Cybercrime: how to protect yourself against hacking, phishing, etc.

Alarming cybercrime statistics: The Federal Office for Cyber Security (BACS) received around 63,000 reports of cyber incidents in 2024. This means that the number of reports has risen again compared to the previous year, namely by around 13,000 reports. These crimes caused many Swiss to lose money or important data.

What is cybercrime?

Katrin Sprenger: Cybercrime means illegal activities carried out online, such as phishing in various forms, hacking, ransomware or bullying and identity theft.

Why is cybercrime on the increase?

Katrin Sprenger: It’s safe to assume that the risk of being a victim of cybercrime may increase as the use of computers, tablets and smartphones grows. Browsing, shopping, and using social media are becoming more and more popular and are already part of many people’s daily routine. Whereas people were still very cautious just a few years ago about entering their personal data and information, phone numbers, and credit card details, for example, they now do this quickly, often without a second thought. These aspects play into the hands of cybercriminals: increasing quantities of leaked data are opening the door to many fraudulent schemes. This is why you should learn how to protect yourself against cybercrime.

We’ve seen a spate of warnings about phishing e-mails recently. Lukas Keller, what can happen if I open them?

Lukas Keller: Opening a phishing e-mail isn’t a problem in itself. The danger arises when you click on a link in fraudulent e-mails without thinking and enter confidential information when prompted. Criminals have then achieved their aim, as they have obtained your personal access details. To increase protection against cybercrime, it's best not to click on the link to a website when you get an e-mail from your bank, for instance, but instead manually enter the website address you already know in the address bar.

What’s the difference between phishing e-mails and malware?

Lukas Keller: Both methods are e-mail-based forms of attack. The main difference is that phishing attacks are intended to direct you to a website where you enter details that can then be saved and misused.

Malware e-mails aim to infect systems and end devices, usually computers. Fraudsters do so by placing "hidden" malware in a supposedly harmless attachment such as a PDF or Word document. When recipients click on the attachment, the program installs itself in the background. The aim of this kind of program is either to delete data from your computer or to track down specific data and send it to the cybercriminals.

Doxing, fuzzing, spear-phishing, ransomware, pharming? Our cybercrime glossary explains the major cybercrime offenses.

Do you often get text messages saying that you have to pay a small customs fee so that your package can be delivered?

Lukas Keller: This type of smishing (phishing via SMS text message) has become very common. People sometimes find it hard these days to keep track of all the deliveries they're expecting. Fraudsters are taking advantage of this by sending out text messages with a link to a website that allows you to make small payments with your credit card. But it is ultimately not the loss, usually less than CHF 5, that hurts people, but the damage caused by disclosing credit card details.

The criminals get the cardholder's name, the card number, and the CVV code and can, in the worst-case scenario, use these to "max out" the card by using up the full credit limit.

How can you tell whether a text message you've received is genuine or a smishing attempt?

Lukas Keller: As these messages don't normally differ from other ones, it's more or less impossible to tell the difference based on the message alone. However, the big parcel delivery companies such as DHL and Swiss Post generally notify you by e-mail about deliveries. The e-mail contains a link to a page which gives you a personal overview of the packages you're waiting for and usually shows you any outstanding payments.

Our tip is to set up a customer account with the delivery company. If you receive a text message, log in and check whether there are any amounts still to be paid on the deliveries you're expecting. 

What are the biggest digital threats for people working from home?

Katrin Sprenger: As more and more employees are working from home, there has been a massive increase in cybercrime. Cybercriminals have changed their methods and followed people home. There they are trying increasingly to exploit IT weaknesses, as it's almost impossible to guarantee the same high security standards at your desk at home as in the office. These threats aren't new, but they've taken on much greater significance as a result of large numbers of people making the shift to remote working in a short space of time.

The first threat: end devices. 

Many companies didn't have a laptop for every single member of staff, so they allowed their staff to use their own devices. This has led to many people working on outdated machines and systems with poor security, lacking the latest updates or even a virus scanner, opening the door to hackers seeking unauthorized access to data.

