Phishing, Vishing, Smishing

Phishing

By means of phishing, the criminals lure victims into providing their passwords and other personal information.

Fraudsters try to obtain confidential data from unsuspecting users. This could involve access credentials for email accounts, online auction sites or credit card details. The fraudsters take advantage of their victims' good faith and helpfulness by sending them emails with false sender addresses. The emails tell the victims that their account details and access credentials (e.g. username and password) are no longer secure or up-to-date, for instance, and need to be changed using the link provided in the email. However, the link does not lead to the genuine page of the respective service provider, rather to the fraudster's apparently identical web page.

Specific measures

As soon as you realise that you have entered your password on a phishing site, change this password for all services where you use it.
If you provided credit card details, contact your credit card company immediately to have the card blocked.
If it is an email password reset all passwords for internet service providers that are linked to this account.

Preventive measures

Wherever possible, use two-factor authentication. This offers an additional layer of protection to prevent your account from being hacked.
No bank or credit card company will ever send you an email requesting that you change your password or verify your credit card details.
Never divulge personal data such as passwords or credit card details on a website that you have accessed by clicking on a link in an email or text message.
Bear in mind that email sender IDs can easily be spoofed.
Be sceptical if you receive emails that require action from you and otherwise threaten with consequences (loss of money, criminal charges or legal proceedings, account or card blocking, missed opportunity, misfortune).

Effects and risks

With the data thus obtained, credit card payments can be made or offers can be placed at an online auction.
With stolen email login data, fraudsters get full access to the email account. The attackers are able to extract and analyse all data and, for example, send fraudulent and counterfeit emails to contacts in the address book in the name of the victim.
If the attackers have access to your email account, they can take control of all services which use this address as a login and which have a password reset function.

Further Information

You will find further information on our website:
Hacked account – what next?
Protect your account

Vishing

Another way of obtaining sensitive data is so-called vishing (short for voice phishing). Vishing uses verbal scams, usually over the phone, to trick people into doing things they believe are in their best interests.

It is often difficult to spot vishing attempts. For instance, callers can spoof the caller ID at will. This makes it difficult to identify the caller if, for example, a known or trustworthy number is displayed. Victims often do not realise that the person on the other end of the phone is conning them until after they have handed over their credentials. However, there are some warning signs that can help you spot potential scams.

In many cases, the callers are self-appointed experts or authorities in their fields. They masquerade as computer technicians, bankers, police officers, or even victims themselves.
The callers exert pressure.
The callers ask for confidential information over the phone.

Specific measures

End dubious phone calls immediately.
Never give a caller sensitive information such as credit card details or passwords.
Do not open any websites or install any programs even if the caller urges you to do so.
Do not open any attachments or links in emails sent to you by the caller before, during or after the call.
Never give someone who calls you remote access to your computer.

Preventive measures

Remember that the caller ID can easily be spoofed.
Be sceptical if you are asked over the phone to disclose confidential information or to do something.
No bank or credit card company will ever ask you over the phone to change your password or verify your credit card details.

Effects and risks

With the data thus obtained, credit card payments can be made, for example, or bids can be placed in online auctions.
If attackers have access credentials or account information, they can take control of all services which use this information as a login and have a password reset function.

Further Information

Explanations on the manipulation of telephone numbers, so-called spoofing, can be found on the website of Swiss Crime Prevention:
Spoofing: When the emergency number 117 shows up on the display (in German)

Smishing

Data can also be stolen via text message. Smishing is a form of phishing, also known as SMS phishing, that uses convincing phishing SMS/text messages to trick potential victims into clicking on a link and sending personal information to the fraudster.

Smishing messages typically appear to be from a trustworthy sender, e.g. a well-known retailer or logistics company. These messages can be disguised as a parcel notification, for instance. A link in the message usually takes the recipient to a website created by the fraudsters on which the person is asked to enter personal data or credit card details.

Specific measures

Ignore parcel notifications that demand the payment of a fee.
If in doubt, and if you really are expecting a parcel, contact the relevant parcel delivery company and ask.
Only use the official app of the parcel service provider.
If you are unsure about the sender of a text message, do not click on any links and do not reply to the message.
Even if prompted to do so, do not download any apps.

Preventive measures

No bank or credit card company will ever ask you via text message to change your password or verify your credit card details.
Do not answer calls from a phone number that you do not recognise.
Do not install any software that is offered outside the operating systems' official stores.

Effects and risks

When a malicious app is downloaded, there is a risk of personal (authentication) data being mined or even of the entire device being locked.
Payment data can be misused, e.g. if you have to enter your Apple ID on a fake page to download a seemingly urgent app, or if a link leads to a fake payment page.

Further Information

Smishing – Text messages that can cause long-term damage (in German)