithms. In particular, phishing emails sent in the name of the CEO can be avoided very easily.

No or incorrect individual salutation

Many companies where you are a customer know your name. For this reason, you are addressed by your first and last name in many emails. Companies are usually very consistent in their communication. Your bank has always addressed you by your surname and suddenly an email says "Dear customer"? Criminals usually send phishing emails in bulk. Phishing attacks that are based on stolen data records and contain your complete data are much rarer. Pay more attention if you are not addressed personally. Incorrect spelling in particular should lead to increased attention.

The sender exerts time pressure

Pressure is a popular means of forcing people to make unwanted decisions. Panic words such as "Now", "Immediately", "Last chance", "On the spot" or "Unusual", "Blocking", "Termination", "External access" make the recipient feel uncomfortable and can lead to a hasty reaction. But it is precisely at such moments that a calm and considered reaction should follow. Check the sender, check the spelling, check the link. If necessary, open the website of the alleged sender manually in your browser and verify the information in the email.

Check the sender link carefully

It is possible to check an outgoing link both on the smartphone and on the computer. If there is a link or button in an email, hover over it with the mouse and wait a moment. You will see the address that a click would take you to, either at the bottom left of the window or directly next to the mouse pointer. On a smartphone, a long press on the link is usually sufficient: instead of opening directly, a small preview appears that includes the link. This allows you to check at your leisure whether the URL matches the stated sender. A slight deviation in the URL, such as "mercedes.de" versus "merzedes.de", is an indication of phishing. However, a completely different URL can also mean that the company works with a specific email provider or URL shortener; links from the URL shortener bitly, for example, are often found in emails. If you are unsure, open the provider's page directly in your browser.
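The hover check above compares the visible link text with the address behind it. The Python script below is an added example and not code from BSDEX; it does the same comparison over the anchors of an HTML email body, classifying each link as pointing to the expected site, to a known URL shortener (destination unknown, so open the site yourself, as the text advises), to a look-alike disguised behind genuine-looking link text, or to an unrelated domain that may simply be the mailing provider. The domain mercedes.de, the shortener list and the sample HTML are assumptions constructed for the illustration.

```python
"""Classify the links in an HTML email by where they really point."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the genuine website of the alleged sender, and shorteners whose
# real destination cannot be seen without following the link.
GENUINE_DOMAIN = "mercedes.de"
KNOWN_SHORTENERS = {"bit.ly", "bitly.com", "t.co", "tinyurl.com"}

# Something that looks like a domain inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_site(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(href: str, text: str) -> str:
    """'ok', 'shortener', 'mismatch' (text shows the genuine site but the
    target differs) or 'foreign' (unrelated domain, e.g. a mail provider)."""
    host = (urlsplit(href).hostname or "").lower()
    if same_site(host, GENUINE_DOMAIN):
        return "ok"
    if host in KNOWN_SHORTENERS:
        return "shortener"
    shown = _DOMAIN_IN_TEXT.search(text.lower())
    if shown and same_site(shown.group(0), GENUINE_DOMAIN):
        return "mismatch"
    return "foreign"


def check_links(html_body: str) -> list:
    """Return (href, visible text, classification) for every anchor."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, classify_link(href, text)) for href, text in collector.links]


# Constructed sample email body (not a real message).
SAMPLE_HTML = """
<p>Ihr Konto wurde gesperrt. Bitte melden Sie sich sofort an.</p>
<a href="https://www.mercedes.de/login">Zum Login</a>
<a href="https://merzedes.de/login">https://www.mercedes.de/login</a>
<a href="https://bit.ly/constructed-example">Jetzt pruefen</a>
<a href="https://mailtrack.example-newsletter.net/c/123">Newsletter abbestellen</a>
"""

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_HTML):
        print(f"{verdict:9s} {href}  (shown as: {text!r})")
```

The "foreign" class is intentionally not called phishing: as the text notes, tracking or newsletter domains of a legitimate mail provider land there too. "mismatch" is the one class that is almost never innocent, because the visible text names the genuine site while the target does not.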

Does the receiving email address match the account?

One email address for serious matters and one for advertising and unimportant internet accounts: this is how many people do it, and having more than one email address is not uncommon. You are registered with your bank under your Google mail address, but receive an email at your Yahoo address? This is very unusual, because companies will always use the same email address unless you proactively change it. Always check which address the email was sent to.

Awareness training: creating awareness and sensitizing ourselves

You're always smarter afterwards. Nobody who works in an IT security department and has just witnessed a virus spreading to all the company's devices wants to hear this sentence. Nor does a boss want to hear this sentence after the finance department has reacted to a phishing attack and transferred 40 million euros. This is why companies should regularly raise awareness of the risk. A frequently used method is the internal phishing attack. For example, companies send a CEO fraud email to the entire company. A few days later, they report on the test and show how many employees responded to the phishing attack. You will be surprised at the number of victims who, without prior awareness training, did not even know that such attacks existed.

Conclusion: The biggest IT security problem is people. Be vigilant and pay attention to your data too

There is often discussion about how secure a company's IT is. However, the biggest security gap is often located in front of the computer. By raising awareness of cybercrime, you can quickly identify many scams and stay safe in the digital world. Of course, an email without an individual salutation does not automatically have to be spam. Even a somewhat strange-looking URL can simply have technical reasons. But by checking just a little information, you can quickly identify potentially dangerous emails and easily increase the security of your data. This way, you not only protect your access to your BSDEX account, but to all online accesses that you have. This also keeps your crypto wallet in your hands in the future.

Sources

https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021/
https://de.wikipedia.org/wiki/Liste_der_L%C3%A4nder_nach_Bruttoinlandsprodukt
https://www.cybertalk.org/2022/03/30/top-15-phishing-attack-statistics-and-they-might-scare-you/
https://docs.apwg.org/reports/apwg_trends_report_q1_2022.pdf?_ga=2.163774207.1531246799.1663225619-4666965.1663225619&_gl=1*39e0a3*_ga*NDY2Njk2NS4xNjYzMjI1NjE5*_ga_55RF0RHXSR*MTY2MzIyNTYxOC4xLjEuMTY2MzIyNjExOS4wLjAuMA..
https://de.statista.com/statistik/daten/studie/150407/umfrage/die-zehn-meistgesprochenen-sprachen-weltweit/
https://de.cointelegraph.com/news/ledger-faces-class-action-from-phishing-scam-victims
https://shiftcrypto.ch/blog/datenleck-der-activecampaign-marketing-plattform/