Phishing and Social Engineering: Attack Methods, Psychology and Protective Measures
Complete Guide to Phishing and Social Engineering: Phishing Taxonomy (mass phishing, spear phishing, whaling, BEC, smishing, vishing, QR code phishing, AiTM), technical attack techniques (domain spoofing, phishing kits), psychological manipulation principles (Cialdini), pretexting, technical protective measures (DMARC, phishing-resistant MFA, email gateway), phishing simulations, training content, and incident response. Includes current AI phishing trends for 2024.
Phishing remains the most effective entry point for cyberattacks: 3.4 billion phishing emails are sent every day (APWG), 91% of ransomware attacks begin with a phishing email (BSI), and the average cost of a Business Email Compromise incident is €125,000. No technical protection can replace a trained team—but both together significantly reduce the risk.
What is phishing?
Phishing is the attempt to trick recipients into revealing login credentials, installing malware, or performing financial transactions through fraudulent communications (email, SMS, phone calls, websites). The term is derived from "fishing"—attackers cast their lines and wait to see who takes the bait.
Current figures (2024):
- 3.4 billion phishing emails are sent daily (APWG)
- 36% of all data breaches begin with phishing (Verizon DBIR)
- 91% of ransomware attacks start with a phishing email (BSI)
- Average cost of BEC: €125,000 per incident
Phishing Taxonomy
Mass Phishing (Spray and Pray)
Untargeted mass attack on millions of recipients. Distinguishing features:
- Generic salutation ("Dear Customer")
- Grammar and spelling errors
- Exaggerated urgency ("Your account will be blocked!")
- Suspicious sender addresses
- Generic fake domains (paypa1.com, amazon-service.de)
Effectiveness: High detection rate by spam filters (99%+). Still dangerous: 1% of 1,000,000 = 10,000 victims.
Spear Phishing
Targeted, personalized attack on a specific person or department. Attackers conduct preliminary research: LinkedIn profiles, company website, social media, OSINT sources (press releases, job postings).
The resulting email contains:
- Correct salutation with name and job title
- Reference to actual projects or colleagues
- Context from daily work life ("regarding your proposal from...")
- Professional presentation
Example:
"Dear Ms. Müller,
As discussed in our meeting on Tuesday,
please find attached the revised contract documents
for the North-West project.
Best regards, Thomas Berger, Project Manager"
[Attachment: Contract_NorthWest_v3.docx]
Recognition rate by employees: under 5% (according to studies on awareness training).
Whaling (CEO/CFO Fraud)
Spear-phishing targeting top management:
Typical scenarios:
→ Fake CEO email to accounting: "Immediate confidential payment"
→ Fake lawyer to CFO: "M&A NDA; requires advance payment"
→ Fake supervisory board member: "Secret acquisition project"
Protection: Dual-control principle for wire transfers, callback procedure
Business Email Compromise (BEC)
BEC is the most costly phishing scenario. The sender's account is either actually compromised or deceptively imitated:
Variant 1: Account compromise
Attacker takes over real CEO account
→ Emails come from real address
→ DMARC check: PASS (real account!)
→ Detectable only through behavioral anomalies (UEBA)
Variant 2: Lookalike Domain
ceo@firma-ag.de → ceo@firmaag.de (hyphen missing)
→ Visually identical at a glance
CEO Fraud: CFO receives an email seemingly from the CEO - "Urgent wire transfer for a confidential transaction. Please execute today."
Potential damage: The FBI IC3 reports over $2.7 billion in losses annually in the U.S. alone.
Smishing (SMS Phishing)
Phishing via SMS:
- "Your package cannot be delivered - please update here: [Link]"
- "Your Sparkasse ID has expired - reactivate now: [Link]"
- Fake two-factor codes
More dangerous than email phishing because:
→ No browser warnings on mobile devices
→ URLs are displayed in shortened form
→ Users are distracted on small screens
→ HTTPS padlock deception (phishing sites also use TLS)
Vishing (Voice Phishing)
Phone calls made under a false identity:
- "This is IT Support—we’ve detected a virus on your computer..."
- "Bank Security Team: We’ve noticed suspicious transactions—can you quickly confirm your PIN?"
- Deepfake voice: AI-generated voice of a familiar supervisor
Protection:
→ Never give out passwords over the phone
→ If you receive a call from "Bank/IT": hang up and dial the official number yourself
→ Call back using the official number of the alleged caller
Increase in 2024: AI tools for voice cloning cost less than €10/month. Deepfake vishing attacks are surging.
QR Code Phishing (Quishing)
Relatively new but growing rapidly: QR codes in emails or physically placed redirect to phishing sites.
Why QR codes? They bypass email security gateways, which only scan links in email text. The QR code itself is an image—not recognizable as a malicious link.
Adversary-in-the-Middle (AiTM) Phishing
Modern phishing kits (Evilginx2, Modlishka) act as a reverse proxy between the victim and the legitimate website:
- Victim enters credentials on a fake login page
- Tool forwards credentials to the real website in real time
- Real website sends MFA code to victim
- Victim enters MFA code – tool intercepts it
- Attacker takes over session with valid session cookie
Consequence: Standard MFA (TOTP, SMS-TAN) does not protect against AiTM phishing. Only phishing-resistant MFA (FIDO2/Passkeys) is effective.
Social Engineering Psychology
Phishing exploits well-known psychological triggers. Cialdini’s 6 principles of persuasion:
1. AUTHORITY:
“This is an official notice from the tax authority”
“Your IT security team informs you...”
→ Commands from authorities are rarely questioned
2. URGENCY:
"Final warning—your account will be locked in 2 hours!"
"Act now—only until 3:00 PM today!"
→ Time pressure prevents calm reflection
3. FEAR:
"Unauthorized access to your account detected"
"Your bank transaction was declined—confirm your details"
→ Fear leads to impulsive action
4. RECIPROCITY:
"We’re giving you €50 as a loyal customer"
→ People want to give something back
5. SOCIAL PROOF:
"1,234 users have already clicked"
→ People follow the behavior of others
6. SCARCITY:
"Only 3 spots left"
→ Scarce items are more valuable
Additional Social Engineering Vectors
Pretexting
An attacker creates a fictitious situation that prompts victims to disclose information:
Example: An attacker calls the reception desk
"Hello, this is Florian Koch, an IT security auditor from BSI.
We are conducting unannounced security audits today.
Could you please give me the name and extension of the IT manager?
And where is your server room located?"
Protection:
→ Never confirm identity via incoming calls
→ External inquiries: always verify through official channels
→ "I’ll check that and call you back" is always the correct response
Technical Attack Techniques
Domain Spoofing Methods
Typosquatting: amazzon.com, microsofft.com
Homograph: аmazon.com (Cyrillic 'a' instead of Latin 'a')
Subdomain: microsoft.com.attackersite.de
TLD variant: amazon.shop, microsoft.net
Look-alike: rn instead of m (rnicrosoft.com)
Combination: secure-amazon-account-verify.com
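The six patterns above can be checked mechanically, which is how lookalike-domain monitoring (see the protective measures below) works in practice. The following classifier is an added example, not code from the original article: the protected-brand table is constructed, and the registrable domain is taken to be the last two labels (no Public Suffix List, so a suffix such as .co.uk would not be handled correctly).

```python
"""Lookalike-domain classifier for the spoofing patterns listed above.

Added example, not code from the original article.  Assumptions: the
protected-brand table is constructed for the example, and the registrable
domain is taken to be the last two labels (no Public Suffix List).
"""
import unicodedata

# Constructed table: brand label -> TLDs the brand is known to use.
PROTECTED_BRANDS = {
    "amazon": {"com", "de"},
    "microsoft": {"com"},
    "paypal": {"com"},
}

# ASCII sequences that mimic another glyph ("rn" reads as "m", "1" as "l").
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def levenshtein(a, b):
    """Edit distance; one or two edits away from a brand label is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_ascii_lookalike(label):
    """Strip accents, drop non-ASCII, then collapse confusable sequences."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for seq, repl in CONFUSABLE_SEQUENCES:
        ascii_only = ascii_only.replace(seq, repl)
    return ascii_only


def classify_domain(domain, brands=PROTECTED_BRANDS):
    """Return the spoofing patterns a host name matches; [] means no match."""
    findings = []
    domain = domain.strip().lower().rstrip(".")
    if any(ord(c) > 127 for c in domain):
        findings.append("homograph")            # e.g. Cyrillic a (U+0430) for Latin a
    labels = domain.split(".")
    if len(labels) < 2:
        return findings
    label, tld = labels[-2], labels[-1]
    subdomain_labels = labels[:-2]
    lookalike = to_ascii_lookalike(label)
    for brand, known_tlds in brands.items():
        if brand in subdomain_labels:
            findings.append("brand-in-subdomain")        # microsoft.com.attackersite.de
        if label == brand:
            if tld not in known_tlds:
                findings.append("tld-variant")           # amazon.shop
            continue                                     # brand label + known TLD: legitimate
        if lookalike == brand:
            findings.append("confusable-lookalike")      # rnicrosoft.com, paypa1.com
        elif levenshtein(label, brand) <= 2:
            findings.append("typosquatting")             # amazzon.com, microsofft.com
        if brand in label.split("-"):
            findings.append("brand-keyword-combination")  # secure-amazon-account-verify.com
    return findings
```

A real monitoring job feeds newly registered domains (from certificate-transparency logs or zone files) through `classify_domain` and raises a ticket for any non-empty result; the confusable-sequence rewriting is deliberately aggressive and will produce some false positives on ordinary words, so the findings are triage input, not an automatic block list.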
Email Header Manipulation
Attackers use several techniques to spoof the sender:
- Display Name Spoofing: `"Microsoft" <noreply@sketchy-domain.com>`
- From/Reply-To Separation: Display "CEO Max Müller" - Reply goes to attacker
- Lack of DMARC Enforcement: Without a DMARC policy set to p=reject, domain spoofing is trivial
This is precisely why DMARC, SPF, and DKIM are so critical.
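The three header tricks above are exactly what a gateway or a mailbox rule can test for, using the Authentication-Results header the receiving gateway stamps on every message. The checks below are an added example, not code from the original article: the messages, the `.example` domains and the name table are constructed, and the `[EXTERN]` tagging mirrors the external tag recommended in the protective measures further down.

```python
"""Header checks for the sender-spoofing patterns listed above, plus the
[EXTERN] subject tag that many gateways add.

Added example, not code from the original article.  The messages, domain
names (*.example) and the name table are constructed for the example; the
Authentication-Results header is what the receiving gateway stamps on the
message after evaluating SPF, DKIM and DMARC.
"""
import email
import email.utils
import re

INTERNAL_DOMAINS = {"firma-ag.example"}   # assumption: the organisation's own domains

# Display names worth protecting -> the only domain they may legitimately come from.
PROTECTED_NAMES = {
    "microsoft": "microsoft.com",
    "max müller": "firma-ag.example",
}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg):
    """Parse 'spf=pass ... dkim=none ... dmarc=fail' into a dict."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyze_headers(raw):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    display, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display-name spoofing: the name imitates a brand or colleague, but the
    #    address behind it is not the domain that name belongs to.
    for name, real_domain in PROTECTED_NAMES.items():
        if name in display.lower() and from_domain != real_domain:
            findings.append(f"display-name-spoofing: '{display}' sent from {from_domain}")

    # 2. From/Reply-To separation: replies silently go somewhere else.
    _, reply_addr = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {_domain(reply_addr)}")

    # 3. No DMARC pass: either the domain has no enforced policy or the message
    #    failed it.  Either way the From address cannot be trusted.
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":
        findings.append(f"dmarc-not-pass: dmarc={dmarc}")
    return findings


def tag_subject(raw):
    """Prefix [EXTERN] when the sender is not one of our own domains."""
    msg = email.message_from_string(raw)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    if _domain(from_addr) not in INTERNAL_DOMAINS and not subject.startswith("[EXTERN]"):
        return "[EXTERN] " + subject
    return subject


# Constructed messages.
SPOOFED_BRAND = """\
From: "Microsoft Account Team" <noreply@sketchy-domain.example>
To: anna.schmidt@firma-ag.example
Subject: Unusual sign-in activity
Authentication-Results: mx.firma-ag.example; spf=pass smtp.mailfrom=sketchy-domain.example; dkim=none; dmarc=none header.from=sketchy-domain.example

Verify your account within 2 hours.
"""

SPOOFED_CEO = """\
From: "CEO Max Müller" <max.mueller@firma-ag.example>
Reply-To: max.mueller@firmaag.example
To: buchhaltung@firma-ag.example
Subject: Urgent wire transfer
Authentication-Results: mx.firma-ag.example; spf=fail smtp.mailfrom=firma-ag.example; dkim=none; dmarc=fail header.from=firma-ag.example

Please execute today, confidential.
"""

LEGITIMATE = """\
From: "Max Müller" <max.mueller@firma-ag.example>
To: buchhaltung@firma-ag.example
Subject: Quarterly report
Authentication-Results: mx.firma-ag.example; spf=pass smtp.mailfrom=firma-ag.example; dkim=pass header.d=firma-ag.example; dmarc=pass header.from=firma-ag.example

Attached as discussed.
"""
```

Note that the second message passes the display-name check (the name and the address agree) and is caught only by the Reply-To mismatch and the DMARC failure, which is why the text insists on DMARC enforcement: with `p=reject` on firma-ag.example that message would never have reached the mailbox.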
Phishing Kits and Phishing-as-a-Service
On the dark web, professional phishing kits are available for just a few hundred euros:
- Ready-made copies of bank, PayPal, and Microsoft 365 login pages
- Automatic credential logging via Telegram bot
- AiTM frameworks with dashboard
- "Bulletproof" hosting in countries with no law enforcement
Technical Protective Measures
Email Security:
Must-Have:
✓ DMARC p=reject - prevents domain spoofing
✓ SPF -all - only authorized servers may send
✓ DKIM - signature validation of outgoing emails
Recommended:
✓ Email gateway with URL rewriting (URLs are checked at the time of delivery)
✓ Sandbox for attachments (before users open them)
✓ External tag: [EXTERN] in the subject line for external emails
✓ Lookalike domain monitoring
✓ Email Security Gateway (Proofpoint, Mimecast, Microsoft Defender for Office 365)
✓ Anti-phishing filter with URL reputation checks
DNS-based protection measures:
→ Requests for known phishing domains are blocked at the DNS resolver
→ Cloudflare Gateway (free for up to 50 users), Cisco Umbrella
→ Analyze DMARC aggregate reports: Who is trying to send emails on your behalf?
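The Must-Have records above can be graded mechanically, and the aggregate reports DMARC delivers to the `rua` address answer the question just posed. The following is an added example, not code from the original article: the DNS records are constructed (a weak setting beside its corrected form), the domains use `.example` and documentation IP ranges, and the report follows the RFC 7489 feedback XML layout.

```python
"""Grading DMARC and SPF records, and reading a DMARC aggregate (rua) report
to answer "who is sending on our behalf?".

Added example, not code from the original article.  The DNS records and the
aggregate report are constructed (documentation IP ranges, .example domains).
"""
import xml.etree.ElementTree as ET


def parse_tags(txt):
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(txt):
    """Return the weaknesses of a DMARC TXT record; [] means it meets the Must-Have."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    p = tags.get("p", "none")
    if p != "reject":
        issues.append(f"p={p}: spoofed mail is not rejected")
    elif tags.get("sp", p) != "reject":
        issues.append(f"sp={tags['sp']}: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applies to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, no visibility")
    return issues


def grade_spf(txt):
    """Return the weaknesses of an SPF TXT record; [] means it ends in -all."""
    if not txt.startswith("v=spf1"):
        return ["not an SPF record"]
    terminator = txt.split()[-1]
    if terminator in ("+all", "all", "?all"):
        return [f"{terminator}: every host on the internet may send as this domain"]
    if terminator == "~all":
        return ["~all: spoofed mail is only soft-failed, not rejected"]
    if terminator != "-all":
        return ["no 'all' mechanism: unlisted senders are treated as neutral"]
    return []


def unauthenticated_sources(report_xml):
    """Rows of an aggregate report where neither DKIM nor SPF aligned."""
    root = ET.fromstring(report_xml)
    rows = []
    for rec in root.iter("record"):
        row = {
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
        }
        if row["dkim"] != "pass" and row["spf"] != "pass":
            rows.append(row)
    return rows


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@firma-ag.example"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@firma-ag.example"
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example ip4:198.51.100.25 -all"

# Constructed aggregate report: one legitimate source, one source spoofing the domain.
AGGREGATE_REPORT = """\
<feedback>
  <report_metadata><org_name>mailprovider.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>firma-ag.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>1500</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>firma-ag.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>firma-ag.example</header_from></identifiers>
  </record>
</feedback>
"""
```

The report shows the usual rollout picture: under `p=none` the 42 spoofed messages from 203.0.113.10 were still delivered (`disposition` none), so the record is only useful for the visibility it gives while every legitimate sender is brought under SPF and DKIM; once the unauthenticated rows contain only sources you do not recognise, the policy can move to `p=reject`.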
Browser protection:
Google Safe Browsing / Microsoft SmartScreen:
→ Enabled in Chrome, Edge, Firefox
→ Warns of known phishing URLs
FIDO2/Passkeys:
→ Prevents phishing by design:
→ Passkey is domain-bound—does not work on phishing domains
→ Even if the user clicks the phishing link: the browser sees the wrong domain, so the passkey is never used and no login takes place
Authentication:
- Phishing-resistant MFA: FIDO2 Security Keys (YubiKey), Passkeys
- Conditional Access Policies (only from managed devices)
- Privileged Account Protection: Admin accounts with the highest MFA security level
Organizational Measures
Processes for Money Transfers and Master Data Changes:
- Mandatory callback for changes to bank details via verified phone numbers
- Dual-control principle for transfers exceeding a certain amount
- "CEO Fraud Clause": Email alone is not sufficient authorization for payments
Incident Response for Phishing:
- Reporting channel for suspicious emails (button in Outlook, dedicated email address)
- SLA for processing reported suspicious cases (< 4 hours)
- Clear escalation: Who is notified if the link is clicked?
Phishing Detection for Employees
Warning signs in emails:
✗ Unexpected urgency ("Act NOW!")
✗ Unknown sender with a familiar display name
✗ Generic or incorrect salutation
✗ Suspicious domain in the sender or link (hover check!)
✗ Attachments from unknown senders
✗ Requests for credentials or money transfers via email
✗ "Verify your account" or "Update your information"
✗ Offers that are too good to be true
The most important rule: "If you're unsure—don't click, don't open any attachments, and don't enter any data. Call the sender back using a known number."
Phishing Simulation and Awareness Training
What Good Simulations Measure
Metrics:
Click Rate: % of employees who click the link
Submit Rate: % who enter credentials
Reporting Rate: % who report the attack
Time to Report: How quickly it is reported
Goals after 12 months of training:
Click Rate: < 5% (Starting point often 25–40%)
Submit Rate: < 2%
Report Rate: > 30% (without training: < 5%)
Important: Simulations are learning tools, not punishments!
→ If someone clicks: immediate training, no reprimand
→ Results: communicate aggregated data, no employee blame culture
Industry Benchmarks (GoPhish / KnowBe4 Data):
Without training: Click Rate ~30%, Credential Submission ~15%
After 12 months: Click rate ~5%, reporting rate >70%
Training Content (4 Modules)
Module 1: Recognizing Phishing
→ Check sender address carefully (not display name!)
→ Check URL before clicking (hover-to-see)
→ Linguistic indicators
→ Urgency as a red flag
Module 2: What to do if something looks suspicious?
→ DO NOT click, DO NOT open
→ Report the email as phishing (button in email client)
→ Notify IT Security
→ When in doubt: contact them directly (Phone, in person)
Module 3: Passwords and Credentials
→ Passwords are NEVER requested over the phone or via email
→ Password manager for all accounts
→ MFA as a backup if a password is phished
Module 4: If it happens
→ Notify IT immediately (no shame!)
→ Do not attempt to "solve" it yourself
→ The sooner it is reported, the less damage there will be
Simulations should be realistic but ethical: no exploitation of personal crises, clear internal communication about the program.
AWARE7 Phishing Simulation: Industry-specific scenarios, immediate learning module after clicking, quarterly reports for management.
AI and Phishing: The Next Generation
Generative AI is fundamentally changing phishing:
- No more language errors: ChatGPT writes flawless German—the classic detection tip of "poor German" is hardly valid anymore
- Real-time personalization: AI can automatically generate tailored spear-phishing emails from public data
- Voice Cloning: Deepfake voices for vishing attacks
- Video Deepfakes: Fake video calls – first major incidents not expected until 2024
Consequence: Security awareness must go beyond “checking the voice quality.” Processes and technical controls are becoming increasingly important.
Incident Response: Phishing Email Opened
Employee clicked on a link and entered credentials:
Immediate actions:
- Notify IT Security (even at 2 a.m.!)
- Change the password for the affected account IMMEDIATELY
- Terminate all active sessions for the account
- Reset MFA codes for the account
- Check and change passwords for other accounts using the same password
IT Measures:
- Check the account’s login history (any anomalous logins?)
- What data did the account have access to? (Assess the scope)
- Generate a SIEM alert for account activity over the last 24 hours
- Check the context: Was the attachment opened? Run a malware scan!
- Document for post-incident review
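Checking the login history for anomalous logins is the same behavioural analysis the BEC section calls UEBA: compare the last 24 hours against what the account normally looks like. The detector below is an added example, not code from the original article or from any SIEM product: the audit-log format, the user names and the IP addresses (documentation ranges) are constructed, and the two rules shown, a login from a country never seen for that user and two logins from different countries closer together than any journey allows, are the simplest useful ones.

```python
"""Login-history anomalies after a phished credential: new country and
impossible travel, judged against the account's own baseline.

Added example, not code from the original article.  The log format, users
and IP addresses (documentation ranges) are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def login_anomalies(lines, window=timedelta(hours=24), travel_gap=timedelta(hours=2)):
    """Return (user, rule, detail) for successful logins inside the last `window`
    that deviate from the baseline built from everything older than that."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    if not events:
        return []
    cutoff = events[-1]["ts"] - window
    baseline = defaultdict(set)            # user -> countries seen before the window
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]].add(e["country"])
    alerts = []
    last_success = {}
    for e in events:
        if e["result"] != "success":
            continue
        user = e["user"]
        prev = last_success.get(user)
        last_success[user] = e
        if e["ts"] < cutoff:
            continue
        if e["country"] not in baseline[user]:
            alerts.append((user, "new-country",
                           f"{e['country']} from {e['ip']} at {e['ts']:%Y-%m-%d %H:%M}"))
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] < travel_gap:
            alerts.append((user, "impossible-travel",
                           f"{prev['country']} -> {e['country']} within {e['ts'] - prev['ts']}"))
    return alerts


# Constructed audit log: two days of normal use, then the 24 h after the
# phishing email.  anna.schmidt entered her credentials on the phishing page.
LOG_LINES = """\
2024-05-06T08:02:11Z login user=anna.schmidt ip=198.51.100.20 country=DE result=success
2024-05-06T08:15:40Z login user=bernd.koch ip=198.51.100.21 country=DE result=success
2024-05-07T07:58:03Z login user=anna.schmidt ip=198.51.100.20 country=DE result=success
2024-05-07T08:20:12Z login user=bernd.koch ip=198.51.100.21 country=DE result=success
2024-05-09T09:10:55Z login user=anna.schmidt ip=198.51.100.20 country=DE result=success
2024-05-09T09:30:02Z login user=anna.schmidt ip=203.0.113.77 country=NG result=failure
2024-05-09T09:31:10Z login user=anna.schmidt ip=203.0.113.77 country=NG result=success
2024-05-09T09:45:00Z login user=bernd.koch ip=198.51.100.21 country=DE result=success
""".splitlines()
```

Both alerts for anna.schmidt fire on the 09:31 login; the failed attempt one minute earlier is the attacker trying the phished password, and is the kind of context that belongs in the post-incident documentation. In a real SIEM the baseline would span weeks rather than two days and would also cover devices and sign-in applications, but the structure of the query is the same.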
Conclusion
Phishing remains the most effective attack vector because it focuses on people—and people make mistakes. An effective anti-phishing strategy combines technical hardening (DMARC, phishing-resistant MFA, email gateway) with a continuous security awareness program. Neither alone is sufficient—together, they significantly reduce the risk.
Sources & References
- [1] APWG Phishing Activity Trends Report 2024 - APWG
- [2] BSI Lagebericht zur IT-Sicherheit 2024 - BSI
- [3] Verizon Data Breach Investigations Report 2024 - Verizon
- [4] Anti-Phishing Working Group (APWG) Trends Report - APWG
About the Author
M.Sc. in IT Security with over 5 years of experience in offensive security analysis. Leads the delivery of penetration tests, specialising in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.