the aspectra blog IT know-how & more, since 2012

Phishing emails: seeing through the bait

Phishing is a (more or less) sophisticated form of fraud and remains the biggest gateway for criminals to gain access to corporate networks. We want to take a look at some of the stylistic quirks and 'fails' of the phishing world and, more importantly, how to spot these scams in time.

Phishing is a targeted manoeuvre to obtain personal information and/or cause financial or reputational damage. The primary goal is often to trick unsuspecting recipients into revealing confidential information such as passwords, credit card details or personal identification information. Victims are usually directed to fake websites and asked to enter sensitive information. This information is then used by criminals to carry out fraudulent activities, such as stealing money, identity theft, blackmail or infiltrating corporate networks. Sometimes, clicking on a link (e.g. to a fake Zoom call) installs malware directly on the computer.

The tactics are varied. They range from fake emails (or text messages - although this article is limited to email, which is still the most common attack vector) pretending to be from banks, government agencies, trusted service providers, customers, bosses or colleagues, to supposed prize notifications. Phishing aims to trick recipients into taking actions they would not normally take by exploiting their emotional response - be it fear, curiosity or greed.

When phishing gets creative

Phishing emails can be surprisingly creative, but there are some telltale signs. Whether it's poor translations, exaggerated claims (everyone knows the Nigerian prince scam by now) or adventurous stories ("Someone has just tried to log in to your account using your password. We have blocked them, but for your security, please check your account transactions - link here") - the attempts at manipulation can seem quite bizarre. But behind the facade of bizarreness lurks serious danger.

The biggest "fails" - lessons learned from phishing mishaps

Even in the world of Internet fraud, scammers are not infallible. Unintentional spelling mistakes (such as "ß" or "ç" in supposedly Swiss German texts), inconsistent sender and domain addresses, and other slip-ups (such as "Sent from my iPad" suddenly replacing a familiar signature, or texts written in a language other than the company's usual) are telltale signs. These mishaps are not only amusing, but also instructive.

How can I spot a phishing email?

Recognising phishing attempts requires experience and common sense. Look for suspicious sender addresses, especially if they do not match the purported organisation. Be suspicious of any unexpected attachments or links (never click on them!) and check the URL carefully, looking for any typos or inconsistencies. You should also be suspicious of any attempts to create a sense of urgency and threats of consequences such as loss of money, criminal charges or your credit card being cancelled. Phrases such as "Click now, or else..." should always put us on our guard and trigger a healthy dose of scepticism.
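The three checks this paragraph recommends (sender address versus claimed organisation, link text versus link target, and pressure wording) can be automated as a first-pass triage. The following is an added example, not code from the aspectra blog; the sample messages are constructed, and the "last two labels" domain heuristic and the urgency word list are simplifying assumptions.

```python
"""Heuristic checks for the signs the post lists: sender/organisation mismatch,
link text vs. link target mismatch, urgency wording. Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY = ("click now", "immediately", "within 24 hours", "account will be blocked")
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)
DOMAIN_IN_NAME = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

# Constructed sample: display name shows a bank address, real sender and link use a look-alike domain.
SAMPLE = """From: "Example Bank <security@example-bank.com>" <alerts@examp1e-bank-login.com>
To: user@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Someone tried to log in. Click now or your account will be blocked.</p>
<p><a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a></p>
"""

def registered_domain(host):
    """Last two labels of a host name (assumption: no public-suffix list needed)."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def analyse(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(addr.rpartition("@")[2])
    # 1. A domain written into the display name that differs from the real sender domain.
    claimed = DOMAIN_IN_NAME.search(name)
    if claimed and registered_domain(claimed.group()) != sender_dom:
        findings.append(f"display name claims {claimed.group()} but sender is {sender_dom}")
    body = msg.get_payload()
    # 2. Anchor text that looks like a URL but points at a different domain.
    for href, text in ANCHOR.findall(body):
        shown = text.strip()
        if shown.lower().startswith(("http://", "https://")):
            shown_dom = registered_domain(urlparse(shown).hostname)
            href_dom = registered_domain(urlparse(href).hostname)
            if shown_dom != href_dom:
                findings.append(f"link shows {shown_dom} but targets {href_dom}")
    # 3. Pressure wording ("Click now, or else...").
    lower = body.lower()
    findings.extend(f"urgency phrase: '{p}'" for p in URGENCY if p in lower)
    return findings
```

Run `analyse(SAMPLE)` to see all three categories fire on the constructed message; a mail with a matching display name, consistent links and no pressure wording returns an empty list.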

AI deception - a new dimension to the threat landscape

Advances in AI technology are taking the sophistication of phishing emails to a new level. AI tools such as ChatGPT are now able to generate human-like text, making traditional phishing attacks more realistic by avoiding spelling and grammatical errors and using a convincingly professional writing style. This makes it even more difficult to distinguish between real and fake messages. In addition, chatbots and similar tools can create and distribute phishing campaigns much faster than humans ever could on their own, increasing the attack surface enormously. On the other hand, AI can bolster defensive capabilities in a "fight fire with fire" manner. Used correctly, AI tools are particularly suited to detecting AI-assisted phishing attempts. Generative AI models can also make awareness training much more personalised, efficient and effective.

Anti-phishing defences

Spotting phishing emails takes a keen eye and awareness of subtle clues. See also our blog for recommended technical precautions and steps to raise employee awareness. Stay informed, train yourself and your staff regularly on the latest phishing tactics, and rely on security solutions that give you reliable protection. In a world where scams are constantly evolving, vigilance is the key to digital security.

Sources and further information: