Page 123 - Cyber Defense eMagazine December 2022 Edition

accounts. One example involves the deceptively genuine-looking PayPal emails that contain a link to an
            imitation website, asking recipients to verify or update their login information there. If they comply with
            this request, their data ends up directly in the hands of the scammers. Phishing emails can be produced
            very easily and without much effort. Even if only a few recipients bite, the effort pays off for the attackers.




            Now: Threats tailored specifically to the intended victim

            Cybercriminals are more sophisticated when it comes to spear phishing, a form of phishing that
            specifically targets certain users. Their main target group is company employees, since that is where
            most of the money is to be made.

            First, the fraudsters take a lot of time to scour social media and other Internet sources for information
            about their potential victims. This data can then be used to create emails that are precisely tailored to the
            recipient. Disguised as superiors, colleagues, or business partners, the attackers try to trick their victims
            with seemingly plausible prompts or cleverly designed lures.

            In addition to feigning insider knowledge, hackers rely on psychological tricks to manipulate their victims. They
            skillfully target the recipients' emotions to get them to do what is asked of them without thinking about it.
            Here is a small selection of the most important psychological influencing factors:

               •  Deference to authority: For example, the scammers forge an email in the name of a board
                   member. In it, the employee is asked to make an urgent payment to a supplier. Large sums of
                   money can end up in foreign accounts in this way. The chances of recovering these sums are
                   usually slim.
               •  Willingness to help: The alleged acquaintance of a colleague contacts the employee about a
                   problem. The email contains a file attachment, which the employee opens immediately - maybe
                   the employee has the information needed and can help. The file contains malware that infects
                   the computer and the system unnoticed.
               •  Time pressure: In a deadline-critical project, the scammers pretend to be the department head.
                   They demand that the employee send security-relevant information and urge the employee to
                   hurry. Since there is no time for a more detailed check, the recipient reveals the requested
                   information in good faith.
               •  Curiosity: In the name of the management, the hackers inform the recipient about important
                   structural and personnel changes in the administration. The mail contains a link that supposedly
                   leads to an updated organizational chart with the new distribution of responsibilities. If the
                   employee clicks on the link, he or she plays into the scammers’ hands.
               •  Fear: The alleged superior asks about an invoice for a service that was not ordered. The
                   employee is afraid of being suspected of embezzlement and therefore hastily clicks on the link to
                   the invoice - and thereby opens the door to hackers. Not infrequently, the loophole is also used
                   as an opportunity to penetrate the entire corporate network.









            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.