Page 123 - Cyber Defense eMagazine December 2022 Edition
accounts. One example involves the deceptively genuine-looking PayPal emails that contain a link to an
imitation website, asking recipients to verify or update their login information there. If they comply with
this request, their data ends up directly in the hands of the scammers. Phishing emails can be produced
very easily and without much effort. Even if only a few recipients bite, the effort pays off for the attackers.
Now: Threats tailored specifically to the intended victim
Cybercriminals are more sophisticated when it comes to spear phishing, a form of phishing that
specifically targets certain users. Their main target group is company employees, since that is where
most of the money is to be made.
First, the fraudsters take a lot of time to scour social media and other Internet sources for information
about their potential victims. This data can then be used to create emails that are precisely tailored to the
recipient. Disguised as superiors, colleagues, or business partners, the attackers try to trick their victims
with seemingly plausible prompts or cleverly designed lures.
In addition to feigning insider knowledge, the attackers rely on psychological manipulation to deceive their victims. They
skillfully target the recipients' emotions so that they do what is asked of them without stopping to think.
Here is a small selection of the most important psychological influencing factors:
• Deference to authority: For example, the scammers forge an email in the name of a board
member. In it, the employee is asked to make an urgent payment to a supplier. Large sums of
money can end up in foreign accounts in this way. The chances of recovering these sums are
usually slim.
• Willingness to help: The alleged acquaintance of a colleague contacts the employee about a
problem. The email contains a file attachment, which the employee opens immediately, since they
may have the information needed and be able to help. The file contains malware that infects
the computer and the wider system unnoticed.
• Time pressure: In a deadline-critical project, the scammers pretend to be the department head.
They demand that the employee send security-relevant information and urge the employee to
hurry. Since there is no time for a more detailed check, the recipient reveals the requested
information in good faith.
• Curiosity: In the name of the management, the hackers inform the recipient about important
structural and personnel changes in the administration. The mail contains a link that supposedly
leads to an updated organizational chart with the new distribution of responsibilities. If the
employee clicks on the link, he or she plays into the scammers’ hands.
• Fear: The alleged superior asks about an invoice for a service that was not ordered. The
employee is afraid of being suspected of embezzlement and therefore hastily clicks on the link to
the invoice, thereby opening the door to the attackers. This initial foothold is frequently used
as a springboard to penetrate the entire corporate network.
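The five lures above map directly onto observable message features that a mail gateway or a triage analyst can check: an executive's name on an external sender address, urgency wording, payment or credential requests, requests for secrecy, unsolicited external attachments, and links to domains outside the organization. The following is an added example written for this page, not code from the magazine or any vendor; the corporate domain, executive names, keyword lists and the three sample emails are all constructed assumptions, and the thresholds are illustrative rather than tuned.

```python
import re
from dataclasses import dataclass, field

# Hypothetical organisation data; a real deployment would take these from the
# directory service. Everything below is constructed for illustration.
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"Alice Chen", "Bob Mueller"}

# Keyword patterns for the psychological lures described in the article.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|deadline|within the hour)\b", re.I)
PAYMENT = re.compile(r"\b(payment|wire|transfer|invoice|bank account|iban)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login|verify your account|credentials)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (tell|discuss)|keep this between)\b", re.I)


@dataclass
class Email:
    display_name: str
    address: str
    subject: str
    body: str
    link_domains: list = field(default_factory=list)
    has_attachment: bool = False


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def is_internal_domain(domain: str) -> bool:
    d = domain.lower()
    return d == CORPORATE_DOMAIN or d.endswith("." + CORPORATE_DOMAIN)


def lure_indicators(mail: Email) -> list:
    """Return a list of human-readable lure indicators found in the message."""
    flags = []
    external_sender = not is_internal_domain(sender_domain(mail.address))
    text = f"{mail.subject}\n{mail.body}"

    # Deference to authority: a known executive's name on an outside address.
    if external_sender and mail.display_name in EXECUTIVE_NAMES:
        flags.append("authority: executive display name on an external address")
    # Time pressure.
    if URGENCY.search(text):
        flags.append("time pressure: urgency language")
    # Payment requests are the classic CEO-fraud payload.
    if PAYMENT.search(text):
        flags.append("authority: payment or banking request")
    # Credential harvesting, as in the imitation-website example.
    if CREDENTIALS.search(text):
        flags.append("credential request")
    # Secrecy discourages the recipient from checking with colleagues.
    if SECRECY.search(text):
        flags.append("secrecy request")
    # Willingness to help: unsolicited attachment from outside.
    if external_sender and mail.has_attachment:
        flags.append("willingness to help: unsolicited external attachment")
    # Curiosity / fear: links that lead off the corporate domain.
    for domain in mail.link_domains:
        if not is_internal_domain(domain):
            flags.append(f"curiosity/fear: link to external domain {domain}")
    return flags


def verdict(mail: Email) -> tuple:
    """Illustrative policy: two or more indicators hold the mail for review."""
    flags = lure_indicators(mail)
    if len(flags) >= 2:
        return "hold for review", flags
    if flags:
        return "deliver with banner", flags
    return "deliver", flags


# Constructed sample messages mirroring the article's scenarios.
SAMPLES = {
    "ceo_fraud": Email(
        display_name="Alice Chen",
        address="alice.chen@exampie-mail.net",
        subject="Urgent: supplier payment",
        body="Please wire the attached invoice immediately. Keep this confidential.",
        has_attachment=True,
    ),
    "org_chart": Email(
        display_name="Management Office",
        address="management@example-corp.info",
        subject="New organizational chart",
        body="Important structural and personnel changes. The updated chart is linked here.",
        link_domains=["example-corp.info"],
    ),
    "lunch": Email(
        display_name="Carol Diaz",
        address="carol.diaz@example.com",
        subject="Lunch?",
        body="Want to grab lunch at noon?",
    ),
}

if __name__ == "__main__":
    for name, mail in SAMPLES.items():
        level, flags = verdict(mail)
        print(f"{name}: {level}")
        for f in flags:
            print(f"  - {f}")
```

Keyword matching of this kind is a coarse first filter, not a replacement for sender authentication (SPF, DKIM, DMARC) or for an out-of-band callback before any payment is released; its value is in surfacing the combination of authority, urgency and secrecy that characterises the CEO-fraud scenario, while leaving ordinary internal mail untouched.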
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.