Cybersecurity Glossary
Many internet users have been victims of online fraud. But what different types of fraud are there and how can you protect yourself online?
We have compiled a summary of the most common scams and tips on how to avoid becoming a victim of online crime. Some scams, such as phishing, have been known about for years, but are continually evolving and being further refined – not least due to increasing digitalisation in all areas of our everyday lives. And scammers have also started using AI. So, it’s all the more important to stay informed about basic precautions you need to take to protect yourself from cybercrime.
An account takeover is identity theft – the scammers get hold of access details, e.g. to a third party’s e-mail account, and use it for criminal purposes. This includes changing personal data, such as passwords, sending phishing e-mails and stealing sensitive data.
Tips:
- Always choose a strong password: make sure you use both upper and lower case letters and special characters. Never use personal details, such as birthdays, names or similar information, for your password.
- Regularly check your personal online accounts. Access details are for your eyes only – don’t give them to third parties. Your personal data does not belong on social media either.
- If you notice any discrepancies with your bank account, then let your bank know as soon as possible and contact the police if you think there has been fraudulent activity.
- Two-factor authentication offers additional security. It works like this: To sign in, users must enter, for example, a transaction number in addition to their password. Alternatively, they might be asked to answer a security question if their log-in attempt was unsuccessful. The account will also be locked after too many unsuccessful log-in attempts.
A boiler room is not just a room with a boiler in it. It’s also a term used to describe a room full of scammers phoning people and trying to pressure them into buying their products. Boiler room fraud is a scam in which unsuspecting customers are put under pressure by the scammers to invest their money in supposedly profitable securities.
Customers are drawn into the scammers’ web when they click on adverts, which are usually deliberately misleading and often use well-known personalities or online magazines to give them a veneer of respectability. The fake adverts take users to fraudulent trading platforms. If you register your details here, you’ll likely get a phone call from a ‘broker’, usually from a telephone number abroad. They’ll try and persuade you to invest a small amount at first. This amount is then used to bet on the price trends of commodities, shares, indices, currencies or cryptocurrencies (for example, using contracts for difference (CFDs) or binary options). In reality, these securities don’t exist and your money will go directly into the fraudsters’ bank account. The scammers pretend these investments are generating profits to encourage victims to invest even greater amounts, until many thousands of euros have been lost.
Tips:
- Don’t click on fake adverts with unrealistic promises of “big profits with small investments”.
- Carefully check websites that ask you to enter personal data, to ensure they are legitimate.
- Be particularly wary if you suddenly get a phone call from a ‘broker’ or ‘investment consultant’ who tries to get you to invest money. Don’t allow yourself to be put under pressure on the phone. Hang up and, if you are in any doubt, contact the police.
- Never give your personal information to strangers. Don’t give them permission to access your computer or smartphone with remote maintenance software as this gives the criminals access to all your sensitive data.
- Some spam e-mails copy the appearance of well-known TV programmes to make them seem authentic. Check for different spellings or for individual letters replaced by numbers, for example. Be wary of keywords designed to engender trust, such as “your Swiss financial partner” or “special report”. Do not open e-mails from unknown senders.
- If you realise or suspect you may have been the victim of an online scam, report it to the police immediately. This will help bring the scammers to justice and might prevent others from suffering similar financial losses.
A botnet is a network of computers controlled by a server. The computers are infected with viruses (Trojans) which can be used to control them and carry out criminal acts without their owners’ knowledge, for example, sending out spam e-mails or carrying out denial-of-service (DoS) attacks.
Tips:
- The best protection against becoming part of a cybercriminal botnet without realising is to use an updated virus scanner and firewall, and the latest browser version. Important: You should also always download and install updates as soon as they are available.
- It’s very difficult to tell if your PC has been infected by a virus and is part of a botnet, unless you’re an expert. One clue is that your PC is unusually slow when using the internet. If you’re unsure, get the advice of a professional.
This type of scam is designed to manipulate the caller ID that shows up on your display. Criminals call you up pretending to be an employee of a bank, company or the police, with a fake caller ID that appears to be from a trusted source. But the caller ID is not real and the caller is actually a fraudster trying to get hold of your sensitive user data, such as account number, PIN, passwords or TANs. In doing so, the caller can be very persuasive and put their victim under pressure. So, it’s important not to give in to this pressure. If you are unsure, make a note of the caller’s contact details and tell them you will call them back later. This gives you time to contact the company, bank or customer service and find out if the call was genuine. In general, a bank employee would never ask you for your full telephone banking PIN, online banking PIN or transaction authentication numbers (TANs).
Tips:
- Do not give confidential access data, such as PINs or TANs, to third parties.
- Never send photos or scans of your TAN activation letter via the internet if asked to. It is also important you don’t send this letter to anyone by post either. The activation letter is only for your records.
- Do not give anyone access to your computer or mobile phone, and do not download any remote maintenance software.
- Do not give in to pressure. Instead, write down the caller’s contact information and tell them you will call them back. Then, contact the company’s customer service team yourself using publicly available information, not the information you received from the caller.
- If you suspect that unauthorised users may be aware of your online banking or telephone banking PIN, you should change them immediately. If this is not possible, then block your online banking. You’ll get new access data from your bank. In case of fraud, report it to the police. And make sure to report it to your bank as well.
- Carefully read the content of any TAN messages you receive and check to make sure you really do want to authorise a payment.
- It’s better to err on the side of caution. Having a healthy dose of scepticism may also help others: Be sure to discuss these types of fraud with your family and friends.
CEO is the abbreviation for Chief Executive Officer. CEO fraud is when criminals look to steal money from companies. They spy on a company over a longer period of time until they are well versed in its internal procedures. Then they strike. They pretend to be the boss of the company to get unsuspecting employees to carry out confidential financial transactions. The scammers make the actions seem plausible by, for example, linking them to specific business projects or planned investments. There have also been cases where the bank details of the recipient have been replaced with those of the fraudsters (mandate fraud). They send an e-mail falsely informing the company that a business partner has new bank details.
Tips:
- Always use common sense: As the employee of a company – particularly if you work in accounts or a similar department – you should be particularly careful. In the case of CEO fraud, the scammers will have spied on the company in question over a longer period of time and gathered a lot of internal information. This means they can add lots of correct information to allegedly confidential and very urgent payment orders from the CEO. But you should also beware of phone calls – even if the call is from someone whose voice you think you recognise. Nowadays, there are devices that can imitate people’s voices.
- Ask questions: If you are in any doubt, you should always pluck up the courage to question unusual business transactions. Your gut feeling might prove to be right! Once a payment has been initiated, it cannot usually be stopped. Particularly in the case of large amounts, always stick to the proper procedure (signatures from authorised persons, legitimate power of attorney, have a second person double check).
In the case of a charity scam or fake charity scam, criminals prey on their victims’ willingness to be helpful. The fraudsters will use real events such as floods, earthquakes or conflicts and pretend to be from a new or existing aid organisation. The websites look very similar to those of real aid organisations. Or the scammers think up hard-luck stories, such as illnesses, deaths or animals in distress. They use such stories to tug on the heart strings and trigger an emotional response from their victims. If they achieve their goal, then money from donors willing to help will end up with the criminals and will not go to any aid organisations.
Tips:
- If you are contacted via social media, then check to see if the organisation in question even exists. Serious aid agencies will have a seal to prove they are genuine. The Deutsche Zentralinstitut für soziale Fragen (German Central Institute for Social Affairs) keeps a list of all aid organisations with a genuine seal of approval. You can look it up on the internet – don’t use a link.
- If someone stops you on the street and you are unsure, take one of their flyers and do some research at home before donating. Do not give in to pressure. Above all, be sceptical if they try and make you feel guilty if you refuse to donate. Direct or indirect accusations of selfishness or cold-heartedness are not unusual in such cases.
- Never give anyone your bank account details or credit card information in situations such as this.
Cybertrading is a form of fraudulent online trading. Similar to fake online shops, online platforms offer investment products such as cryptocurrencies and shares, but they are not real and do not actually exist. Investment fraud is not a new form of fraud but cybertrading takes it to a new level due to the technical and organisational developments on fraudulent platforms set up by professional and cross-border criminal gangs.
Clicking on advertising banners on social media or in e-mails or even from targeted phone calls purporting to be from financial advisors can sometimes take you to websites that appear genuine. Cybertrading scammers lure potential investors by promising them huge profits from small initial investment amounts. After registering on the fraudulent platform and having bought an investment product, the investor is shown a simulated increase in profit or the scammers may even pay out returns on the initial investment. After their initial success, the investor is encouraged to buy more investment products. The fraudsters then ask for access details to the investor’s online banking and TANs so they can transfer the supposed profits. But, of course, instead of transferring money, they will empty the investor’s account.
To protect yourself from cybertrading, you should always be sceptical of offers of huge profits at little or no risk. Check that the company is licensed; making enquiries at the Federal Financial Supervisory Authority (BaFin) can often be very helpful. BaFin can also provide information as to whether a company suspected of fraud is currently under investigation.
The word deepfake comes from “deep learning” and “fakes” and refers to fake videos, images or voice messages generated on a computer. Using artificial intelligence, these fakes have now become very convincing. They are used, for example, in phishing e-mails to lure internet users into clicking on a link. Fake voice messages from the boss (see CEO fraud) can be used to get employees to transfer money to scammers.
Tips:
- Think before you click! It’s a mistake to click on links in e-mails and text messages without thinking. It’s important to first check they come from a legitimate source. Update your anti-virus programme, firewalls and software on a regular basis.
- As the employee of a company – particularly if you work in accounts or a similar department – you should be especially careful. In the case of CEO fraud, the scammers will have spied on the company in question over a longer period of time and gathered a lot of internal information. This means they can add lots of correct information to allegedly confidential and very urgent payment orders from the CEO. But you should also beware of phone calls – even if the call is from someone whose voice you think you recognise. Nowadays, there are devices that can imitate people’s voices.
- Ask questions: If you are in any doubt, you should always pluck up the courage to question unusual business transactions. Your gut feeling may prove to be right! Once a payment has been initiated, it cannot usually be stopped. Particularly in the case of large amounts, always stick to the proper procedure (signatures from authorised persons, legitimate power of attorney, have a second person double check).
- An unusual, monotone-sounding voice can be a sign that it was generated using a computer. But be careful – these fakes are also getting better and better.
Distributed Denial of Service attacks are aimed at webservers and their purpose is to overload them and thereby prevent access to the website either temporarily or permanently. They affect all internet services, but, in particular, websites with customer offers, such as online shopping and online banking. DDoS attacks are controlled by a widely networked botnet.
Tips:
- If you notice you cannot access the internet site of your bank or any other affected company, you can contact them by phone.
- Take note of information on social media. The affected companies often use these channels to inform customers when their services are available again.
Emotet is a particularly nasty piece of malware because it is hidden in an e-mail from someone you know. Victims are easily conned into clicking on an attachment (particularly an Office document). The malware then retrieves your contacts and messages and uses them to spread itself to another unsuspecting user.
Tips:
- Implement all security updates regularly and as soon as possible. And always keep your anti-virus software up to date.
- Be extra careful – even with e-mails from people you know – before you open a file (especially an Office file).
- Once your computer has been infected, the only way to fix it is to completely reinstall the computer’s operating system. That’s why it’s important to regularly save your data on an external hard drive.
- If Emotet has infected your computer, you should let all your e-mail contacts know about the attack. This virus sends infected e-mails to the addresses in your address book, so the virus could target all your contacts as well.
Fake apps are mobile applications that plant malware on unsuspecting users’ smartphones or tablets by pretending to be a harmless application. Such apps are often available from official stores – until their true purpose is exposed and they are removed.
If a user downloads the app (including the Trojan) to listen to music or as a QR code/PDF scanner, for example, and installs it on their mobile device, the scammers can use subsequent updates as a gateway for (additional) malware. Among other things, the malware can record keystrokes and make screen recordings, thereby accessing registration data, such as usernames, passwords, etc.
Tips:
- Only ever download apps from an official app store, never use download programmes or third-party platforms.
- Be sure to check the name of the app, for example, watch out for spelling errors, colons or alternative spellings or the addition of ‘pro’ at the end of the name. With providers you don’t know, changes to the logo could also be a clue they have been manipulated.
- You shouldn’t rely solely on the number of downloads. Before you download an app from an unknown provider, you should read its reviews and ratings.
- Be careful if you are asked to enter detailed personal data or payment details that you have either already entered or that are not required for the application.
- Check precisely which authorisations your app actually needs to carry out its stated purpose and which can be deactivated. For example, a music app does not need access to your contacts or to location services.
Beware of job offers advertising vacancies for a financial agent. What’s the catch? You are required to use your bank account to accept and transfer payments from third parties. In return you’ll receive a commission. The fraudsters recruit their victims in various ways: with serious-looking job adverts, via personal e-mails or on social networks. Sometimes they even replicate genuine company websites.
Take note: Even if you commit an illegal act unknowingly, you can still be prosecuted.
Tips:
- Be sceptical if you receive an unsolicited offer to earn ‘easy money’.
- Cast a critical eye over offers where you are asked to use your own bank account to settle payments for companies or other people.
- The offers are sometimes poorly worded and often contain grammar and spelling errors.
- If you’ve received a suspicious e-mail, don’t reply to it or click any links it contains. Do not pass on your account details.
- If you think you might be involved in a case of finance agent fraud, stop making the transfers immediately. Inform your bank and the police.
- Regularly check your account. Unexpected credits to your account should also arouse your suspicion.
Known as bankdrops in the cybercrime scene, this term refers to accounts that criminals use to process fraudulent payments. The accounts are opened with stolen data or even from unsuspecting consumers who provide them with their data under the misapprehension that they have been offered a genuine job, e.g. as a bank app tester.
Tips:
- The fraudsters recruit their victims in various ways: with serious-looking job adverts, via personal e-mails or on social networks. Sometimes they even replicate genuine company websites.
- Be sceptical if you receive an unsolicited offer to earn ‘easy money’.
- And don’t open a ‘test’ account. If you use your personal data to open an account, you are still opening the account in your own name.
- Cast a critical eye over offers where you are asked to use your own bank account to settle payments for companies or other people.
- If you think your account may have been used for fraudulent purposes, inform your bank and the police. If fraudulent payments have been transferred to or from accounts in your name, you could be liable!
- Check your account regularly. Unexpected credits to your account should also arouse your suspicion.
Rooting is the process of attaining privileged control (known as root access) over various subsystems of an Android smartphone or tablet. A similar process on Apple devices is known as jailbreaking. If a hacker has root access over a device, they can deactivate its security software and change its security settings or install malware.
Tip:
- Only use apps from authorised app stores to do your online banking.
Godfather is the name of malware (a Trojan) that is suspected of being able to attack banking and crypto apps. This malware attacks mobile devices via fake apps. Experts suspect that Godfather primarily uses music apps to access devices. In principle, however, malware can be loaded onto a mobile phone via any ‘fake app’ if it has been manipulated accordingly by cyber criminals. Malware could then be used, for example, to record keystrokes made on the smartphone or tablet and pass them on to criminals.
Tips:
- Only download apps from authorised app stores.
It’s important that you only download apps from the official app store. Always make sure your apps are up to date and regularly install the latest update – but only from the official app store, of course. Always check the name of the app very carefully as well. If you notice spelling errors, colons or other odd spellings, such as the addition of ‘pro’ at the end of the name, you should be careful and do more research.
- Don’t rely on the number of downloads.
Don’t rely on the number of downloads. Irrespective of the number of users who have downloaded or liked the app, these figures are not an indicator that the app is genuine.
- Be careful when asked to enter data.
If you are asked to give personal or account data when logging on to your banking app when you get a new phone then that is a normal part of the registration process. However, you should be suspicious if you suddenly need to log in again even though you haven’t got a new phone, or if you are asked for very detailed personal data that you have already provided.
- Check app authorisations
Check precisely which authorisations your app actually needs to carry out its stated purpose and which can be deactivated. Here’s an example to clarify: A music app does not need access to your contacts or to location services.
- Keep your access data confidential
When you log in to mobile banking, you will be asked to provide access data to prove your identity – this might be a personal identification number (PIN) or a password in combination with your log-in ID. You may also have to enter a transaction authentication number (TAN). Never save your access data on your mobile device, not even as a photo or in your contacts. These data can not only be accessed if the device is stolen but also via digital means.
In a case of identity theft, the criminals steal your personal details, such as name, date of birth, telephone number, address and access data to your e-mails or social media accounts and use them fraudulently, for example, to purchase items online in your name.
Tips:
- Be particularly careful with your personal data. The rule of thumb here is to limit how much data you give away! Only reveal as much information as is absolutely necessary.
- You can also protect yourself by setting up different e-mail addresses for different purposes.
- Always check all your important accounts and bank statements regularly.
If you are on the lookout for attractive investment opportunities, searching online or using a comparison site on the internet can often yield promising results. But it’s important to be vigilant here. Even company websites for banks, comparison sites and merchant platforms can be perfectly replicated. If you enter your personal data on these fraudulent sites, you’ll effectively be handing them straight to the criminals. Often, the victims of the scam will then be contacted by phone or via one of the many messaging services.
In particular, claims of lucrative offers with unusually high interest or returns are often scams. Instead of getting a return on your investment, you could lose it all. However, it’s also possible that a fraudulent offer doesn’t stand out because it offers a high interest rate or return, in which case you need to look out for other warning signs.
Tips:
- The Federal Financial Supervisory Authority (BaFin) provides information about unauthorised companies and cases of identity theft and publishes current warnings and information for consumers. Consumer organisation, Stiftung Warentest, provides information about dubious investment offers on its Investment Warning List (in German only).
- Check websites carefully, particularly if the site is for a bank or company you don’t know. Look at the site’s legal notice and do some research into the company on the internet. Always check the spelling. Often, the spelling is slightly different to the real firms. Do not access the bank or company portal via a link you’ve been sent.
- Some spam e-mails copy the appearance of well-known TV programmes to make them look authentic. Check for different spellings or for individual letters replaced by numbers, for example. Do not open e-mails from unknown sources.
- Sometimes the company’s website has only recently been registered. This can also be a warning sign. You can use the “WHOIS” query to check when a site was registered. Just enter the phrase “WHOIS” into a search engine and then you can do search on any of the various provider sites.
- Be particularly wary if suddenly you get a phone call from a ‘broker’ or ‘investment consultant’ who tries to get you to invest money. They will often try and put unnecessary pressure on you. Especially when it comes to investing money, you should not act impulsively and take the time you need to consider your options.
- If you realise or suspect you may have been the victim of an online scam, report it to the police immediately. This way you can help others.
Invoice fraud is a scam in which the perpetrator sends out fake invoices by e-mail, post, fax or telephone to companies or private individuals to obtain illegal payments. Scammers will often pretend to be suppliers, service providers or business partners. A common method is to ask the invoice recipient to change the account details they have stored for payments. They might also send a fake invoice to get the victim to transfer the invoice amount to their own account. The criminals will often call the victim and pretend to be from the company who issued the invoice to get them to change their bank details. They then ask you to transfer all future payments to the “new” account. This request often appears credible, particularly if the fraudsters pretend to be from service providers or suppliers the victim is expecting an invoice from. The scam usually only comes to light when the real invoicing party discovers that their invoices are not being paid. The fake invoices are so professionally designed that they are hard to distinguish from real ones.
Tips:
- Checking invoices: Carefully check whether invoices show amounts you were expecting and that the details for the issuer of the invoice are the same as previous payments. It might be useful here to compare the invoice data with the original order.
- Confirming changes: If a supplier or service provider changes their bank details, contact them directly to verify the changes. To do so, always use the contact information you had previously and not any new information in the e-mail or on the invoice.
- Confirmation procedure for larger payments: For payments that exceed a certain threshold, you could set up a procedure for confirming the correct bank account and recipient, e.g. double check by a second person.
A jailbreak is where usage restrictions on Apple devices are removed without the user being authorised to do so. With Android devices this is usually referred to as rooting. After a jailbreak, the device can then, for example, install apps from unauthorised sources. This increases the risk of downloading malware.
Tip:
- For online banking, only ever use apps from the authorised app store.
A keylogger is hardware or software that records all the keystrokes made on the keyboard. This allows cybercriminals to identify passwords and access data.
Tips:
- The hardware versions (usually mounted inside the keyboard) are also sometimes so well disguised that users do not notice any difference. That’s why you should never use public PCs for sensitive data. Protect your PC with a password if unknown people have access to it – for example in a room used by several people.
- Protect yourself from keyloggers by taking the usual security precautions, such as virus scanners and a firewall.
When cybercriminals try to steal data from professional networks, this is known as LinkedIn phishing. To do this, they will often copy messages regularly sent by the platform such as “You have been found in [so and so many] searches” or “You have received a contact request/message” with the aim of obtaining personal data (access data, passwords) or luring you to another fake site via a link in order to obtain further information (telephone number, credit card details).
You can recognise these scam e-mails thanks to tiny errors, e.g. Linkedin instead of LinkedIn, the fact that they are sent from an unusual e-mail address or small inconsistencies in the text or the logo.
These scams also work on other social media platforms: Facebook, Instagram, X or messages from e-mail service providers. Whenever you receive unexpected messages, you should consider the possibility that it could be a scam. Be particularly wary of clicking on a link quickly, without thinking.
Log4j is a software library widely used in Java applications, for example to record program activity in log files. Log4Shell is the name given to a vulnerability in this library. On 10 December 2021, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) issued a warning about the vulnerability in the Java library and urgently recommended installing the latest security updates as quickly as possible.
Malware is any malicious software on your PC or mobile device (see also Emotet, Trojan, ransomware). It is usually installed when unknown attachments are opened or software is downloaded from manipulated internet sites. In order for the malware to remain undetected, it will sometimes deactivate your personal firewall or anti-virus program. When that happens, the hacker can control all the functions and files on the infected device.
Tips:
- Make sure your anti-virus program carries out a full check on all your apps, folders and files at least once a week.
- Urgently install updates for your anti-virus program, your firewall and your operating system.
- Install other programs and apps as soon as updates are available.
A money mule is a person who criminals use to carry out their money laundering or other fraudulent activities. In Germany, this is usually referred to as a finance agent. Victims are usually offered a job in which they are ‘just’ supposed to transfer money from their account to other accounts. In return they are offered commission. But, in reality, the criminals want to launder money from illegal activities or online scams. The money usually flows directly into an account abroad. Even if the money mule is unaware and has nothing to do with the criminal activities, they may still be liable.
Tips:
- The fraudsters recruit their victims in various ways: with serious-looking job adverts, via personal e-mails or on social networks. Sometimes they even replicate genuine company websites.
- Be sceptical if you receive an unsolicited offer to earn ‘easy money’.
- Cast a critical eye over offers where you are asked to use your own bank account to settle payments for companies or other people.
- The offers are sometimes poorly worded and often contain grammar and spelling errors.
- If you’ve received a suspicious e-mail, don’t reply to it or click on any links it contains. Do not pass on your account details.
- If you think you might be involved in a case of finance agent fraud, stop making the transfers immediately. Inform your bank and the police.
- Check your account regularly. Unexpected credits to your account should also arouse your suspicion.
Nowadays, you can buy almost anything online – from clothes to electronic devices, furniture, holidays or food. Internet stores are increasing their sales year on year. But this provides plenty of opportunities for cybercriminals. For example, fake shops can earn a lot of money but deliver no goods. Merchants’ databases are hacked and their payment data phished.
But even well-known online marketplaces are targeted with a variety of scams which aim to steal money or goods from the seller or buyer.
Pharming is the next stage on from classic phishing. It is a combination of the words ‘phishing’ and ‘farming’. With this particular online scam, the internet user is redirected to a fake website by manipulating their web browser. The fake websites are hosted on large server farms (groups of networked servers) operated by scammers for this purpose. This is where the term ‘farming’ comes from. This method has the same aim as phishing, which is to obtain personal information, credit card data for example, with the intent to commit fraud.
It is therefore the next stage on from conventional phishing because, in this case, the internet user visits a fake website without realising it. With classic phishing, the user is lured with a link which is sent in a realistic-looking e-mail. The fraudster then waits until the recipient clicks on the link. With pharming, malware is installed on the user’s computer which, in the background, redirects the address entered to a phishing site.
Tips:
To protect yourself from pharming, be careful when you use the internet and make sure your computer is sufficiently protected.
- You can do this by ensuring your virus scanner, firewall and browser are all up to date and you only download software from reliable sources.
- In order to protect yourself from malicious software that can manipulate your browser, you should familiarise yourself with the general rules on how to deal with malware, trojans and phishing. In particular, you should never click on links from unknown senders or open executable files (.exe, .bat, .com) in attachments. Always check the content and the design of e-mails in order to identify fake e-mails and phishing mails.
- Check that the address of the internet site you are visiting (the URL) is legitimate: The URL should begin with https or display the locked padlock icon, and the spelling should not have been altered in any way. Fake websites often have an additional dash or an individual character which is different from the real URL. A fake website URL may also consist of several words that are not in the genuine URL. Also check the design of the website. Different colours, fonts or positioning of web elements from those of the known website could also indicate the site is fake. If you notice differences such as these, never enter your personal data on the website.
- Security certificates on a website also provide additional protection. If your browser indicates that the server certificate could not be verified then be very careful with this site.
Phishing is a portmanteau made up of the words ‘password’ and ‘fishing’: “fishing for passwords”. Here, scammers try to get hold of access data using fake e-mails or websites, for example. Victims often hand over access data to unauthorised parties without realising it. Known examples include phishing attacks against bank customers who are requested by e-mail to enter their access data on the bank’s website. One particular variant is called ‘spear phishing’. Here, the criminals target an individual victim: With the help of information that they have previously stolen or collected from the internet, they try and get company employees to transfer money to third-party accounts. Oblivious employees are often told that their boss needs the transfer processed urgently and that it’s especially confidential (CEO fraud).
Tips:
- Install and regularly update a virus scanner and a firewall on your PC. You should also make sure your software is always up to date. As soon as an update is published, you should install it straight away and don’t procrastinate. This also applies to tablets and smartphones.
- Never click on links or attachments from unknown e-mail senders. Always check the sender and the e-mail carefully. Don’t allow yourself to be put under pressure by the content of the message. Keep calm.
- Do not save any personal data (PINs, passwords) – even encrypted – on your PC, tablet or smartphone.
- Only enter online banking access data if you are sure you are doing so on the correct banking or payment site or app of the relevant bank or payment service provider. You can tell if there’s a secure connection by looking at the address of your bank’s website. It should begin with https:// and you should see a padlock symbol in your browser’s address bar.
“Quishing” or “QR phishing” is a form of phishing in which Quick Response (QR) codes – also known as scan codes – are used to obtain user data or for other fraudulent purposes. Two-factor authentication, in particular, makes this form of online fraud especially dangerous.
QR codes have become widespread and common in our everyday lives. This means people are less sceptical about using QR codes, particularly since the advantages of QR codes are self-evident. Users no longer have to enter website addresses or data manually and they can be used for a wide range of platforms. Phishing attacks using QR codes also exploit a weakness of IT security solutions. QR codes sent by e-mail, for example, are not seen as potential risks by virus scanners and other security programs because the QR code is recognised as an image file only.
The cybercriminals use this to their advantage and get users to visit a fake website – usually by pretending they need to take urgent action – and then enter their personal (access) data where the scammers can access it. But a QR code can also take the user to a download link which infects the user’s mobile device with malware that is then used to obtain sensitive data and transfer it to the fraudsters.
Tips:
- In order to protect yourself from phishing attacks with QR codes, carefully check the sender or the source of the QR code and, if you’re not sure, contact the sender directly.
- Always download and install the latest updates for your security software.
- Multi-factor authentication is generally very useful because a second form of authentication makes it more difficult for criminals to get hold of your primary access data.
Ransomware is malware that encrypts data and systems so that you can no longer access them. You can only get access again if you pay the criminals a ransom. It is essentially a case of digital blackmail.
Tips:
- Implement all security updates for operating systems and application programs as quickly as possible. Always keep your anti-virus software up to date.
- Check the sender before clicking on a link or opening an attached file.
- Once your computer has been infected, the only way to fix it is to completely reinstall the computer’s operating system. That’s why, even as a private user, it’s important to regularly save your data on an external hard drive.
- Get the advice of an expert and report the incident or file a complaint with the police.
With romance or love scams, the scammers create a fake identity on social media and on online dating platforms. They quickly try and build up an emotional connection to their victims with false names, fake backgrounds and attractive photos. Once they’ve done this, they only have one aim: to get their victims to part with their money.
A typical method is to frequently suggest they meet in real life, but then for one reason or another the meeting never actually takes place. Instead, there is suddenly a serious problem and the scammers ask their victim for financial support to help them out. In most cases, they pretend to be in an emergency situation where they need medical treatment, for example. Or they may ask for an advance payment for travelling expenses. But the visit almost never takes place.
Tips on how to protect yourself
- Never transfer money to people you meet online with whom you have no personal contact and have never met in person. Be extremely sceptical, don’t let yourself be talked into doing anything and don’t be put under pressure. Tell your friends or family about the situation. There is information on the internet and also image databases of known love scammers. Do some research and break off contact if you are unsure.
- Under no circumstances give personal details or account and credit card information to strangers.
- Scammers on online dating platforms will also try and get their victims to invest money in ‘lucrative schemes’. Don’t be fooled by ‘hot tips’ on investments, particularly if they promise you big returns on your investment.
- If you have already transferred money to a scammer, contact your bank immediately. Save the evidence and report it to the police.
The term scamming refers to any kind of internet fraud in which the scammers try to influence internet users on an emotional level, for example, by exploiting their desire for a dream job, dream flat or romantic relationship. Tempting but fraudulent offers are aimed at getting users to make some kind of ‘advance payment’ by pretending to offer emotional or material benefits.
For example, when it comes to love or romance scamming, contact is made with victims via online dating sites or social networks. By giving victims continual attention and declarations of love in chats and telephone calls, scammers aim to build up a personal connection and thereby an emotional dependency. Once they've achieved this, the scammers pretend they or their family members urgently require emergency medical treatment or that they've lost their travel documents or credit card abroad and ask their victims to help them out. The scammers continually promise to meet their victims in person or pay back money they’ve borrowed, but never do.
In some cases, scammers lure their victims with promises of money from inheritances, beautiful homes at bargain prices or well-paid dream jobs. In other cases, victims are asked to pay for notaries, taxes, rent, deposits or equipment in advance. Once the money has been transferred, the scammers disappear without a trace.
Tips on protecting yourself against scamming:
The best protection against scamming is to be careful and sceptical in order to recognise the fraudulent intentions of the internet contact or lucrative offers. Here are some things to look out for to help you identify scams:
- When it comes to love scams, scammers will only use a few profile photos, which are often stolen or obviously staged. Profile pics are always of very attractive men or women. The fraudsters behind the fake profiles often pretend to be educated people with professions such as policemen, doctors, architects or engineers for men and doctors, teachers or nurses for women.
- Conversations usually escalate rapidly from excessive declarations of love to discussions of marriage, even though they have never met in person. There are also no video chats as the scammers pretend not to have a working web camera.
- When it comes to real estate offers, the victim has to make an advance payment before they can view the property; in return, they’ll be sent a key by post. Scammers offer their victims the chance to cancel the deal if they don't like the property.
- With lucrative job offers, the scammers only provide a telephone number and after a short telephone interview, the applicant is given the job immediately.
- In all cases, check all the details carefully and be on your guard. For example, you can look up names and other information on the internet to check their authenticity.
- The most important rule to protect yourself from such scams is to never make cash or bank transfers to unknown international contacts. You should also never give personal details, such as credit card data or copies of identification documents to people you don’t know, however much emotional pressure you are put under or however attractive an offer appears.
SIM or SIM card swapping is when criminals gain access to your mobile number or SIM card. Scammers will convincingly assume the identity of their victims – any personal information they have found or harvested from the internet or social media can help them do this. If they manage to change the mobile phone provider, they can apply for a new SIM card in the victim’s name. Once the criminals get hold of the SIM, all messages and calls are diverted to another smartphone. They can also take over online or e-mail accounts as soon as the mobile phone number is linked to the relevant account, using the “forgotten password” function. If the criminals even manage to access the victim’s online banking, they can transfer money from the victim’s account to a different account using the TANs.
Tips:
- Set up a special security feature with your mobile phone provider so you can verify your identity. This could be a security question or a PIN.
- Have your mobile provider confirm any change of SIM card, for example, via push notification.
- Reveal as little private information about yourself as possible on the internet and on social media networks, so that criminals aren’t able to obtain personal details.
- Choose different passwords for different accounts and make sure they are all as strong as possible. The longer the password, the harder it is to hack.
- Don’t open links from unknown senders in e-mails or text messages (see phishing).
- Check your bank statements regularly, at least once or twice per week if possible.
Smishing is basically phishing by text message or SMS. The recipient of the text message is requested to click on a link or call a telephone number in order to ‘check’, ‘update’ or ‘reactivate’ their account. The link then takes the potential victim to a fake website or the call is picked up by the scammers who pretend to be employees from the real company.
Tips:
- In general, don’t be too quick to click on links or call the number given. Take your time and don’t be pressured into doing anything rash.
- Check the sender before clicking on links or opening attachments or image files. This also applies to text messages (SMS).
- Banks will never ask you for online banking passwords, PINs for credit/debit cards or any other security features by text message (or telephone or e-mail) and will never ask you to transfer money to another account.
- If you suspect you may have been the victim of a scam, contact your bank immediately and, if necessary, report the incident to the police.
The term social engineering refers to attacks by criminals where human behaviour is manipulated. The aim of the manipulation is to circumvent technical security measures. The manipulations can be implemented in a number of ways and with the aid of artificial intelligence: Using personal details harvested in advance, the scammers then make up stories which appear credible to their victims. They can also create fake voices, photos and videos using AI. Fake websites can be reproduced and made to look deceptively realistic. They often use psychological tricks to exploit their victims and put them under emotional stress, pressuring them into taking action urgently.
Social engineering is very dangerous because it is able to get round technical security precautions. Using targeted psychological influence, victims themselves open the door for cybercriminals: by transferring payments themselves, installing remote maintenance software giving criminals access to their devices or by entering their data on fake websites, etc.
Tips:
- It’s better to err on the side of caution if you get an unexpected call, text or e-mail from someone you don’t know. Keep calm if and especially when you’re put under pressure to act quickly. Don’t reveal any personal information.
- Never click on links or attachments from unknown e-mail senders. Always check the sender and the e-mail carefully. Don’t allow yourself to be put under pressure by the content of the message. Keep calm.
- Install and regularly update a virus scanner and a firewall on your PC. You should also make sure your software is always up to date. As soon as an update is available, you should install it straight away and don’t procrastinate. This also applies to tablets and smartphones.
- Always use strong passwords for your online accounts, use two-factor authentication where available.
- Don’t reveal personal details on social media channels. Cybercriminals are skilled at harvesting your data and then using them for their scams.
Spoofing is the practice of sending e-mails or making phone calls etc. that appear to come from somebody else. The aim of the various spoofing attacks is to pretend to be from a reliable source in order to obtain sensitive personal details with the intent of using them for fraudulent purposes. Spoofing is often carried out in advance of a fraudulent act such as phishing or pharming. It is done by faking the caller ID (caller ID spoofing), the e-mail sender (mail spoofing) or internet website (website spoofing).
- Caller ID spoofing is a type of technical manipulation that allows a fake caller ID number to be displayed on your mobile to hide the real identity of the caller or sender of a text message (SMS). This mimics a ‘real’ call, for example from your bank or the police.
- With mail spoofing, the scammers send deceptively genuine e-mails pretending to be from a bank, official authority or well-known mail-order company in order to get hold of the recipient’s personal data or to infect their computer with malware.
- With website spoofing, the fraudsters make fake copies of internet sites (e.g. of a bank or online shop). They then use these sites to fraudulently obtain the internet user’s personal data. The web addresses of the fake sites are often disguised using link titles that appear to be legitimate, thus enticing users to access the fraudulent website.
Tips:
- Unfortunately there is no technical method of determining whether the caller ID has been manipulated or not. So always stay calm and be careful. Never allow yourself to be pressured into taking action while on the phone. Neither your bank nor the police would ever pressure you into giving them personal information such as bank account data. The best thing to do is end the conversation and then call your bank or the police to clarify the situation or report the crime. Never use the redial function on your phone to do this. Instead, manually dial the number you know to be your bank’s. It is also important that you never accept an offer to perform remote maintenance on your computer because of a supposed security threat or technical problems. You should also never respond to a demand to make a payment to a ‘secure’ account via the telephone.
- Check the e-mail address of the sender. One way to do this is to compare it to earlier e-mails. In doing so, pay close attention to the address the mail was sent from – scammers often use e-mail addresses in which only one character differs from the real address. Always exercise caution when it comes to attachments and links sent by e-mail.
- Always check a link carefully before clicking on it. You can check the destination of the link by hovering the cursor over the link text. A pop-up window showing the link will open, or you will be able to view the link in the footer of the window. Make sure that the page begins with https:// and also check that the link uses the spelling you are familiar with for the website in question. Scammers often use web addresses that are very similar to those of well-known sites in order to simulate integrity and trustworthiness.
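The checks described in the pharming tip above (an extra dash or single changed character, extra words wrapped around the real name, a missing https) and in the spoofing tips (a sender address that differs by one character, a link whose visible text does not match its destination) can be written down as code. The following is an added example, not code from this glossary or from any product; the domains mybank.example and shop.example and all sample addresses are constructed, and the two-label rule for the registrable domain is an assumption.

```python
"""Lookalike checks for web addresses, sender addresses and link text."""
from urllib.parse import urlparse

# Constructed sample: the legitimate domains this user deals with. In practice
# take these from your own bookmarks or from earlier, trusted e-mails.
KNOWN_DOMAINS = ("mybank.example", "shop.example")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. login.mybank.example -> mybank.example.
    Assumption: a simple two-label rule; it ignores public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_host(host: str, known=KNOWN_DOMAINS) -> list:
    """Compare a hostname with the known-good domains and describe what differs."""
    if not host:
        return ["no hostname"]
    reg = registrable_domain(host)
    if reg in known:
        return []                      # a subdomain of a domain you trust is fine
    findings = []
    for good in known:
        distance = edit_distance(reg, good)
        brand = good.split(".")[0]
        if 1 <= distance <= 2:         # extra dash, swapped or replaced character
            findings.append(f"{reg} differs from {good} by {distance} character(s)")
        elif brand in host.lower():    # the real name wrapped in extra words
            findings.append(f"{host} uses the name '{brand}' but is not {good}")
    return findings or [f"{reg} is not a domain you know"]


def check_url(url: str, known=KNOWN_DOMAINS) -> list:
    """Flag a missing https and a lookalike hostname in a web address."""
    parsed = urlparse(url)
    findings = [] if parsed.scheme == "https" else ["connection is not https"]
    return findings + check_host(parsed.hostname or "", known)


def check_sender(address: str, known=KNOWN_DOMAINS) -> list:
    """Apply the same hostname checks to the domain part of an e-mail address."""
    domain = address.rpartition("@")[2]
    return check_host(domain, known)


def check_link(text: str, href: str, known=KNOWN_DOMAINS) -> list:
    """The hover check in code: does the visible link text match the destination?"""
    findings = []
    shown = ""
    if "://" in text or ("." in text and " " not in text.strip()):
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
    target = urlparse(href).hostname or ""
    if shown and registrable_domain(shown) != registrable_domain(target):
        findings.append(f"link text shows {shown} but the link goes to {target}")
    return findings + check_url(href, known)


if __name__ == "__main__":
    for url in ("https://login.mybank.example/", "http://my-bank.example/login",
                "https://mybank.example.secure-login.com/"):
        print(url, "->", check_url(url) or ["looks fine"])
    print(check_sender("service@mybank.examp1e"))
    print(check_link("https://mybank.example/login",
                     "https://mybank.example.secure-login.com/"))
```

Each function returns a list of plain-language findings, empty when nothing looks wrong, so the same checks can be run over a whole mailbox export or a list of links.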
“Your account has been blocked for security reasons.” “There’s a problem with your computer.” Criminals use these or similar statements to get their victims to give them their personal data or get them to make payments. The phone scammers claim to be from your bank, from the Federal Financial Supervisory Authority (BaFin) or from Europol or Interpol, or they pretend to be tech support from a software company. Then they might try and get you to give them your account details or other personal data so they can ‘compare’ them for ‘security reasons’ or reactivate your online banking functions. Alternatively, they might offer to ‘help’ you set up a new TAN system. In some cases, the scammers will try and gain access to your computer using remote maintenance software. In all these cases, their aim is to manipulate you into giving them your personal details or even making a direct payment by TAN.
Tips:
- You may see the telephone number of a bank or the customer service of the software company on your phone’s display. But, in actual fact, the caller ID has been manipulated to deceive you. Don’t be misled by the number on the display. Ask the caller for their name and if you are unsure, simply hang up. You can then contact the bank or company directly and ask them if it was a genuine call.
- But make sure you don’t call the telephone number that appeared on your display. Look up the correct number on their website, ask directory enquiries or look them up in a telephone book.
- Never give strangers access to your computer or smartphone by installing remote maintenance software. Do NOT click the link and do not download any programs, even if the caller comes across as amiable and trustworthy.
- Do not give in to pressure: It’s important to remain calm and level-headed. Criminals will probably pull out all the stops and, for example, may threaten to block your account or suggest that you will lose money if you don’t comply.
- Always keep your personal data confidential and keep the amount of data you let others have to an absolute minimum. Sensitive data include card details, passwords, PINs, TANs, address, telephone numbers and date of birth. Always consider whether this information is really necessary for the intended purpose.
- If ever your bank details are misappropriated – or you suspect they may have been – then report it to your bank immediately. Also contact the police and file a criminal complaint. The police can only prosecute the criminals and put a stop to the fraud once you’ve filed a criminal complaint.
Trojans are the oldest and most common form of malware. They are frequently installed by opening unknown file attachments or unintentionally downloading software from manipulated internet websites on to your PC (see also malware, ransomware).
Tips:
- Install all security updates for operating systems and application programs as quickly as possible. And always keep your anti-virus software up to date.
- Check the sender before clicking on a link or opening a file attachment.
- Once your computer has been infected, the only way to fix it is to completely reinstall the computer’s operating system. That’s why it’s important to regularly save your data on an external hard drive.
- If you suspect you may have downloaded malware, get advice from an expert and report the incident to the police or make a formal complaint.
The word vishing comes from the words voice and phishing: scammers aim to get their victims to give them their data or transfer them money. To do this, they use artificial intelligence (AI) to imitate voices that sound very convincing. If they imitate the voice of a family member saying they’re in trouble and urgently need help (e.g. “Mum, I’ve had an accident. They won’t let me go until I’ve paid a deposit. Help me!”), these are known as emergency scams.
Due to further developments in AI, it has now become possible to realistically imitate people’s voices. If you receive a call like this, it’s very difficult to know if the voice is real or fake. Criminals can, for example, use malware to get access to mobile devices and record conversations and then use them as ‘voice templates’.
Tips:
- Don’t allow yourself to be put under pressure on the phone. If you get one of these calls unexpectedly, hang up and promise to phone them back. Phone the person the caller claims to be on the number you know from your own address book. Do not use the automatic redial or callback function on your phone. Then find out if the story the caller told you is real.
- Listen out for small inconsistencies in the caller’s voice or robotic-sounding words. Individual characteristics in pronunciation, for example a certain dialect, an accent or words that the person you know usually uses or would not use, could also be a clue.
- Agree a family password that can serve as a codeword. Every member of the family should remember the password so they can repeat it when asked.
- Alternatively, you can ask them a question on the phone that only a real family member would know.
- Knowing that you could be the victim of such a scam helps you be more careful. Talk to your family and friends about it.
If you suspect you’ve been the victim of such a scam, let your bank and the police know immediately.
Contact Person
Tanja Beller
press spokeswoman