
Password Theft via Phishing E-mails

Spam mails clog up your e-mail inbox and attempt to defraud you. But these mails may also infect your system with malware in order to spy on your personal data. Phishing, a portmanteau made up from the words password and fishing, is the name of the game for cyber criminals looking to 'fish' for your passwords.

Fishing for passwords sounds relatively harmless, but is quite serious in reality. Phishing is often the first step criminals take, and its consequences can range from 'simple' theft of data to illegal bank transactions and attacks on critical infrastructures. The BSI has previously reported phishing attacks on utility companies, including nuclear power plants, in Europe and the United States, for example.

Spear phishing: Not all phishing mails are sent out as part of a mass spam mailing: spear-phishing specifically targets certain companies or organisations. This is why a great deal of effort often goes into painstakingly tailoring the content for the intended recipient. The people behind these schemes are commonly a well-organised group of cyber criminals. Spear-phishing is generally just the beginning of a series of attacks intended to result in financial fraud or to steal trade secrets or military information.

Phishing - don't be fooled!

Spam e-mails use a fake sender to pretend to be a credible bank, Internet service provider or other service provider to convince victims that they must urgently update their personal data, for example. Criminals may mention that the victim's credit will otherwise expire soon, a false pretence to get the victim to confirm account information. Another excuse used is to claim there has been a security incident and passwords must be changed. Criminals rely on enough of the recipients of the wave of spam e-mails actually being customers of the organisation or company named. It is therefore no wonder that the names of large banks like the Royal Bank of Scotland are frequently used for phishing spam.

Phishing: perfect imitations of websites

Both the phishing mail and the website to which any links direct you are carefully designed to imitate the real thing. Cyber criminals know what they are doing. Too often they are successful because their professional imitation of the corporate design - the logo, the colours and fonts - of the specific organisation appears so real. It is much easier to convince unsuspecting recipients to click a link in the e-mail, especially if the link is hidden under a perfectly designed button. Con artists like this then have you exactly where they want you to be: on the fake website of a company that is considered to be highly trustworthy.

Phishing on social networks

Like a link in a phishing e-mail, posts on social networks can also take you to a fake website. Rather than a bank or large service provider, the false website might be for a well-known brand. However, the ultimate goal of the phishing fraudster is the same: to gain your trust and steal your personal data.