The  phishing  is a method by which a user's personal information is obtained through fictitious websites, email or other messages. This information is mainly used for illegal purposes. The term is derived from the word "fishing" and refers to bait and fishing for informational purposes.

​

Phishers create authentic-looking websites to increase user trust. Specific and general emails are then used to entice users to visit the fraudulent provider's site. You can cause a message to be displayed warning users of a suspected attack. For authentication and to activate the security system, the user is expected to enter his personal data. These are often intercepted by malware such as a Trojan horse. On malicious websites, malware will be installed automatically when you visit the site to  control and monitor  subsequent user actions. A frequent goal of phishers is to obtain usernames and passwords for online banking or credit card information, and then use them to steal. In the man-in-the-middle technique, the attacker gains access to the user's server and then forwards it to fake websites. This is the most demanding type of phishing, since  you can't see any changes on the local machine.

​

Phishing methods in attacks

​

There are a few ways to disguise phishing attacks.

• Email

A camouflage through emails is done by writing emails  HTML . The user is linked to invisible spoofed addresses even though the original website was displayed in the link text. Also, normally  the sender's email address is spoofed  to make it more similar to the original.

• Websites

Fake websites are often characterized by the fact that these fake names and designations are similar to those of the imitated company. This means that the website will be  difficult to identify as a fraud. An imitation of the original domain is usually done by using identical letters in the URL (I as uppercase i, l as lowercase L). This means that the user thinks that he is visiting the authentic website, but in reality  it is addressed to a fake.

• SMS

A confirmation of a permanent contract is sent via SMS. To opt out of this contract, a link is named that the user is supposed to click. Through this visit, the malware is released.

​

Protection

Since HTML or scripts are often used in email messages, you can disable it to protect yourself against phishing attacks. Also, some antivirus programs can detect phishing emails, so  we recommend the use of these. However, they should always be up to date. Financial institutions are increasingly using certificates  SSL  with Extended Validation. These allow you to open an additional field in the address line, alternately indicating the owner of the domain and the certification body. The address bar is sometimes shown in green, to direct the user's eye to it, to make sure it is correct. Other programs can also recognize phishing emails based on  typical criteria. Another means of protection for online banking is the smart card signature-protected HBCI process. This type of online banking does not require the introduction of TANs. The iTAN method can also be applied. However, this is ineffective against man-in-the-middle attacks.

Consequences

A successful phishing attack can have  devastating consequences. On the one hand, it can be charged to the account of the interested party. In addition, contracts can be concluded on behalf of the user. Another possibility is that the user identification is used to  Criminal activities.

​

RELEVANCE

Usually all suspected phishing sites  are excluded from the search engine's index, so as not to put search engines at risk. Website operators are at risk of unknowingly linking to malware or phishing sites. Therefore, it is advisable to routinely scan the website for internal outbound links. If you link to such a website, it may happen that the search engine associates the website with sites of  spam  and the site is excluded from the index.

​

More information (Only in English)