
"In the worst case, one wrong click paralyzes the whole company"


A harmless-looking email from an internal company address, perhaps combined with a request to register for a new mailing list. In fact, however, cyber criminals are the senders. They want to break into the company network in this way. In broad daylight.

Such attacks are called phishing. The neologism combines "password" and "fishing" (angling), meaning password fishing. "For example, attempts are made to lure users to fraudulent sites with fake messages, emails or SMS," explains Andy Voss from "Computer Bild".

Phishing attacks are not always immediately recognizable, even for experienced users or professionals, and are increasingly directed at company employees working from home. "Employees working from home are popular because they are easy victims. While the company admin still has a certain amount of control over the work computers in the company, this is often not the case in the home office," says Ronald Eikenberg from the "c't" trade magazine.

A company is particularly vulnerable when employees use their own computer for home office work, which is also used privately. “If the employee catches a Trojan at home, it can then ravage the company network through the VPN connection. In the worst case, one wrong click can paralyze the entire company,” warns Eikenberg.

The IT industry association Bitkom therefore advises against using private computers for home office work. "It is better to only use company devices, on which, for example, access rights are then restricted and only administrators are allowed to install software," says Simran Mann, IT security expert at Bitkom. On company devices it can also be ensured that necessary security updates are actually installed.

If a home office computer is infected, this is not necessarily apparent right away. One goal of the attackers is to remain undetected for as long as possible, explains Eikenberg. "Indications of this are, for example, redirected website calls, the appearance of programs that you have not installed or a sudden increase in system load." Users should also become skeptical when the virus scanner raises an alert.

Despite all the technical possibilities: in the end it is always the user who is at the center of a cyber attack. “Phishing is a form of social engineering, i.e. an attack on the human vulnerability. Technical protective measures make sense, but cannot prevent such attacks,” says Eikenberg.

Nevertheless, one rule always applies: only work with up-to-date software and only with an active virus protection program. The Defender integrated in Windows 10 and 11 is sufficient in many cases, says Eikenberg. Email remains the main gateway for cybercriminals.

"But there have been and certainly still are attacks in which employees are slipped prepared USB storage devices that automatically install malware when they are plugged into the company notebook," says Bitkom expert Mann. Here, however, the effort for the attackers is of course much higher.

While e-mail attacks used to be relatively easy to detect, for example through poor German in the body of the e-mail, it is now much more difficult. "Some of these e-mails have been researched very professionally and extensively, right down to the e-mail signatures of the supposed senders," warns Simran Mann.

Criminals are also still trying to gain access to computers by telephone. This is known as vishing, a neologism formed from "voice" and "fishing".

A classic: scammers pretend to be Microsoft support employees on the phone and repeatedly manage to get people to install remote maintenance software. They then have full control over the computer and access to all of its data.

Andy Voß advises hanging up on such calls immediately. Neither Microsoft nor other reputable companies ever make unsolicited calls or simply send emails asking for personal information. One of the best protections against cyber attacks and social engineering: common sense and skepticism.

"Of course, if you actively inform yourself about the tricks of the attackers, you will recognize them more easily," says Voss. Under no circumstances should you open attachments in emails from unknown senders just out of curiosity.

Cybercriminals have it relatively easy with home office workers because communication is almost exclusively digital. “There is no personal exchange in private. The probability is much higher that you fall for a fake mail that supposedly comes from the boss or admin,” says Eikenberg.

If you are unsure, it is better to ask one question too many by phone than to open dubious attachments or follow vague instructions.

But it's not just about the employees. According to the IT industry association Bitkom, companies could also do a lot more to make company networks more secure.

"Cyber security must be a top priority," says Simran Mann. "Companies must recognize that protecting IT as a central infrastructure also costs money."

As a guideline, the Federal Office for Information Security (BSI) recommends in its situation report on IT security that companies spend 20 percent of their IT expenditure on cyber and information security. But only 16 percent of companies responded to the Corona crisis by increasing their budget for information security.
