Warning: dangerous phishing attacks and how to protect yourself

Tanja Beller

Scam: unsuccessful booking

In one recent scam, shortly after you have booked a hotel stay or tickets on a portal, you receive a deceptively realistic-looking message. According to the message, there has been a problem with your chosen means of payment. You are asked to re-enter your payment data via a link sent for that purpose or, in a different version of the scam, to move the conversation to a messenger service such as WhatsApp. The message also creates a sense of urgency: if you don’t react by a certain deadline, the booking will be cancelled.

But be wary: the link will take you to a fake website and the messages are sent by the scammers. This is just an attempt to get you to enter your payment data, or make a direct payment, so that the criminals behind the scam can get at your money. A variation on the scam claims that you need to ‘verify’ your means of payment. If the person in question follows the steps to do so, however, they will simply send a payment directly to the fraudster.

How to protect yourself: only ever use the platform you booked through to make payments. Never follow a link to a different website. Often the name of the site will seem very similar to, but not quite the same as, the name of the original provider. 

Do not answer messages from strangers on messenger apps. If you receive a message via a messenger app, remember that this is not a normal way for companies to get in touch with you. Simply looking at the sender can confirm your suspicions. If you are unsure whether or not a message comes from the company in question, use official channels (telephone or email) to contact them directly. 

Scam: cancelling a payment

Fake cancellation websites lurk on the web waiting for new victims with this trick: if you want to delete a booking and use a search engine to search for information on how to do that, you might end up on a fake website. If you call the number you find on the site, you will be getting in direct touch with the scammers, who pretend to be employees of the company and often ask you to provide additional private information. In order to process the cancellation, they will ask you to download a specific app and add your data to it. However, instead of a cancellation and a refund, you will be allowing them to collect additional payments.

Scam: update TAN process

Bank customers are once again receiving more fake SMS messages asking them to update their TAN process (in Germany, a TAN, or transaction authorisation number, is commonly used as a one-time password to authorise financial transactions). One SMS sent by scammers claims that the customer’s registration for the TAN process offered by a real bank has expired, and it contains a link which the customer can supposedly use to renew their registration. In reality, the link takes the victim to a phishing website that asks for their online banking or TAN app login details, which are then handed straight to the scammers. If you are not a customer of the bank in question, you will be immediately suspicious. If you do happen to be a customer of that bank, it is important not to panic: simply delete the message. Your bank will never send you an SMS asking you to update any security measures.

QR code phishing bypasses security software

A quick scan of a QR code (quick response code) and you can directly access a restaurant’s menu, a registration form for booking tickets, or even an invoice. It’s a quick, easy way to avoid having to type long strings of information into your smartphone or tablet. But be wary: QR codes can also be used for phishing attacks.

For example, cyber criminals might send an e-mail requesting that you scan a QR code in order to open a document or invoice. However, the link will take you to a fake website, which will request that you enter personal data. Or they attempt to put you under pressure: they might claim that there is a security issue with your smartphone, tablet, or PC. They then tell you to scan the QR code ASAP for more instructions. Of course, the code takes you directly to a fraudulent website. 

This type of cyberattack is particularly dangerous because IT security software such as anti-virus programmes or firewalls does not recognise these phishing messages as a problem. Anti-virus programmes do scan your e-mail for suspicious attachments and links, but they treat a QR code as an ordinary image, not as an attachment or a link; the address hidden in it is only decoded once you scan it with your phone. As a result, these mails don’t end up in your spam folder but sit, clearly visible, in your inbox.

Security queries via QR code as part of 2-factor authentication have become a part of daily life, so we are unlikely to be sceptical when asked to scan a QR code. But you should also pay attention to security tips when dealing with QR codes: only scan them if they come from trusted sources and, if in doubt, do not open the link or enter the data they are asking for. If you are uncertain, use a different medium to contact the sender. 

Cybercriminals are using AI to optimise their scams

Large language models, the artificial intelligence (AI) systems behind chatbots, can rewrite text within seconds. Cybercriminals use these programmes to correct phishing mails or adapt their messages. This makes it even more difficult for the recipient to recognise them for what they are.

If in doubt, check the e-mail address the mail was sent from for discrepancies, for example by comparing it with earlier e-mails from the same sender. Pay close attention to the sender address: scammers often use e-mail addresses that are only one character off the genuine address. Always exercise caution when it comes to attachments and links sent by e-mail. If in doubt, contact the sender through a different channel, such as the official website or app.

You can check the destination of a link by hovering the cursor over the link text: a pop-up showing the address will open, or the address will appear in the footer of the window. Make sure that the address begins with https:// and that the domain name is spelled exactly the way you know it for the website in question. Scammers often use web addresses that are very similar to those of well-known sites in order to simulate integrity and trustworthiness.

‘Vishing’ – a portmanteau made up of the words voice and phishing – also makes use of AI. Scammers use the technology to imitate voices, practically perfectly. 

These fake voice messages are designed to convince the victim to provide personal information or even transfer money directly to the scammers: “I was in a car accident, and I need you to send me some money.” “Your account has been hacked.” They can even mimic the voice of a manager to provide instructions to employees who work in the accounting department, telling them to make a very urgent, very confidential bank transfer ASAP. In this case, it is very important to stay calm and not give out any personal information via the phone. If in doubt, ask for the caller’s telephone number and promise to call them back. This gives you time to check the number and whether or not the call was real. 

Scammers hide behind spoofed telephone numbers

‘Spoofing’ (from spoof, another word for parody) is another way that scammers try to fake trustworthy communication with the goal of collecting personal information. Caller ID spoofing is a technical manipulation that displays a number other than the one the call is actually being made from as the caller ID. This mimics a ‘real’ call, for example from your bank or a government authority.

The most important rule is to never allow yourself to be pressured into taking action while on the phone. Your bank, the Federal Financial Supervisory Authority (BaFin), Europol, or the police will never call you to ask for personal information such as bank account data, and they will certainly never pressure you to provide it! The best thing to do is end the conversation and then call both your bank and the police to clarify the situation and report the crime. Never use the redial function on your phone to do this. Instead, manually dial the number you know to be connected to your bank. It is also important that you never accept an offer to perform remote maintenance on your computer because of a supposed security threat or technical problem. You should also never respond to a demand to make a payment to a ‘secure’ account via the telephone.

Fake messages from LinkedIn and other social media platforms

Anyone who has joined a professional social network knows that these platforms regularly send e-mails. “You appeared in x number of searches”, “You have received a connection request”, “You have received a message”. These mails can also be spoofed, and often look almost identical to the real thing. The goal is to get your personal login data or scam you into clicking on a different, fake website. 

You can recognise these scam e-mails thanks to tiny errors, such as Linkedin instead of LinkedIn, the fact that they are sent from an unusual e-mail address, or small inconsistencies in the text or the logo. If you click on the link, you will be taken to a fake website, which will ask you to enter personal data, such as your telephone number. Once you have given your number to the scammers, they will call you in an attempt to trick you into giving out additional sensitive information. 
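The checks described above for e-mail senders and links (an address that is one character off the genuine one, a link whose text names one site but points to another, a missing https://) and the brand-name tell mentioned here (Linkedin instead of LinkedIn) can be mechanised. The following is an added example in Python written for this page; it is not code from the original article or from any bank, portal or platform. The trusted domain list, the similarity threshold, the two-label domain simplification and all sample addresses are constructed assumptions:

```python
import difflib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the domains you legitimately deal with.
# In practice this is your own short list of bank, booking and network domains.
TRUSTED_DOMAINS = {"examplebank.de", "linkedin.com", "hotelportal-example.com"}

# Similarity at or above this value, without being an exact match, is treated as
# "almost, but not quite, the real name". The threshold is an assumed value.
LOOKALIKE_THRESHOLD = 0.8


def _registrable_domain(host: str) -> str:
    """Reduce 'mail.examplebank.de' to 'examplebank.de'.

    Assumed simplification: keep only the last two labels. That is wrong for
    multi-part public suffixes such as 'co.uk'; a real tool would use a suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host: str) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', closest trusted domain or None)."""
    domain = _registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    best, best_ratio = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        # difflib ratio: 1.0 is identical; one changed character in a
        # 14-character name scores roughly 0.93.
        ratio = difflib.SequenceMatcher(None, domain, trusted).ratio()
        if ratio > best_ratio:
            best, best_ratio = trusted, ratio
    if best_ratio >= LOOKALIKE_THRESHOLD:
        return "lookalike", best
    return "unknown", None


def check_sender(address: str) -> Dict[str, Optional[str]]:
    """Classify the domain part of a From: address such as 'service@examplebank.de'."""
    _local, at, host = address.rpartition("@")
    if not at or not host:
        return {"address": address, "verdict": "malformed", "closest": None}
    verdict, closest = classify_domain(host)
    return {"address": address, "verdict": verdict, "closest": closest}


def check_link(href: str, shown_text: Optional[str] = None) -> Dict[str, object]:
    """Examine the real destination of a link (what hovering reveals), optionally
    against the text the mail displays for it."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    verdict, closest = classify_domain(host) if host else ("malformed", None)
    warnings: List[str] = []
    if parts.scheme != "https":
        warnings.append("not https")
    if verdict == "lookalike":
        warnings.append(f"host {host!r} resembles {closest!r}")
    elif verdict == "unknown":
        warnings.append(f"host {host!r} is not one you know")
    elif verdict == "malformed":
        warnings.append("no host in link")
    # Visible text naming one site while the link points to another is a classic tell.
    if shown_text and "." in shown_text:
        shown = shown_text if "://" in shown_text else "https://" + shown_text
        shown_host = (urlsplit(shown).hostname or "").lower()
        if shown_host and shown_host != host.lower():
            warnings.append(f"link text shows {shown_host!r} but points to {host!r}")
    return {"href": href, "host": host, "verdict": verdict, "warnings": warnings}


def brand_misspellings(text: str, brand: str = "LinkedIn") -> List[str]:
    """Find the brand name written with wrong capitalisation, e.g. 'Linkedin'."""
    return [m.group(0) for m in re.finditer(re.escape(brand), text, re.IGNORECASE)
            if m.group(0) != brand]


if __name__ == "__main__":
    # Constructed sample data resembling the mails described in the article.
    print(check_sender("service@examp1ebank.de"))
    print(check_link("http://examp1ebank.de/login", shown_text="www.examplebank.de"))
    print(brand_misspellings("Welcome to Linkedin! You appeared in 5 searches."))
```

The domain spelling comparison is the part that carries weight: an https:// prefix only means the connection is encrypted, and scammers obtain certificates for look-alike domains just as easily as anyone else, so a green padlock on its own says nothing about who runs the site.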

These scams also work on other social media platforms: Facebook, Instagram, X, or even messages supposedly sent by your e-mail provider. Every time you receive a message, you should be aware of the possibility that it could be a scam. Be particularly wary of clicking on links in a rush, without stopping to think first.

Tanja Beller, Media Spokeswoman