05.07.2022 - At the NCSC, the number of reports received last week was significantly lower, which is mainly due to the decrease in fake extortion emails. Noticeable were phishing attempts in which no link was sent, but in which a callback was requested, as well as phishing text messages containing a personalised link that can be deactivated after use. The two different approaches show that attackers are willing to invest more time and effort in their phishing campaigns.
Phishing is usually a mass business. The attackers register a website that looks similar to that of a well-known company and then send the link to thousands of recipients. This is done in the hope that one or two people will respond and provide their details. In the last two weeks, several cases have been reported to the NCSC, showing that phishing attacks are becoming more targeted. The cybercriminals are making a much greater effort to obtain passwords and credit card details.
Phishing following a phone call
One phishing attempt started with an email that contained no phishing link but had an invoice attached, in this example from a company supposedly based in France called "Paiement Techmania LLC". The invoice claims that a payment of CHF 540 has been received for the renewal of an antivirus subscription. In case of problems with the payment, the recipient should call the telephone number given. Since the invoice is fictitious and the recipient has therefore never transferred any money, it is very likely that they will call the number given in order to resolve the supposed error.
In this case, however, no one answered the phone. Instead, a few hours later, the victim's call was returned from a similar number. The caller stated that he would cancel the order and refund the money that had supposedly been paid. To this end, the purported seller sent an email, but this time with a link to a phishing website.
The attacker uses the phone call to try to build up additional trust and induce the victim to make an ill-considered move. The fraudulent link reaches only a limited number of people, as it only goes to people who have taken the invoice seriously and have called back. In this way, the attackers reduce the likelihood that the link will be quickly reported to the security authorities and the phishing site then taken down.
Phishing text messages with real names
The phishers also try to protect their phishing pages with another method. Here, the attackers use personalised links which can be deactivated after use – i.e. after the victim has clicked on the link.
Initially, in a text message containing a phishing link, the recipient is addressed by their correct name.
As soon as the victim clicks on the phishing link, they receive a personalised login screen showing the correct name and phone number. Interestingly, the next step is to provide the email address – which the phishers apparently do not have.
Only after entering the email address does the website appear where the credit card details are then phished.
It is not possible to assess whether the additional effort made by the phishers described here is actually worth it. However, the NCSC certainly tries to take such websites down as quickly as possible, thanks to the active help of those who report them.
- Do not trust any unsolicited emails and text messages that you receive.
- Do not allow yourself to be put under pressure and take enough time to clarify the matter.
- When making enquiries, do not use the telephone number or email address in the message that you have received. Instead look for the number or email address on the company's official website.
- Report phishing links directly to reports@antiphishing.ch or at www.antiphishing.ch. If you are unsure whether an email is a case of phishing, you can always forward it for analysis via the NCSC reporting form.
Last modification 05.07.2022