
How to recognize dangerous phishing emails?

What is phishing?

The word phishing consists of the English words “password”, “harvesting” and “fishing”. Scammers use phishing to try to obtain confidential data from unsuspecting Internet users, for example account information for online auction platforms (e.g. eBay) or access data for internet banking.

Scammers exploit their victims’ good faith by sending e-mails with fake sender addresses. In these e-mails, the victim is told, for example, that their account information and access data (e.g. username and password) are no longer secure or up to date and that they must change them using the link provided in the e-mail. However, the link does not lead to the original website of the relevant service provider (for example, the bank), but to a website set up by the scammer.

A scammer can use the fraudulently obtained data to make bank transfers on behalf of the victim or to bid in an online auction.

Phishing attacks aim to expose personal data

Classic phishing, in which victims are tricked by e-mail into providing sensitive data such as credit card details, is on the rise. But in recent years there have also been a number of voice phishing attacks (see image below) targeting Swiss e-banking customers: phishing e-mails are sent claiming that the financial institution is setting up a new security system to protect its e-banking accounts. The e-mail says that a bank employee will contact the victim by phone to discuss and complete the process. For this purpose, the victim is asked to give their phone number in addition to their personal data.

Victims are then contacted by the scammers and persuaded to provide the password and the second security element under the pretext of increasing security.

For example, the victim is asked to enter a code into the card reader and report the result to the attacker. With this information, the scammer can log into the victim’s e-banking account and initiate a payment. If the so-called transaction signature is required to trigger the payment, the process is repeated, and the scammer asks the victim for this result as well. The phone call is always conducted professionally and often in Swiss German.

This is how you protect your data

  • If an e-mail asks you for personal information, do not provide it; delete the e-mail.

  • Immediately end phone calls that ask for passwords, credit card information, or other personal information. No bank asks its customers to enter, verify or update passwords, credit card information or other personal information by phone or e-mail.

  • Do not trust unsolicited emails.

  • Email addresses from trusted companies are especially popular for fraudulent purposes.

  • Customers who have given their password or credit card information to a fraudster as described above should immediately call the e-banking line of the relevant bank.

How to report phishing emails

  • Individuals who have been victimized and harmed by a phishing attack should first report it to the local police station.

  • If companies or other large organizations are affected, they can contact the National Cyber Security Contact Point. However, it is not the contact point’s job to initiate a judicial investigation. This is a matter for the Federal Police Department (Fedpol), acting on behalf of the Attorney General. Companies must file a complaint with the cantonal police.

  • Local police departments are in contact with Fedpol. If investigations cross national borders, Fedpol will exchange information with the responsible police force abroad.

Is phishing punishable?

  • Merely sending phishing e-mails is not punishable.

  • The message sent becomes relevant under criminal law only when a specific legal provision is violated.

  • The following typical criminal offenses are related to phishing e-mails: forgery of documents (Art. 251 StGB), money laundering (Art. 305bis StGB) or fraudulent abuse of a data processing system (Art. 147 StGB). The latter means that an attacker has accessed a database, for example, to harm the victim or steal money with the retrieved data.

  • Fedpol continually investigates cases that fall within federal jurisdiction. These include, for example, internationally linked economic crimes, terrorism-motivated crimes, or crimes that harm the state. The National Cyber Security Center (NCSC) has been reorganized because cybercrime takes place across cantonal and national borders. The competence center is an operational platform that enables better exchange and coordination between the federal government (Attorney General’s Office, Fedpol, cybersecurity contact point) and the cantons (cantonal police, cantonal prosecutors).

Example of a typical phishing email

Fake login for e-banking

The national focal point for cybersecurity warns of a scam in e-banking.

The scam involves criminals manipulating the login process for e-banking. Using social engineering, smartphone users are led to believe that they have to submit the information in the activation letter because the online banking system is being updated. The bank usually sends this letter to customers when they sign up for e-banking so that a second device can be approved for the mobile authentication method. In this way, the phishing scammers aim to obtain the color mosaic image that the victim has already scanned with their smartphone for registration.

The contact point warns that scammers can then log in to the victim’s e-banking by activating another smartphone for so-called two-factor authentication. From this point on, attackers can log into the e-banking portal at any time and trigger a payment to an account without the victim’s knowledge.

These safety precautions must be followed

Here are the top tips from the National Cyber Security Contact Point when dealing with e-banking:

  1. Never forward the information in the activation letter, even to the bank. It is intended for the customer personally. If in doubt, contact the bank directly and ask over the phone.

  2. When logging into e-banking on a mobile device (e.g. smartphone or PhotoTAN device), make sure that you are actually confirming a login and not approving a payment.

  3. Always read the full text on the mobile device when confirming a payment. To be safe, double-check the amount and the recipient (name, IBAN) before confirming the payment.

Anyone who fears that they have already fallen into the attackers’ trap should have their e-banking contract blocked immediately. You can find more information about security in e-banking at www.ebas.ch.

Author: observer online
Source: Blick
