Damian Strobel
Founder and CEO
"Phishing is and was one of the top 3 initial attack vectors. It is therefore important that companies regularly train and sensitize their employees."
What is Phishing?
The word phishing is a blend of the English words “password” and “fishing” (password + fishing = phishing). It describes a common tactic used by cybercriminals to reach a specific goal. As the name suggests, that goal is often a user's access credentials, but other information such as credit card numbers can be the target as well. A successful phishing attack is frequently the first step of a larger intrusion, for example a ransomware attack.
In a corporate context, so-called spear phishing attacks are carried out more and more frequently. Here, employees of a company are contacted specifically in order to obtain sensitive information. The attackers pose as trustworthy people, often using information gathered from social networks to make the deception convincing.
The more an attacker knows about their target, the more sophisticated attacks of this type can be. Especially in combination with GenAI/LLMs, very convincing emails can be prepared quickly, and they are often not recognized as a threat. The victim clicks on a link and gets ransomware on the (company) computer, or enters their access credentials on a site that only appears trustworthy.
What types of phishing exercises exist?
Spear phishing
Imagine a hacker not simply casting a net, but going after one specific fish with a fishing rod. Spear phishing works in a similar way: instead of casting out masses of bait, the perpetrators target a specific person or company. To do this, they first carry out thorough research: name, address, job, professional contacts, social media, everything is scrutinized. They then use this information to craft a message that looks tailor-made. It often looks as if it comes from someone in the target's own company whom they trust.
The aim? The target person is supposed to do something specific - perhaps disclose confidential data or click on a link that secretly installs malware. Spear phishing is particularly treacherous because everything comes across as so genuine and personal. Even professionals can easily fall into the trap.
Whaling
In what is known as "whaling", cyber criminals go after the really big fish. Their targets are top managers and key decision-makers in companies - the whales in the sea of employees, so to speak. In contrast to broad, untargeted phishing, the perpetrators here use bait that is specifically tailored to CEOs, CFOs and the like.
They often carry out meticulous research and write deceptively genuine messages. These come across as supposedly urgent business emails and request, for example, bank transfers, confidential information or the opening of certain files. Because the targets have a lot of authority and access to sensitive data, successful attacks can hit hard - both financially and in terms of company reputation.
Clone Phishing
Do you know this feeling? You receive an email that somehow looks familiar. No wonder, because that is exactly what fraudsters exploit in so-called clone phishing: they copy a genuine message that you have already received, almost one-to-one.
The trick is in the detail: the crooks change only minor things. A harmless attachment is exchanged for an infected one, or a link is replaced by a malicious doppelganger. The aim of it all? To foist malware on you or steal your access data.
What makes this scam so treacherous is that the fake emails look extremely trustworthy. They fit seamlessly into the current mail traffic and appear to come from someone you are already in contact with. Even for attentive users, it is often difficult to detect the fraud. Nothing screams "watch out, fake!" - and that's exactly what makes clone phishing so dangerous.
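The two tell-tale changes described above (a swapped link target and a swapped attachment) are exactly what a mail filter or an attentive analyst can check for mechanically. The following Python script is an added example, not code from DSecured or from any product named on this page; the two messages it compares are constructed samples, and the "registrable domain" helper is a deliberate simplification that only looks at the last two DNS labels.

```python
"""Detect the hallmarks of a cloned email: a link that now points elsewhere, link text that
names a different domain than the real target, or an attachment whose content changed."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a hostname or URL, e.g. "portal.example.com/invoice/42".
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Crude 'last two labels' approximation; enough for the constructed sample below."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def compare_messages(original, clone):
    """Compare a trusted, previously received message with a new copy of it.

    Each message is a dict with an 'html' body and an 'attachments' dict (filename -> bytes).
    Returns a list of findings; an empty list means nothing suspicious was detected.
    """
    findings = []
    original_links = dict(extract_links(original["html"]))
    for text, href in extract_links(clone["html"]):
        # Same visible text as in the original, but the target URL was swapped.
        if text in original_links and original_links[text] != href:
            findings.append(("link_changed", text, original_links[text], href))
        # Visible text names one domain, the real target is another (typosquat / lookalike).
        match = HOST_IN_TEXT.fullmatch(text)
        target_host = urlparse(href).hostname or ""
        if match and registrable_domain(match.group(1)) != registrable_domain(target_host):
            findings.append(("link_text_mismatch", text, href))
    original_digests = {
        name: hashlib.sha256(data).hexdigest() for name, data in original["attachments"].items()
    }
    for name, data in clone["attachments"].items():
        digest = hashlib.sha256(data).hexdigest()
        # Same filename as in the original, but the bytes are different.
        if name in original_digests and original_digests[name] != digest:
            findings.append(("attachment_changed", name, original_digests[name][:12], digest[:12]))
    return findings


# Constructed sample: the genuine message and a clone that swaps the link target and attachment.
ORIGINAL = {
    "html": '<p>Your invoice is ready.</p>'
            '<a href="https://portal.example.com/invoice/42">portal.example.com/invoice/42</a>',
    "attachments": {"invoice.pdf": b"%PDF-1.4 constructed harmless sample"},
}
CLONE = {
    "html": '<p>Your invoice is ready.</p>'
            '<a href="https://portal.examp1e.com/invoice/42">portal.example.com/invoice/42</a>',
    "attachments": {"invoice.pdf": b"%PDF-1.4 constructed altered sample"},
}

if __name__ == "__main__":
    for finding in compare_messages(ORIGINAL, CLONE):
        print(finding)
```

Run against the constructed pair, the script reports three findings: the link behind unchanged visible text now points to examp1e.com, the visible text and the real target disagree on the domain, and invoice.pdf has a different SHA-256 than the copy that was received earlier. Comparing the original with itself yields no findings, which is the baseline a mail gateway would expect for a legitimate resend.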
Vishing
Vishing, short for “voice phishing”, is a sophisticated form of fraud in which criminals use the telephone as their tool. Essentially, it is about getting unsuspecting people to reveal useful information or financial data.
The perpetrators pose as representatives of reputable institutions - such as banks, authorities or well-known companies. Their approach is psychologically clever: they deliberately create a sense of urgency or concern in order to take their victims by surprise.
A typical scenario: the caller claims to be from the victim's bank and to have discovered an irregularity in the account. In order to solve the “problem”, personal data is then urgently requested.
What makes vishing particularly dangerous is that it is often carried out in a highly professional manner. The callers are trained in rhetoric and often have surprisingly detailed prior knowledge, which lends their story a false credibility.
The consequences can be significant: anything from identity theft to massive financial losses is possible. Increased vigilance for unexpected calls involving personal information is therefore urgently required.
Smishing
In the world of digital fraud, another scam has established itself alongside the well-known email phishing: smishing. The name may sound funny, but the matter is not. Smishing uses good old SMS to trick unsuspecting mobile phone users. The perpetrators disguise themselves as reputable senders - your bank, a parcel service or an authority. Their messages usually sound urgent: “Your account will be blocked!”, “Package undeliverable!” or “Confirm your details!”.
What makes the matter tricky is that SMS messages are often trusted more than emails. They are short, arrive directly on your phone and trigger the impulse to react quickly. That is exactly what the scammers rely on.
If you click on the link provided, you end up on deceptively real fake pages. Or you are asked to send sensitive information back via SMS. In both cases, the goal is the same: to get your personal data.
The consequences can be devastating: identity theft, raided bank accounts or access to your online accounts. In times when smartphones are our constant companion, smishing is becoming a serious threat to our digital security.
Conclusion: stay alert, even with seemingly harmless text messages. If in doubt, it is better to check with the alleged sender - but please use the official contact channels, not the number in the suspicious SMS.
Phishing during Red Teaming exercises
Phishing exercises are an important part of red team testing. Security experts simulate realistic attacks to uncover vulnerabilities in a company. The goal: to find out how well employees react to phishing emails and whether the security precautions are effective.
As part of a red team test, the phishing exercises are often refined further. The attackers adapt their tactics to the specific circumstances of the company and deliberately exploit its weaknesses. For example, they can use social engineering techniques to manipulate employees and obtain sensitive data.
The results of a red team test show how well the company is prepared against cyber attacks. Based on these findings, targeted measures can then be taken to improve security and minimize the attack surface.
Things get particularly perfidious when the Red Team uses so-called subdomain takeovers to design the phishing emails in such a way that the fake login portals appear as if they were really hosted by the company. In our practice, the most impressive phishing attack was one in which we used a takeover from vpn.company.com. One by one, employees entered their login data into this "new" VPN portal upon request. This is why Argos eASM is searching for domain takeovers non-stop!
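The precondition for the vpn.company.com scenario above is a DNS record that still points at a resource nobody controls any more, which is something a defender can inventory. The script below is an added example and is not Argos code or any part of DSecured's tooling; it uses a constructed zone excerpt under the reserved company.example name and an in-memory stand-in for DNS so it runs offline. In production, lookup() would issue real DNS queries, and a finding would still need a second check of whether the dangling target's hosting provider actually lets a stranger register that name, since an NXDOMAIN answer alone only tells you the record is stale.

```python
"""Flag CNAME records whose target no longer resolves: the classic precondition for a subdomain
takeover, and the kind of finding an external attack surface scan should raise."""

# Constructed zone excerpt for a fictitious company.example: (record owner, CNAME target).
ZONE_CNAMES = [
    ("www.company.example", "lb-prod.hosting.example"),
    ("vpn.company.example", "old-tenant.cloudvpn.example"),
    ("blog.company.example", "alias.company.example"),
    ("alias.company.example", "retired-blog.pages.example"),
]

# Constructed stand-in for DNS so the example runs offline:
# name -> ("A", [addresses]) or ("CNAME", target); None means NXDOMAIN.
FAKE_DNS = {
    "lb-prod.hosting.example": ("A", ["192.0.2.10"]),
    "old-tenant.cloudvpn.example": None,
    "alias.company.example": ("CNAME", "retired-blog.pages.example"),
    "retired-blog.pages.example": None,
}


def lookup(name):
    """Resolver used by the example; replace with real DNS queries in production."""
    return FAKE_DNS.get(name)


def resolve_chain(target, resolver, max_hops=8):
    """Follow CNAMEs starting at target.

    Returns (final_name, status) with status 'ok' (ends in address records),
    'nxdomain' (a name in the chain does not exist) or 'loop' (cycle or too many hops).
    """
    seen = set()
    name = target
    for _ in range(max_hops):
        if name in seen:
            return name, "loop"
        seen.add(name)
        record = resolver(name)
        if record is None:
            return name, "nxdomain"
        rtype, value = record
        if rtype == "CNAME":
            name = value
            continue
        return name, "ok"
    return name, "loop"


def find_dangling(zone_cnames, resolver=lookup):
    """Return one finding per CNAME whose chain does not end in a resolvable name."""
    findings = []
    for owner, target in zone_cnames:
        final_name, status = resolve_chain(target, resolver)
        if status != "ok":
            findings.append({"record": owner, "target": target,
                             "final": final_name, "status": status})
    return findings


if __name__ == "__main__":
    for finding in find_dangling(ZONE_CNAMES):
        print(f"{finding['record']} -> {finding['target']} ends at "
              f"{finding['final']} ({finding['status']})")
```

On the constructed zone the scan flags vpn.company.example directly, and it also flags blog.company.example even though its own CNAME target exists, because the chain continues through alias.company.example to a page host that no longer resolves. Following the whole chain rather than one hop is what catches that second case, and the remediation in either case is the same: delete or repoint the stale record.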
Most common initial vector: social engineering/phishing
Social engineering/phishing still occupies first place as an initial vector for cyber attacks. Attackers often steal important access data or manage to convince the victim to click on a specific link that ensures that a backdoor is installed. Or even worse - that the victim himself installs the backdoor by opening attachments.
Dangerous trend related to phishing: Generative AI/LLM
Cybercriminals are increasingly using generative AI models to create phishing emails. If you feed these models with existing data, personal data, already known leaked passwords, possibly current problems with the company and select the right victim, an email can be automatically created whose attachment is very likely to be opened by the victim.
The problem here is that it is very difficult to remove the human factor from the equation. While you should train employees and minimize the risk of someone becoming careless and falling for phishing, it's important to remember that there will always be someone who falls for the bait. Accordingly, it is just as important to regularly strengthen and check the internal network and to carry out network segmentation.
Services complementing phishing
Continuous monitoring
Our eASM platform "Argos" is able to monitor your entire external infrastructure non-stop - so you and we can quickly identify potential problems. The platform looks for and reports anomalies to us.
Penetration testing
Penetration tests are used to search for security gaps in particularly important applications in a very focused manner.
Darknet Intelligence
Too often we take part in highly complex technical penetration tests, yet these do nothing to prevent employee credentials for the very portal being tested from being leaked on the Internet. As a customer, you should know about it!
What clients say about us
„I've been really impressed with DSecured. The results they delivered exceeded our expectations. They found a wide range of IT problems and severe vulnerabilities and always communicated clearly. Working with them has been straightforward and reassuring.“
„The security of our customers’ data is our top priority. Thanks to DSecured, we were able to improve the resilience of our systems and realize how important the topic of "Shadow IT" is. The commitment of the team and their skills made the crucial difference for us.“
„DSecured was able to discover a surprising number of previously undetected security gaps in our infrastructure. The Argos platform as well as classic penetration tests were used for this. We really appreciated the honest advice on the subject of IT security and automation and would like to thank Mr. Strobel for this.“
„Mr. Strobel and his team regularly carry out penetration tests against our automation platform - and always find what they are looking for. The results are presented clearly and reproducibly. Communication has so far taken place via short channels, for example via Slack. We can definitely recommend DSecured.“