90% of these attacks occur via email. (Perseus 2020)
Let your business be protected by your employees. Phishing emails are by far the biggest digital threat for German companies. The Federal Office for Security and Information Technology (BSI) highlighted this danger in its 2018 management report on IT security. According to the BSI, 70 percent of all successful cyber attacks on small and medium-sized organizations were carried out via phishing emails.
These statistics quickly illustrate why phishing training for employees is high on IT security experts' list for the protection of SMEs. Phishing simulations with Perseus are easy and uncomplicated for you and your colleagues. Once you, as an administrator, have invited your employees to Perseus by entering their work email addresses, they automatically take part in our phishing simulation, with no administrative effort on your part or theirs.
Detecting phishing threats only works if phishing training is based on current and credible hacker campaigns. Our cyber security experts at Perseus are constantly researching the latest and most vicious phishing campaigns. To create our training, we draw our inspiration from these and ensure that your employees experience a real training effect with our phishing simulations.
The quality of our training is so high because it is based on real phishing emails from criminal hackers, but without the negative consequences, of course. Think of it as a vaccine. We test your employees with deceptively real phishing emails so that they are prepared for a real cyberattack and react properly.
Test your employees for free.
Phishing describes a technique by which criminals use false pretences to gain access to sensitive information or systems through various channels. Although phishing can also be carried out by telephone (vishing), SMS (smishing) or search engines (via fake websites), in most cases phishing means an attack via email. Criminals use these fraudulent emails to go after confidential corporate information. By pretending to be a person (colleague, boss) or organization (bank, service provider) from the victim's environment, the fraudsters exploit the victim's trust so that they readily disclose information.
The term "phishing" is derived from the word "fishing," and the image fits: criminal hackers cast their bait via email and thus "catch" access data for online banking, as well as usernames and passwords for email accounts, social networks or online shops.
The criminals de facto carry out identity theft and can use the hijacked access, posing as the person concerned, to place orders, make purchases, send messages or obtain sensitive information with which they subsequently blackmail the victim. Hackers use different strategies in their phishing attacks. These include mass emails that falsely appear to come from banks, shops or service providers, but also so-called "spear phishing" attacks that address a specific target group (more on this under the types of phishing attacks).
The threats and risks of phishing attacks on German companies are still largely underestimated. In recent surveys, the majority of German companies with more than 20 employees stated in 2018 that they had been affected by digital attacks (68%) or probably affected (19%) within the previous two years (Bitkom: Wirtschaftsschutz in der Industrie 2018). Considering that 70% of all successful cyber attacks on medium-sized businesses are carried out by email, the dangers of phishing are obvious.
Above all, the danger of phishing attacks lies in the fact that their evolution has been underestimated. For a considerable time now, phishing emails have no longer been the obvious spam from alleged African princes who want to pay you generously for a small favor (just a small click is needed).
Modern phishing attacks, especially on companies, are tailored specifically to the targets of the attack. They imitate the sender identity of colleagues, partners, service providers or customers and use psychological pressure to provoke short, simple actions, such as clicks on dangerous links or other harmful reactions (opening malware in the attachment, disclosing sensitive data). An angry email is quickly mistaken for an authentic message from the boss or an angry customer, and the hacker is in the system. Criminals' tricks are becoming more sophisticated and professional. To protect your business, you should become more professional about cyber security, too.
From CEO fraud to spear phishing
The look and feel of phishing attacks are getting better and more complex. Learn how to detect phishing attacks with our online training. With Perseus phishing training, we try to mimic all new forms of phishing emails, too.
This will give your business effective phishing awareness with a real training effect. In addition to email attacks, for the sake of full coverage, we also list less common types of phishing used occasionally, in combination with email phishing.
One of the most common spear phishing attacks is CEO fraud. In this form of phishing, the criminal commits fraud by email, posing as a supervisor or even as the boss. Email address, writing style and signature are imitated more or less well to make the recipient believe that it is a real message from the CEO. Wanting to act quickly in the supervisor's interest, the recipient follows the instructions in the email blindly ("I am on the way; please make the following transfer quickly" or "Customer appointments. Please send Google credentials quickly").
Clone phishing describes an attack in which an email the recipient may have previously received (such as from an online shop or service provider) is copied in full and then malware or a malicious link is added. Disguised as the online shop or service provider, the hacker apologizes for sending the email twice, claiming that there was a technical problem with a step (activating an email address, changing a password, etc.) that the recipient therefore has to repeat. As soon as the supposedly harmless link is clicked, clone phishing has struck.
Hackers often build domains and templates to imitate websites or email addresses. In this way the criminals lull their victims into believing that they have received a message from a credible source. Sometimes these fakes are clumsy and easy to see through. But more and more often they are carried out with technical finesse, and the phishing emails seem deceptively real and lure unsuspecting employees into the trap.
The "evil twin" is the imitation of a supposedly harmless public WLAN network. This trick is often also referred to as a "Starbucks trap," as coffee shop networks are a favorite target for imitation. Unsuspecting victims connect to the network and thereby give the hacker access to the data on their own device.
For many Internet users, private or professional, the motto has long been: HTTPS URLs and the little padlock on the left of the browser bar indicate a secure and trustworthy website. Unfortunately, this is no longer the case. HTTPS only guarantees that the connection to the site is encrypted, not that the site's operator is honest. Hackers take advantage of the trust people have learned to place in these security indicators and use them to send phishing emails with supposedly trustworthy URLs. A supposedly secure address, complete with HTTPS and a small padlock, can lead to a phishing website just as well as an outdated HTTP address can.
This term means SMS phishing or phishing via messenger services on a smartphone. You have surely already received commercial messages from phone or other service providers. Hackers copy this form of modern communication, too, to trick recipients into clicking on a malicious link, which could, for example, be disguised as a discount voucher or other offer.
Like CEO fraud, spear phishing also refers to a targeted and well-researched cyber attack on a company and its employees. In contrast to spam phishing emails sent out to many thousands of addresses, a spear phishing email often has only one recipient. The fake sender address, subject and content were built precisely to get you (or one of your specifically selected employees) to take the bait.
Hackers often research information about colleagues and their activities online ahead of time, in order to fool the victim regarding the legitimacy of the email. The goal of spear phishing is usually to persuade the recipient to click on a malicious link and/or install malware. Once the malicious software is installed on the company computer, data can be copied, stolen or destroyed, and a blackmail attempt can follow.
Vishing is a very classic variant of phishing. In an actual phone call, criminals try to obtain corporate data using a fake identity (bank clerk, manager, customer service). They use this data for further spying attempts and scams, or sell the information on the darknet.
These cyber attacks can be part of our phishing training
This is a very common and successful phishing attack in the private and professional sectors. Criminal hackers copy and imitate the complete presentation of emails from well-known companies and brands (Paypal, T-Online, Amazon etc.), including sender addresses and HTML design. At first glance, these emails are hardly distinguishable from the real ones. Many users are familiar with the design and layout of these company emails and would not be likely to fall for bad copies.
But imitating the design templates of big companies with deceptive realism is no longer rocket science and does not even require any programming skills. Criminals simply copy the HTML code of the original corporate emails and reconstruct perfect copies of the originals with free online tools. In these fake company emails, the criminals can then easily place their malicious links, and the bait is cast. But with the help of Perseus employee training and phishing tests, your employees learn to read the signs of phishing and to act properly.
Most companies regularly advertise jobs and promote them on their own website or on online portals, accessible to applicants but also to criminals, who hope for a gateway into company systems.
Phishing via a job application email is a deceptive and efficient method. After all, there is no reason to mistrust an email whose sender claims to be applying for an officially advertised job, right? The email from the alleged candidate seems harmless. Salutation and subject are correct. And as usual, a CV file is attached or a document is linked in the email. Such attachments and links can install viruses or Trojans on your computer and are not always detected by anti-virus programs. Phishing training can protect you and your employees from cyber attacks.
Imagine an email in your customer service mailbox, your project management or wherever angry customers and clients are looking for contact with your company. In this email, one of your customers claims that a service has been charged twice and has already been deducted from their account. Of course, your dutiful employees want to rectify such a mistake immediately and investigate the allegations.
As proof of the incorrect charge, the affected customer puts a link in his email that supposedly refers to documentation from his bank. This link, however, leads your employee to a phishing website where he or she picks up malware. Precautionary training in IT security and cyber security, combined with awareness built through phishing tests, could have prevented this bad click.
Criminal hackers use various social engineering techniques to induce employees to take harmful actions. Out of fear and shame, people can be motivated to do many things. A popular example of this type of manipulation and extortion is so-called "sextortion phishing." In this case, criminals send blackmail emails to a large number of addresses.
In these emails, the senders claim that they have gained control of the victim's webcam and have recorded them during intimate acts. To prevent these video recordings from being made public and sent to friends, acquaintances and colleagues, the victim has to transfer money to the blackmailer. The "facts" are rarely true; the extortion mailings are sent out indiscriminately. Of course, as with any blackmail, the victim does not know whether the blackmailer will keep his promise after payment.
What you and your staff learn in Perseus phishing training
There were times when ordinary internet users recognized phishing emails a mile away. There were several misspellings in the subject line alone, the rest of the body text was hard to understand due to broken syntax, and prompts to click on a strange link were not very persuasive. But fraudulent emails from criminal sources are becoming more and more sophisticated and harder to recognize.
In Perseus cyber security staff training, your employees learn to recognize the obvious and well-hidden signs of phishing e-mails. With our phishing tests, this knowledge is finally solidified in everyday working life.
Info: None of the above signs is a certain indicator of a phishing email. Good spear phishing emails can also avoid all of these signs. Modern cyber attacks via email can be so deceitful that only regular phishing training can really prepare you for them. Ideally, if in doubt, you and your staff will be able to use an email scanner, as included in Perseus. Just forward the suspicious email to the scanner and find out in a few minutes whether it is harmless or dangerous.
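The signs referred to above are the kind a script can check for as well, as a first filter before a suspicious mail is forwarded to a scanner. The following Python example is added here and is not Perseus code or part of the original page; the trusted-domain list, the pressure phrases and both sample messages are constructed for illustration. It parses a raw message and reports a display name that does not match the sender's domain, a Reply-To pointing to a different domain, a sender domain that is a near miss of a trusted one, and urgency wording of the kind quoted in the CEO fraud section.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Optional

# Domains the organisation treats as its own or trusted, mapped to the name a
# sender would show for them. Constructed for this example, not Perseus data.
TRUSTED: Dict[str, str] = {
    "example-corp.com": "example corp",
    "example-bank.com": "example bank",
}

# Pressure phrases typical of CEO fraud and verification scams (constructed list).
URGENCY_PATTERNS = [
    r"\bwithin 48 hours\b",
    r"\bimmediately\b",
    r"\burgent(ly)?\b",
    r"\bquickly\b",
    r"\baccount (has been|will be) (restricted|suspended|blocked)\b",
]


def domain_of(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """The trusted domain that `domain` closely resembles without matching, else None."""
    if not domain or domain in TRUSTED:
        return None
    for trusted in TRUSTED:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks: List[str] = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_message: str) -> List[str]:
    """Return the header- and text-level warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # 1. Display name claims a trusted organisation, but the address is not from its domain.
    for trusted, org_name in TRUSTED.items():
        if org_name in from_name.lower() and from_domain != trusted:
            findings.append(f"display name '{from_name}' but sender domain '{from_domain}'")

    # 2. Replies would go to a different domain than the one the mail claims to come from.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Sender domain is a near miss of a trusted domain (typo or letter-shape swap).
    twin = lookalike_of(from_domain)
    if twin:
        findings.append(f"sender domain '{from_domain}' looks like '{twin}'")

    # 4. Pressure language in subject or body.
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, text):
            findings.append(f"pressure phrase matching /{pattern}/")
    return findings


# Two constructed samples: a CEO-fraud attempt from a look-alike domain, and a benign internal mail.
SAMPLE_CEO_FRAUD = """\
From: "Example Corp CEO" <ceo@exarnple-corp.com>
Reply-To: ceo.private@mail-relay.example.net
To: accounting@example-corp.com
Subject: Urgent transfer

I am on the way; please make the following transfer quickly.
"""

SAMPLE_BENIGN = """\
From: "Example Corp IT" <it@example-corp.com>
To: staff@example-corp.com
Subject: Maintenance window on Saturday

The mail server will be updated on Saturday morning; no action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", SAMPLE_CEO_FRAUD), ("benign", SAMPLE_BENIGN)):
        print(label, "->", phishing_indicators(sample) or "no indicators")
```

The CEO-fraud sample trips all four checks (five findings in total, since two pressure phrases match), while the benign mail produces none. The distance threshold of 2 is deliberately tight: it catches "exarnple" for "example" without flagging every unrelated domain of similar length, and a real deployment would replace the constructed TRUSTED list with the organisation's own domains and partner domains.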
Phishing awareness protects you from the nasty tricks of hackers
Every week, cyber criminals develop new nets and tricks to fool their victims. The phishing attacks listed here are not exhaustive, and the most dangerous attacks can change quickly. Of course, these well-known phishing attacks target a large number of recipients and work on the "shotgun principle."
Even more dangerous phishing attacks for businesses are spear phishing attacks (see above), which are meticulously formulated to fool the employees of select companies.
Since the beginning of 2019, verbraucherzentrale.de has again increasingly warned against fake update emails from Amazon. The emails are an amazingly good copy of the authentic update emails from the online store. The supposed customer service requires recipients to verify their own data within a short timeframe (48 hours), ironically, for security reasons.
The subsequently linked input form is a trap. At this point the victims put their access information directly into the hands of the hackers.
A very similar tactic to the Amazon one is operated under the guise of Paypal. An authentic-looking Paypal email alerts the phishing victim that access to their account has been restricted and requires immediate verification. Of course, this alleged verification amounts to voluntarily handing over their own access data to the hackers.
Apple users are also increasingly being targeted at present, with alleged support emails the main vehicle. Again, services and access are allegedly blocked until the Apple user has verified his identity by entering his data. The phishing email and phishing site use the unremarkable Apple design.
In 2019, more phishing emails are again being sent in the name of the Sparkasse. The content of the mailings is alleged security improvements for payments and other services. Victims are asked in emails in Sparkassen design to enter their data in a phishing form for review.
What can be done if the hackers attack? Find out here.
Have you or your coworkers received a phishing message and already inadvertently clicked on a link or file attachment? Then it is important to act quickly! The experts at Perseus tell you what to do next.
How do you protect yourself from such attacks in the future? With Perseus, the online cyber security service for small and medium-sized businesses.
That depends. Opening a plain text email, in an email program or in your browser, is safe as long as you don't click on any harmful links or attachments. It becomes more difficult with emails written in HTML. A click on a visible or invisible graphic is enough to install malware in the background.
Clicking a link in a phishing email can have dangerous consequences, even though victims are usually only asked to enter personal information on the linked phishing website. Even without entering any personal information, the site's code may contain hidden code or Trojans that are installed on the system unnoticed. If you suspect that you have landed on such a phishing website, you should urgently check that your anti-virus software, your browser and the operating system are all up to date.
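The two points made above, that HTTPS and the padlock say nothing about who runs the linked site and that an HTML mail can carry hidden graphics and links that do not go where they appear to, can be checked mechanically on the mail body before anyone clicks. This Python example is added here and is not Perseus code or part of the original page; the sample HTML body and its domains are constructed. It lists remote images that look like tracking pixels (1x1 or hidden by style) and links whose visible text shows one host while the href leads to another, noting for each misleading link whether it uses HTTPS.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse


def host_of(url: str) -> str:
    """Lower-cased host of an absolute URL; '' for relative or malformed URLs."""
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """True if the visible link text itself reads like a URL or a bare domain."""
    pattern = r"(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?"
    return re.fullmatch(pattern, text.strip().lower()) is not None


class EmailHtmlAuditor(HTMLParser):
    """Collects remote images and links while parsing an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.remote_images: List[Tuple[str, bool]] = []  # (src, looks like a tracking pixel)
        self.links: List[Tuple[str, str]] = []           # (href, visible text)
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").startswith(("http://", "https://")):
            # A remote image that is 1x1 or invisible exists only to report that the
            # mail was opened (or to trigger a fetch), not to show anything.
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
            )
            self.remote_images.append((a["src"], hidden))
        elif tag == "a":
            self._href = a.get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def audit_html_email(html: str) -> Dict[str, object]:
    """Report tracking pixels and links whose shown host differs from the real target host."""
    parser = EmailHtmlAuditor()
    parser.feed(html)
    parser.close()
    tracking_pixels = [src for src, hidden in parser.remote_images if hidden]
    mismatched = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue  # link text such as "Click here" makes no claim about a host
        shown = text if "://" in text else "http://" + text
        if host_of(shown) and host_of(href) and host_of(shown) != host_of(href):
            # The padlock would still appear for this link: HTTPS says nothing about the host.
            mismatched.append({"shown": text, "actual": href, "https": href.startswith("https://")})
    return {
        "remote_images": len(parser.remote_images),
        "tracking_pixels": tracking_pixels,
        "mismatched_links": mismatched,
    }


# Constructed sample body imitating a bank's "account restricted" mail: a link whose
# visible text shows the bank's domain while the href points elsewhere (over HTTPS),
# a 1x1 remote image that reports the mail was opened, and the bank's ordinary logo.
SAMPLE_HTML = """\
<html><body>
<p>Your account has been restricted. Please verify your details within 48 hours.</p>
<p><a href="https://secure-login.example-verify.net/session">https://www.example-bank.com/login</a></p>
<img src="https://mail-track.example.net/open?id=4711" width="1" height="1">
<img src="https://www.example-bank.com/logo.png" width="200" height="60">
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit_html_email(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

On the sample, the logo is counted as an ordinary remote image, the 1x1 image is reported as a tracking pixel, and the login link is reported as mismatched even though it is served over HTTPS, which is exactly the case the padlock cannot protect against. A mail client that blocks remote images by default neutralises the first problem; the second still depends on the reader checking where a link actually leads.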
Perseus cybersecurity experts recommend the use of intelligent security software, as included in our security package. As a user of Perseus, in case of doubt, you can always contact our emergency service, where you will receive help around the clock.
If you've opened the attachment of a phishing email, you've almost certainly installed malware on your computer. The impact that malware can cause to your systems varies from case to case, whether it's a virus or a Trojan. To be safe, stop using the infected computer until it's cleared of the malware. In some cases, this can be done by good antivirus software.
Often, however, only the help of an expert, such as those arranged through the Perseus emergency service, can deal with it successfully. Perseus also provides you with IT forensics, which determines in retrospect whether data has already been stolen from the computer, an important piece of information for taking direct action.
If you have skimped on phishing training and your company has become the victim of a cyber attack, you should act calmly and prudently. Unfortunately, there is no blanket solution for every attack. In the end, it depends, for example, on what kind of phishing it is and how much time has elapsed since the attack. For example, if you were the victim of a fake verification request from an online service (Amazon, Paypal, etc.), you should log in, change your passwords immediately, and check whether any changes have been made to the account. If necessary, contact support to let the provider know what is going on, so they can assist you.
Even in the case of "successful" spear phishing, the measures depend on the damage that has occurred. Malware should be professionally removed and a criminal complaint filed. Specialists, as provided by Perseus as part of its all-round protection in the event of an emergency, ensure that any necessary evidence is secured and that day-to-day business can resume quickly.
Whether anyone is liable for phishing damage to a business cannot be answered across the board. In many cases, such as the disclosure of proprietary access data on phishing sites, a court will decide based on the negligent behavior of the victims, which means a bank or an online service is unlikely to be held responsible. But such negligence by individual employees of a company can and should be avoided through online training and regular phishing tests.
Cyber insurance or the Perseus Cyber Letter of Protection provides reliable protection against the damage of cyber attacks on the company in many cases. But Perseus protection makes sense especially in combination with such insurance. Whether for a DSGVO (GDPR) audit or as proof to the insurer, online training and awareness measures with Perseus document the measures taken and can be retrieved at any time when proof is needed.