The second threat: Wi-Fi.

Since internet access is essential for working from home, people tend to use their existing Wi-Fi network. Unfortunately, everyone knows that people deliberately set simple passwords for their home network so they can easily pass them on to their visitors. This makes them easy to crack, allowing hackers to gain access to confidential data or infect computers with viruses and Trojans.

The third threat: e-mails

Staff working from home face a constant barrage of phishing e-mails, most of which are intended to steal secure data and information using malware or false information. Hackers still send links to fake websites or fake e-mails purporting to be from a known sender such as the recipient’s boss. It's often the human factor that's the problem here rather than IT security, as has always been the case: people open phishing e-mails because they're unsure, download harmful attachments to their computer without thinking or obliviously tell people posing as IT support their passwords.

E-mail applications, especially those on mobile devices, frequently have vulnerabilities too, and these allow cybercriminals to hack into them and gain access to data.

How can I protect myself and my company PC from cybercriminals?

Katrin Sprenger: People who work from home have to take more responsibility for security because their company's IT administrators aren't there to help them. It's especially important to make sure each and every employee is aware of this, but putting the right cybersecurity in place in the home working environment is also vital.

The best tip to protect the end device is still the same: install comprehensive anti-virus software that will protect against many of the threats outlined above – although 100% protection can never be guaranteed.

At the same time, unauthorized third parties must not be given access to hardware used to work from home. Ideally, company laptops and cell phones should be put in standby mode and locked with a password when not in use and kept out of the reach of others.

What can I do if I’ve fallen victim to credit card fraud?

Lukas Keller: Online credit card fraud isn’t much different from physically stealing the card itself. That’s why the very first step must be to have the card blocked. The problem on the internet is that  several transactions might have already been booked to the card by the time you realize that your details have been stolen. Look closely at each booking, go to the sites concerned, and try to get the orders canceled.

On some sites, you can see the IP address and location the order was placed from. If, for example, a transaction was made from Brazil, but you can prove that you were in Switzerland at the time, most website operators will show goodwill. It the transactions can’t be canceled, you’ll need to contact your credit card provider. They’ll cover the cost in most cases.

How often should I change my password for e-banking or my favorite online shops?

Lukas Keller: Your first question shouldn’t be "How often should I change my password?" but "How strong is my password?".  If your password is "1234", it can be hacked much more quickly than one made up of eight or more letters, numbers, and special characters. Most devices these days suggest a secure password like this whenever you set up a new account. On top of this, it’s always a good idea to use two-factor authentication where it’s offered. To increase security, you should also change the passwords on all platforms you regularly use every six to eight weeks.

According to an FSO study, the Swiss are very often victims of cybercrime by European standards. Why is this?

Lukas Keller: The FSO believes the main reason is that the Swiss are so lax when it comes to protecting their data. In 2019, only two thirds of users were using security software, down from three quarters in 2014.

I think it can also be explained by a combination of three factors. Firstly, Switzerland was quick to embrace the digital age, so it has a large number of potential targets despite its relatively small population. Secondly, high income levels make the Swiss attractive targets for cybercriminals.

Add in every individual user's general sense of security, which makes them complacent about protecting their own data, and this could be why Swiss people fall victim to cybercrime more often than other Europeans.

In your view, are there any online threats that are being completely underestimated or that people don’t even know about?

Katrin Sprenger: One of the most underestimated threats is identity theft. That’s when criminals steal personal details such as your date of birth, address, and even scans of your ID or birth certificate. They can get hold of these relatively quickly if they succeed in hacking your e-mail account. Most of us have sent a scan of one of these documents by e-mail at some point. The criminals then piece together the victim’s identity and offer it for sale on the Darknet or can use it to conclude contracts in the victim’s name. Their main aim is to make money from these stolen identities. Here it's vital to have the right protection against cybercrime.