What is Phishing?

What is Phishing?

The term „phishing“ describes the attempt to obtain user information by using fake messages (e.g. in e-mails, social networks or Skype and QR-Codes) or malware (e.g. viruses). Said user information can be for example passwords, bank account or credit card information or transaction numbers (TANs).

Internet frauds use this information for financial gain. They send millions of phishing-mails with very little effort. In these mails recipients get baited into clicking on a harmful link.

How do I recognize Phishing?

To prevent falling for phishing it is important to recognize the structure of web addresses (so called URLs) and check them before clicking on a link.

The information, to which web address a link actually leads to is located differently for each device, software and service (e.g. Skype, WhatsApp, Facebook, Google+, Xing, LinkedIn).

  • On desktop devices (PCs and laptops) the web address usually appears in the status bar or in an information window (also called Tooltip) when you hover with your cursor over the link (without clicking it)
  • On mobile devices (smartphones and tablets) the way to identify the web address depends on the device you are using. In most cases, you need to lightly press the link for about 2 seconds, without actually clicking it.

Note the Who-Area when checking URLs!

The so called “Who-Area” always consists of the last two words before the first singular “/” in a web address (for https://www.uni-due.de/zim/services/sicherheit/ this would be uni-due.de). The Who-Area is the most important area for the recognition of phishing URLs. In technical jargon this is called a domain.

You should note the following issues when checking the Who-Area:

(You can also watch this video Online-Fraud – Recognize and Ward Off Hazards)

The Who-Area contains an IP-address

Should the area between http:// and the third slash “/” be an IP-address, so for example:

    https://95.130.22.98/google.de.secure-login.de/

then in this case the IP-address is the Who-Area. In most cases, this is the message of an online fraud. Do not follow this link.

Address of the expected partner is outside of the Who-Area

Should the address of the expected sender (e.g. uni-due.de) be outside of the Who-Area, it is probably a fraudulent link. This can look something like this:

      http://www.uni-due.de.anmeldung.com/
               (here the Who-Area is anmeldung.com)
      http://anmeldung.com/https://www.uni-due.de/
               (here the Who-Area is also anmeldung.com)

Do not follow this link.

The Who-Area contains typos

Check the Who-Area for typos. So for example:

      http://www.unni-due.de instead of
      http://www.uni-due.de

Do not follow any links with typos!

Who-Area contains similar looking characters

Check the Who-Area for similar looking characters and numbers (e.g. “rn” instead of “m” or “1” instead of “l” or “q” instead of “p”). Example:

      https://www.payqal.de/ instead of
      https://www.paypal.de/

Do not follow this link!

Who-Area contains a slight modification of the trusted Who-Area

If the Who-Area contains a modification of the trusted Who-Area, do not enter any kinds of information! Example:

      https://universitaet-duisburg-essen.de/

These modifications are difficult to spot, since you need to know the correct Who-Area for this. If you are unsure if you are on the real university website, please ask the ZIM-Hotline.

Especially perfidious: Spear-Phishing

Targeted attacks on specific people are called spear-phishing. For this the attacker uses a fake sender address which is the address of a trusted sender to convince a user to click a link or download an attachment.

It is possible that a victim gets targeted specifically, to obtain (SAP) login-data, scientific results or the victims money.

Should you notice such an attack, report it to the ZIM-Hotline and be careful, since someone might be after you.