Social Engineering Glossary

Phishing

Phishing is a social engineering attack in which attackers use fake emails, websites or messages to trick users into disclosing credentials or payment information, or into executing malware.

Phishing (from the English word fishing, with the ph added in reference to the hacker scene of the 1980s) is the most common entry point for cyberattacks. According to the BSI Situation Report 2024, over 90% of all successful ransomware attacks begin with a phishing email.

Phishing Variants

  • Standard Phishing: Mass mailing to many recipients, generic content ("Your account has been locked")
  • Spear Phishing: Targeted attack on specific individuals or organizations with personalized content. Significantly higher success rate – the attacker knows the name, position, and context.
  • Whaling: Spear phishing specifically targeting executives (C-level) – higher privileges, greater damage
  • Clone Phishing: A copy of a legitimate email with swapped links or attachments
  • Smishing: Phishing via SMS ("Your package is waiting – please pay customs fees")
  • Vishing: Phishing via phone call (voice phishing) – including AI-generated voices (deepfake vishing)
  • QR Code Phishing (Quishing): Malicious QR codes redirect to phishing sites, often bypassing email security filters
  • CEO Fraud / Business Email Compromise (BEC): Attacker impersonates a CEO and demands urgent wire transfers. FBI 2024: $2.9 billion in losses worldwide due to BEC.

Identification Characteristics

Technical Indicators:

  • Domain differs subtly from the genuine one (paypa1.com instead of paypal.com, or deutschebank-noreply.de)
  • No TLS certificate or invalid TLS certificate
  • Missing or incorrect DMARC/SPF/DKIM authentication
  • Unexpected sender; "Reply-To" differs from "From"

Content indicators:

  • Unusual urgency or threats ("Account will be locked in 2 hours!")
  • Requests for login credentials, payments, or personal information
  • Grammar errors (increasingly rare in AI-generated attacks)
  • Unusual attachments (.exe, .zip, .doc with macros, .iso)
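As an added illustration (not part of the original glossary entry), a small Python checker that flags three of the technical indicators listed above on a constructed message: a look-alike sender domain such as paypa1.com or deutschebank-noreply.de, a Reply-To domain that differs from the From domain, and spf/dkim/dmarc verdicts other than pass in the receiving server's Authentication-Results header. The trusted-domain allowlist and the sample message are assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not a real capture) exhibiting several technical indicators at once.
SAMPLE_EMAIL = """\
From: PayPal Service <service@paypa1.com>
Reply-To: collect@mail-recovery.example
Subject: Your account has been locked
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1.com; dkim=none; dmarc=fail header.from=paypa1.com

Your account will be locked in 2 hours! Log in at http://paypa1.com/login
"""
# Assumed allowlist of brands the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"paypal.com", "deutschebank.de"}
# Minimal digit-for-letter substitutions (1->l, 0->o); a real table would be far larger.
HOMOGLYPHS = str.maketrans("10", "lo")


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()  # '' when the header is absent

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates (e.g. paypa1.com, deutschebank-noreply.de), else None."""
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # the genuine domain or one of its subdomains
    normalised = domain.translate(HOMOGLYPHS)
    for t in sorted(trusted):
        if t.split(".")[0] in normalised:  # brand label embedded in a foreign domain
            return t
    return None

def auth_failures(msg):
    """spf/dkim/dmarc verdicts other than 'pass' taken from Authentication-Results."""
    joined = " ".join(msg.get_all("Authentication-Results", []))
    results = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", joined)
    return [f"{mech}={verdict}" for mech, verdict in results if verdict != "pass"]

def phishing_indicators(raw):
    """Human-readable indicator hits for one RFC 5322 message given as text."""
    msg = email.message_from_string(raw)
    hits = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        hits.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        hits.append(f"sender domain {from_dom} resembles {imitated}")
    return hits + auth_failures(msg)
```

Each hit maps to one bullet in the technical indicators list; a message with no hits is not thereby clean, since the content indicators still need a human reader.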

What happens after clicking?

Opening a phishing email itself is usually harmless. The danger arises from:

  1. Clicking a link: Leads to a fake login page → Credentials are stolen, or a drive-by download launches malware
  2. Opening an attachment: Macro-enabled Office documents load a payload (WINWORD.EXE → powershell.exe)
  3. Performing an action: Making a transfer, entering credentials, sharing a code

Immediate action if suspicious: Notify the IT department, immediately lock the affected account, reset passwords.

Protective measures

Technical:

  • DMARC/DKIM/SPF enforcement – prevents email spoofing of your own domain
  • Email security gateway (SEG) with URL rewriting and sandboxing
  • Browser-based URL filtering
  • MFA: No access even with stolen credentials (phishing-resistant FIDO2 is best)
  • [EXTERN] banner in the subject line for external emails

Organizational:

  • Regular phishing simulations with immediate feedback (do not punish, reward!)
  • Security awareness training – at least annually, preferably ongoing
  • Clear reporting process: "Phish Alert Button" in Outlook, confirmation email to the reporting team
  • Dual-control principle for payments above a certain amount
  • Call-back policy: Always verify identity by phone for critical requests

Further information: AWARE7 Phishing Simulations | Wiki: Recognizing Phishing