In phishing, attackers lure their victims to fake websites in order to steal login data. Our technology editor Martin Gobbin lists twelve rules to protect you.
It all starts with an email
Almost fell for phishing: test editor Martin Gobbin. © Stiftung Warentest
"Your Apple ID has been blocked for security reasons." I received this message nine times within one week – often with alarming additions like "Important" or "Action required". The mails had no spelling mistakes, contained an Apple logo and appeared authentic in other respects as well. In reality, however, they were attempts to lure me to a fake page that looks like the Apple website and to get me to enter my Apple login data there. That is how the attackers wanted to hijack my account.
Honestly: I almost fell for it – even though I deal a lot with data protection and data security in my job. In short: this can happen to anyone, because phishing is becoming more and more sophisticated. Sometimes such mails (or SMS or social media messages) supposedly come from the bank, sometimes from the post office, sometimes from Amazon, Google or numerous other companies. If you actually enter your login data, you risk having your bank account emptied, expensive purchases made in your name, or being locked out of your own user account. But there are ways to recognize phishing messages. I will show you how to protect yourself with twelve rules.
1. Check suspicious mails on the computer
Like many other people, I now read my e-mails mostly on my smartphone instead of on my computer. This is helpful for attackers, because the typical signs of phishing – strange link and sender addresses – are harder to spot on a cell phone. In my mail app it was not even possible to display the real e-mail address of the sender. If an e-mail seems suspicious to you, examine the message on your computer rather than on your cell phone. Some indications of phishing are immediately recognizable on the smartphone as well: spelling mistakes, awkward language, Cyrillic letters or the creation of time pressure ("Act immediately! Otherwise your account is in danger.").
2. Pay attention to the sender extension
© Screenshot Stiftung Warentest
In my case, the supposed Apple mails came from senders like ft[email protected] The endlessly long, cryptic string of characters at the beginning already does not seem quite kosher. But above all, the ending "savagex.com" is a clear indication that the mail is a forgery.
Genuine Apple mails usually come from senders whose address ends in "apple.com". Even if the ending differs only slightly – for example "aplle.com" or "apple-company.cn" – this is often an indication of a fraud attempt.
By the way, the fact that the displayed sender name is "Apple" means nothing: it can be manipulated easily. The truth lies in the ending of the e-mail address.
3. Check the actual target of links
© Screenshot Stiftung Warentest
The e-mails contained links that were supposed to take me to the Apple website so that I could enter my login data there. But links are sometimes deceptive: for example, I can show you the address test.de here, but rig the link so that it actually takes you somewhere else (try it out!). If you move your mouse over a link – without clicking on it – you will see the actual destination address in the lower left corner of the browser's status bar. In my case, the supposed Apple link led to addresses like this: https://me2.do/FMRiIln6. For the research, I then did what you should not do: I clicked on the link. Through automatic redirects, it finally brought me to URLs like https://1wannaplay5.xyz/EtA9dRq.
Whether "me2.do" or "wannaplay": it doesn't look like Apple – otherwise "apple.com" would appear somewhere. However, it is not always that simple: as with e-mail endings, scammers often work with more subtle variations for website addresses, such as qoogle.com instead of google.com – or amazoon.ru instead of amazon.de.
© Screenshot Stiftung Warentest
By the way: if you do open the link by mistake, there is no reason to panic. Simply visiting a phishing page does not usually have any negative consequences, as long as you have an up-to-date anti-virus program and use browser functions such as "Safe Browsing". Danger only arises if you enter your login data on the page.
4. When in doubt, do not access websites via e-mail links
Since links in e-mails are not always trustworthy, if you are in doubt, you should visit websites via other channels. Simply type the URL directly into the address line – or use a search engine to find the relevant page. You can also save important addresses in the bookmark or favorites list of your browser.
This way you make sure that you really get where you want to go. If there is an actual problem – in my case the temporary blocking of my Apple account – the site will tell you after login. Of course, you can also ask the customer service of the respective provider whether the received mail really originates from the company. Do not use the contact options given in the suspicious mail, but the contact data on the provider's website.
5. Never disclose login data in plain text
Some phishing attacks do not work via deceptively real-looking websites on which you are supposed to enter your login data. Instead, the attackers ask you to send your user name and password by e-mail (or SMS or messenger message). You should never do this, because reputable providers would never ask you to disclose login data in plain text.
6. Also be careful with messages from acquaintances
Sometimes attackers manage to take over email accounts or social media accounts and send messages on behalf of the actual owner. Such a message appears to be trustworthy to the recipient. If a friend, relative or colleague asks you for login or payment information via email or social media, take the time to call them or ask them IRL (in real life) if it is really from them.
7. Never open attachments from suspicious mails
None of the nine e-mails I received from the phishers had an attachment. That's no wonder, because the mails were not intended to foist a virus on me, but to lure me to a fake site. In some cases, however, phishing mails do carry files in the attachment. Simply opening the e-mail does not usually cause any harm. However, you should never open or download attached files from questionable e-mails. Malware can hide behind them – for example so-called keyloggers, which record all keystrokes and thus read out your passwords.
8. Keep browsers and antivirus programs up to date
© Screenshot Stiftung Warentest
Fortunately, we are not alone in the fight against phishing attacks. Neither Chrome nor Firefox let me access the pages linked in the alleged Apple mails without warnings and detours. Both browsers warned me with bright red notices or simply refused to open the pages. Even current anti-virus programs often detect phishing attempts and block them or warn against them via a pop-up message.
9. Use a password manager
Just as my chain-smoking biology teacher once explained to me why not smoking is a good decision, I regularly write about the advantages of password managers but don't actually use one myself. The phishing mails have shown me again that I should finally change this, because password managers are a very safe way to avoid phishing attacks. Before each password entry, they automatically check whether the URL of the page being visited matches the address originally stored with the entry. If you are lured to a fake site, the program will not hand over the login data.
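As an added illustration, not code from the article: a Python sketch of the origin check a password manager makes before filling (rule 9), together with the kind of sender and link domain comparison that rules 2 and 3 ask you to do by eye. The trusted-domain set, the function names and the sample addresses are constructed for this example.

```python
# Added illustration (not from the article): the origin check a password manager
# performs before filling, plus a sender/link domain check in the spirit of rules 2 and 3.
from urllib.parse import urlsplit

# Constructed sample: domains the user really holds accounts with.
TRUSTED_DOMAINS = {"apple.com", "google.com", "amazon.de"}

def host_of(address):
    """Host part of a URL, or the domain part of an e-mail address."""
    if "://" not in address and "@" in address:
        return address.rsplit("@", 1)[1].lower().strip(".")
    return (urlsplit(address).hostname or "").lower().strip(".")

def registrable_domain(host):
    """Last two labels, e.g. 'id.apple.com' -> 'apple.com'. Simplification: real
    password managers consult the Public Suffix List (think 'amazon.co.uk')."""
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats like 'aplle'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(address):
    """'trusted' if the registrable domain is known; 'lookalike' if its label merely
    contains or is one edit away from a trusted brand (apple-company.cn, qoogle.com);
    otherwise 'unknown' (me2.do, savagex.com)."""
    domain = registrable_domain(host_of(address))
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = domain.split(".")[0]
    for brand in (d.split(".")[0] for d in TRUSTED_DOMAINS):
        if brand in label or edit_distance(label, brand) <= 1:
            return "lookalike"
    return "unknown"

def manager_would_fill(stored_url, visited_url):
    """A password manager releases a credential only when the page being visited has
    the same scheme and host as the stored entry: a copy on another host gets nothing,
    and a plain-HTTP downgrade of the same host gets nothing either."""
    s, v = urlsplit(stored_url), urlsplit(visited_url)
    return s.scheme == v.scheme == "https" and (s.hostname or "").lower() == (v.hostname or "").lower()
```

The "lookalike" verdict is a hint for a human to look twice, not proof of fraud; the manager's exact-host rule is the check that actually stops the fill.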
10. Use multiple login factors
If you are – like me – too lazy to set up a password manager, you should at least protect your passwords against misuse. The best way to do this is with multi-factor authentication (yes, I use it). Even if an attacker manages to steal your password, they would still need the additional factors you use to protect your account to log in – for example, they would need access to your phone or a pretty good copy of your fingerprint.
If you also want to forgo multi-factor protection, I really can't help you anymore. Well okay, if you must: at least follow these tips for strong passwords. The most important thing to remember: never use one password for multiple accounts! Otherwise your PayPal account might be in danger just because your cat forum password was cracked.
11. Use open WLAN networks only with a VPN
Sometimes phishing is not done via fake websites, but by directly intercepting data in an open WLAN. The attacker reads the data traffic while on the same network as you. This is becoming increasingly difficult today, as many websites and apps always transmit login data in encrypted form. But a residual risk remains. If you use a WLAN network that you don't control – be it on the train, in a hotel or in a cafe – you should always use a virtual private network (VPN). This ensures that your data is always encrypted. This is particularly important for sensitive activities such as online banking or communication with your employer's network.
12. Do not blindly trust HTTPS
You may have learned that you should only trust pages whose address starts with HTTPS – after all, the "S" stands for "secure". That's basically right: pages that start with plain HTTP are insecure, because they transmit data unencrypted. You should never enter login data there. Unfortunately, the reverse is not always true: the fact that a website uses HTTPS does not necessarily mean that it is trustworthy. After all, criminals can equip their fake sites with HTTPS too.