Lesson 19 – Phishing attacks: How to avoid them

What is phishing?

Phishing involves emails where senders disguise their true identity, posing as a different person or company. Typically, scammers mimic the design of well-known and trustworthy brands with the goal of obtaining sensitive information such as usernames or passwords. Often, emails are sent that look almost identical to those of Deutsche Post/DHL, Amazon, or PayPal.

How to defend against phishing attacks

1. Multi-factor authentication: This adds a layer of protection against data loss. It requires more than one form of identification, often including a TAN or biometric recognition like a fingerprint.

2. Examine the email sender: Email addresses always belong to a corresponding domain. For example, if you receive an email from BISON, the email’s sender address should correspond to their domain, which is bisonapp.com. Be wary of any emails with a different domain or slightly altered spelling.

3. Grammatical errors: Phishing emails are usually written by non-native speakers. Cybercrime happens all over the world. That’s why simple translation tools are used to reach as many people as possible.
   Have you received an email from a reputable company that contains grammatical errors? Then someone is probably trying to scam you.

4. Email design: Genuine companies invest time to ensure their emails display correctly across devices and browsers. While it‘s not impossible for an email from a reputable company to look strange on your device, especially if you use older or unusual devices, strangely formatted emails can indicate a phishing email. Criminals do not test designs on different devices and browsers. Often, only the company’s logo or footer is inserted, and possibly the footer is copied. If you find the design strange, check the sender’s address as a next step.

5. Anti-virus or spam filter tool: The spam filters of large email providers like Google already recognize many unwanted messages. However, both companies and private individuals can protect themselves even further. Anti-virus tools are suitable for private individuals. These often contain spam filters that work with the installed email program.

6. Salutation consistency: Legitimate companies usually address you by your first or last name. They’re typically very consistent in their communication. Your bank has always addressed you by your last name and suddenly an email begins with “Dear customer”? Criminals usually send phishing emails in bulk. Phishing attacks using stolen data sets with your complete information rarely happen. If you are not addressed personally at the beginning of an email or find any misspellings within the content, be cautious and investigate further.

7. Carefully check sender’s link: On both smartphones and computers, it is possible to preview and check an outgoing link. If there is a link or button in an email, you can hover your computer mouse over the link/button and wait a moment. With a smartphone, pressing and holding on the link is usually sufficient. Instead of opening it directly, a small preview of the link will pop up. This way, you can calmly check whether the URL aligns with sender. Even a slight alteration in the URL, like “mercedes.de” and “merzedes.de”, is a sign of phishing. However, a completely different URL might indicate that the company is working with a certain email provider or URL shortener. For example, links from the URL shortener bitly are often found in an email. If you’re unsure, open the provider’s page directly in your browser.