
Current Threat

68% of data breaches involve a human factor.

No patch, no firewall protects if an employee clicks under time pressure. This page explains how phishing works - and how to protect yourself.

68% of data breaches involve a human factor (Verizon DBIR 2024)
$4.5 M average cost per incident
Click-rate reduction with training
3-second decision time under pressure

Basics

What is Phishing?

Phishing is a social engineering attack in which attackers impersonate legitimate organisations or individuals to trick victims into revealing sensitive data, clicking malicious links or performing actions. The term derives from "fishing" - with humans as the catch.

What makes phishing so dangerous: it attacks people, not technology. No patch, no firewall and no antivirus fully protects if an employee under stress or time pressure clicks a link. This is why security awareness is just as important as technical countermeasures.

Phishing Types Overview

Email Phishing

Mass attacks via email with spoofed senders. The goal is to steal credentials, infect with malware or initiate payment fraud. Typical indicators: urgent calls to action, spoofed sender addresses, manipulated links.

Spear Phishing

Targeted attack on individuals or departments with personalised content from OSINT research. Much higher success rate than mass phishing - up to 70% click rate versus 3% for generic campaigns (Proofpoint State of the Phish 2025).

Whaling

Spear phishing specifically targeting executives (CEO, CFO, CISO). Attackers impersonate business partners, lawyers or authorities. Common goal: CEO fraud (Business Email Compromise) with wire transfer requests - average loss per incident according to FBI IC3: USD 125,000.

Smishing

Phishing via SMS with links to fake websites or malicious downloads. Parcel notifications, bank alerts and supposed authority messages are common lures. Particularly dangerous as mobile browsers often do not show the full URL.

Vishing

Voice phishing over the phone. Attackers pose as IT support, a bank, tax authority or Microsoft employees. Through social manipulation they obtain credentials or remote access. Combining with a prior email significantly increases credibility.

QR Code Phishing (Quishing)

QR codes in emails or print media leading to phishing sites. Particularly tricky: email gateways do not scan QR codes like URLs. The user scans with a personal smartphone that is often less protected than the corporate device. Rapidly growing attack vector since 2023.

Threat Intelligence

Current Phishing Methods 2025/2026

AI-powered attacks, deepfakes and new delivery channels are rapidly transforming the phishing landscape. What was a recognition indicator yesterday no longer works today.

Critical

AI-Generated Phishing Content

2025/2026

LLMs such as GPT-4 enable error-free, stylistically convincing phishing emails in any language. Previous recognition indicators such as spelling mistakes and poor grammar are entirely absent. Attackers automatically personalise content based on LinkedIn, social media and company profiles.

High

Deepfake Voice & Video

2025/2026

Synthetic voices and videos of CEOs or managers for whaling attacks and real-time vishing. In 2024 a company lost USD 25 million through a deepfake video call in which a finance employee failed to recognise the fake identity of their CFO (South China Morning Post, 2024).

Critical

Adversary-in-the-Middle (AiTM)

2024-2026

Phishing frameworks such as Evilginx or Modlishka proxy real login pages in real time and steal session cookies - even behind MFA. The user sees the real website and enters real credentials which are directly captured. MFA provides only limited protection here.

Medium

QR Code Phishing in Documents

2024-2026

QR codes in PDF attachments, invoices or printed parcel labels bypass email scanners entirely. Scanning with a personal smartphone leads to phishing sites outside corporate security controls.

High

Microsoft Teams / Slack Phishing

2023-2026

Collaboration tools as a new attack vector: attackers contact employees via external guest invitations, fake system notifications or compromised partner tenants. Employees are less suspicious of these channels than of email, which results in higher click rates.

Sources: Verizon DBIR 2024, Proofpoint State of the Phish 2025, IBM Cost of a Data Breach Report 2024, FBI IC3 Annual Report 2024, KnowBe4 Phishing Benchmark 2024.

Protection

Recognising Phishing: Checklist

Phishing emails are becoming increasingly convincing. This checklist helps identify suspicious messages - even when they appear legitimate at first glance.

The 3-Second Rule

Attackers rely on time pressure. If an email demands immediate action - stop for 3 seconds and ask: Would this organisation contact me this way? Does this request make sense in my context? This brief pause prevents the majority of phishing clicks.

01 Check the sender address carefully

Not just the display name but the full email address. Typosquatting like "amazon-service.net" is common.

02 Check the link destination before clicking

Hover over links to see the real URL. On mobile: press and hold the link for a preview.

03 Question urgent calls to action

"Your account will be suspended" or "Immediate action required" are classic panic-inducing tactics.

04 Never open unexpected attachments

Even if the sender appears known - verify the context through a separate communication channel.

05 HTTPS is not a security indicator

Over 80% of phishing sites now use HTTPS. The padlock only means encrypted transmission, not legitimacy.

06 Restrict form input to known domains

Only enter credentials on official, directly typed URLs - never via links from emails.

07 Call back on known numbers to verify

For unexpected payment requests or login prompts: call back on the known official number, never the one in the email.

Practical Example

Anatomy of a Phishing Email

This realistic reconstruction shows the typical warning signs of a phishing email. Watch how the 5 most common red flags are revealed step by step.

Recognising the 5 Warning Signs

1 Spoofed sender address

The display name says "Deutsche Kredit Bank AG", but the real address is service@dk-bank-sicherheit.com - a foreign domain that has nothing to do with the bank.

2 Impersonal greeting

Your real bank knows your name. "Dear customer" ("Sehr geehrter Kunde") is a sign of a mass phishing campaign sent to thousands of recipients.

3 Artificial time pressure

"Within 24 hours" and account suspension - the classic panic tactic. Reputable companies do not set such short deadlines by email.

4 Spoofed link

The button promises the official page, but the real URL is dk-bank-sicherheit.com/verify - a phishing domain. Always check the link destination!

5 Request for sensitive data

No reputable company asks you to enter passwords, TANs or credit card details by email. Never log in via email links.

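The five red flags above can be checked mechanically against a raw message. As an added example (not the page's or AWARE7's own code), the Python below parses a constructed sample email modelled on the walkthrough and reports which of the numbered flags it finds; the bank's assumed legitimate domain deutschekreditbank.example and the keyword lists are assumptions for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the page's example; the bank's "legitimate"
# domain deutschekreditbank.example is an assumption for the demo.
SAMPLE = """From: "Deutsche Kredit Bank AG" <service@dk-bank-sicherheit.com>
To: kunde@example.org
Subject: Ihr Konto wird innerhalb von 24 Stunden gesperrt
Content-Type: text/html; charset=utf-8

<p>Sehr geehrter Kunde,</p>
<p>bitte bestaetigen Sie Ihr Passwort und Ihre TAN.</p>
<a href="https://dk-bank-sicherheit.com/verify">https://www.deutschekreditbank.example/login</a>
"""

BRAND_DOMAINS = {"Deutsche Kredit Bank AG": "deutschekreditbank.example"}
URGENCY = re.compile(r"innerhalb von \d+ stunden|gesperrt|immediate action|suspended", re.I)
GENERIC = re.compile(r"sehr geehrter kunde|dear customer", re.I)
SECRETS = re.compile(r"\b(passwort|password|tan|kreditkarte|credit card)\b", re.I)
LINK = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def red_flags(raw):
    """Return the page's red-flag numbers (1-5) found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    body = msg.get_payload()
    flags = set()
    expected = BRAND_DOMAINS.get(name)
    if expected and registered_domain(addr.rsplit("@", 1)[-1]) != expected:
        flags.add(1)  # display name claims a brand, address is a foreign domain
    if GENERIC.search(body):
        flags.add(2)  # impersonal greeting
    if URGENCY.search((msg["Subject"] or "") + " " + body):
        flags.add(3)  # artificial time pressure
    for href, text in LINK.findall(body):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        if shown and registered_domain(shown) != registered_domain(urlparse(href).hostname):
            flags.add(4)  # visible link text names one domain, href goes to another
    if SECRETS.search(body):
        flags.add(5)  # asks for passwords, TANs or card data
    return sorted(flags)
```

A real gateway would use a public-suffix list instead of the two-label domain approximation and decode MIME parts before matching.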

Technology

Technical Countermeasures

Technical controls significantly reduce the attack surface. No single protection is sufficient - defence in depth is the right approach.

Highest Priority

DMARC (p=reject)

Domain-based Message Authentication, Reporting & Conformance (DMARC) prevents attackers from sending emails with your domain as the sender. Together with SPF and DKIM, DMARC forms the baseline protection. Without a DMARC policy of p=reject, phishers can abuse your brand unchecked.

Highest Priority

SPF & DKIM

Sender Policy Framework (SPF) defines which servers are allowed to send emails for your domain. DomainKeys Identified Mail (DKIM) signs emails cryptographically. Both are prerequisites for a working DMARC implementation.
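The DMARC and SPF settings described above can be assessed from the published TXT records alone. As an added example (not the page's or AWARE7's own code), this Python checks a record against the baseline the page recommends (p=reject, -all); the records and the example domains are constructed, and the weak pair shows the settings the page warns against next to the hardened pair.

```python
import re

# Constructed sample records (example domains, not real DNS data): the weak
# setup beside the hardened one the page recommends (SPF -all, DMARC p=reject).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def assess_dmarc(record):
    """Findings for a DMARC record; an empty list means the baseline is met."""
    tags = parse_dmarc(record)
    if not tags:
        return ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"policy p={policy}: spoofed mail is not rejected")
    if tags.get("sp", policy).lower() != "reject":
        findings.append("subdomain policy weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied only to a sample of mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not received")
    return findings


def assess_spf(record):
    """Findings for an SPF record; the 'all' qualifier decides what unlisted senders get."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", record, re.I)
    if not match:
        return ["no 'all' mechanism: unlisted senders evaluate to neutral"]
    qualifier = match.group(1) or "+"
    verdicts = {"-": [], "~": ["~all (softfail): unlisted senders are only marked, not rejected"],
                "?": ["?all (neutral): SPF gives no verdict"], "+": ["+all: any server may send"]}
    return verdicts[qualifier]
```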

High Priority

Email Gateway with Sandboxing

Advanced email security solutions (Microsoft Defender for Office 365, Proofpoint, Mimecast) analyse links and attachments in isolated sandbox environments. URL rewriting enables real-time checking even after delivery.

High Priority

Phishing-Resistant MFA (FIDO2)

FIDO2/WebAuthn-based authentication (hardware security keys, passkeys) is resistant to AiTM phishing. The credential is bound to the origin (relying-party ID) of the site where it was registered, so an authentication attempt from a phishing domain fails automatically.
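The origin binding just described is enforced by the browser and then re-checked by the relying party. As an added example (not the page's or any library's own code), this Python shows the relying-party checks that make a proxied login fail: the relying-party ID login.example.com, the origin values and the clientDataJSON/authenticatorData builders are constructed for the demo, and the signature verification step is omitted.

```python
import hashlib
import json

# Assumed relying-party values for this demo (not from the page).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def make_client_data(origin, challenge):
    """Constructed stand-in for the clientDataJSON the browser hands to the RP."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id):
    """Constructed authenticatorData: SHA-256(rpId) | flags (UP|UV) | 4-byte counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion(client_data_json, authenticator_data, expected_challenge):
    """Relying-party checks that make FIDO2 phishing-resistant.

    A proxy on a look-alike domain cannot make the browser sign the legitimate
    origin: the origin and rpIdHash it produces name the phishing domain, so the
    assertion is rejected here. The signature check over
    authenticatorData || SHA-256(clientDataJSON) is omitted in this demo.
    """
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        return "unexpected ceremony type"
    if data.get("challenge") != expected_challenge:
        return "challenge mismatch (stale or replayed response)"
    if data.get("origin") != EXPECTED_ORIGIN:
        return f"origin mismatch: {data.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"
```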

Medium Priority

DNS Filtering

DNS-based filtering blocks access to known phishing and malware domains - including on mobile devices. Solutions such as Cisco Umbrella or Cloudflare Gateway offer threat intelligence-backed categorisation.

Medium Priority

Endpoint Detection & Response (EDR)

If a click occurs despite all prevention: EDR solutions detect post-exploitation activities (credential dumping, lateral movement) and can contain attacks before greater damage occurs.

The Human Defence Factor

Security Awareness as the Key

Technical measures alone are not enough. People remain the last safety net - and with the right training also the strongest line of defence.

Security awareness programmes that rely solely on classroom instruction lose their effect quickly. Sustainable behaviour change comes from repeated, realistic exercises - exactly what continuous phishing simulation provides.

According to the KnowBe4 Phishing Benchmark Report 2024, the average click rate in companies without training is 34.3%. After 12 months of consistent simulation and accompanying training, it drops to 4.6%.

Security Awareness Services

Effectiveness Comparison

Without training: 34.3%
After 90 days of training: 14.1%
After 12 months of training: 4.6%

Source: KnowBe4 Phishing by Industry Benchmark Report 2024

Average click-rate reduction

72% after 12 months of continuous simulation

Our Service

AWARE7 Phishing Simulation - Managed Service

Fully automated monthly phishing campaigns with realistic scenarios, real-time dashboard and individual training module for every click.

Monthly Campaigns

Rotating phishing scenarios - email, SMS, QR code, Teams - fully automated.

Real-Time Dashboard

Click rates, reporting rates and departmental analyses viewable live - for security managers and management.

Instant Training

Anyone who clicks immediately sees an educational explanation - no shaming, just targeted micro-learning.

Legally Compliant Setup

Guidance on works council agreements, GDPR-compliant evaluation, anonymised reports on request.

How the Onboarding Process Works

  1. Kickoff call: define goals, technical setup, works council briefing
  2. Template selection: scenarios from over 800 prepared templates or custom creation
  3. First campaign: baseline measurement to establish the current security level
  4. Monthly campaigns: automated, with rotating scenarios and difficulty levels
  5. Quarterly review: evaluation call with trend analysis and action recommendations

Phishing Simulation for Which Organisations?

  • SMEs from 25 employees

    Cost-efficient managed service option without own platform licence.

  • Organisations under NIS-2 requirements

    Phishing simulation as evidence for security training under NIS-2 Art. 21.

  • Financial and healthcare sector

    Industry-specific scenarios (SWIFT emails, patient data, banking portals).

  • Organisations after a security incident

    Targeted re-training of affected departments after a phishing incident.


FAQ

FAQ: Phishing & Phishing Simulation

Standard phishing is a mass attack: millions of identical emails are sent hoping a small percentage will fall for them. Spear phishing is targeted: the attacker researches the target in advance (OSINT), personalises the message with real names, titles or current projects and thereby achieves significantly higher success rates. For organisations, spear phishing is far more dangerous - particularly for executives and IT administrators.
Classic MFA (TOTP, SMS code) protects against simple phishing attacks since attackers only have the password but not the second factor. However it does not protect against modern Adversary-in-the-Middle (AiTM) attacks: phishing frameworks proxy the real login page in real time and steal session cookies during the authentication process. Phishing-resistant MFA (FIDO2/Passkeys) is the only reliable protection against AiTM.
According to the IBM Cost of a Data Breach Report 2024, a phishing-initiated data breach costs an average of USD 4.88 million worldwide. Phishing-based social engineering attacks represent the largest share of cyber attack costs. Additional costs include reputational damage, regulatory fines and business interruption costs.
A phishing simulation is a controlled, authorised attack: the company engages a security service provider to send realistic phishing emails to its own employees. Anyone who clicks the link or enters data lands on a training page rather than with real attackers. The results (click rate, reporting rate, departmental analysis) show concretely where training is needed. AWARE7 runs this service as a managed service - monthly campaigns with a real-time dashboard.
One-off simulations provide a snapshot value, but sustainable effect is only achieved through regular repetition. Best practice: monthly campaigns with rotating scenarios (email, SMS, QR code, Teams). Studies show that after 12 months of consistent simulation the average click rate drops by 60-72% (KnowBe4 Phishing by Industry Benchmark Report 2024). AWARE7 offers a fully automated managed service for this.
The most important technical protection mechanisms in descending priority: (1) DMARC in p=reject policy with correctly configured SPF and DKIM prevents email spoofing of your own domain. (2) Advanced email gateway with URL rewriting and sandbox analysis. (3) Phishing-resistant MFA (FIDO2/Passkeys) against AiTM attacks. (4) DNS filtering blocks known phishing domains. (5) Endpoint Detection and Response (EDR) for post-click detection.
Immediate steps: (1) Disconnect the device from the network if an attachment was clicked. (2) Change the password of the affected account immediately - on a different, secure device. (3) Immediately inform the IT security officer or IT department. (4) Notify affected external services (bank, service providers). (5) Document the incident - in the event of a data breach check reporting obligations under GDPR (Art. 33) within 72 hours to the competent data protection authority.
Legal requirements vary by country. In Germany, works council participation (§87(1) No. 6 BetrVG) is required for monitoring measures where a works council exists. A works agreement on phishing simulations is good practice. Anonymised evaluations without attribution to individuals are generally unproblematic. For international companies: always verify local labour law requirements. AWARE7 advises clients on legally compliant design of simulation programmes.

Start a Phishing Simulation

Find out how well your team is equipped against phishing - with a realistic, anonymised baseline campaign. No shaming, just genuine learning.

Free · 30 minutes · No obligation
