Data Theft on the Internet
Don’t Give Phishing a Chance

Phishing is one of the most common attack vectors for stealing login credentials and gaining unauthorised access to corporate networks or bank accounts. Learn how to protect yourself and what steps to take if you fall victim to a phishing scam.

Phishing
At a glance

  • In phishing attacks, cybercriminals use deceptively genuine emails, text messages, or phone calls to steal sensitive data like passwords.
  • Victims are often asked to click on links that either cause malware to be installed or lead to fake websites where they are prompted to log in with their credentials.
  • If you have accidentally entered your banking login credentials on a fake website, inform your bank immediately and have your online access blocked.

Definition
What is Phishing?

Phishing is a specific type of cybercrime; the term is a play on “fishing”, since the fraudsters cast out bait to fish for passwords. In phishing, fraudsters pretend to contact you on behalf of a bank (or another familiar company or organisation). Communication may occur via

  • email,
  • text message (SMS or messenger),
  • letter,
  • social networks, or
  • phone call.

The fraudsters’ main goal is usually to steal confidential information, such as PINs/passwords, individual transaction authentication numbers (TANs), or the photoTAN activation graphic, in order to gain access to your online banking (or other customer accounts).

In many cases, phishing emails are the first step of a ransomware attack, often with “double extortion”: the attackers encrypt your data and additionally threaten to publish the data they copied beforehand.

Executives and IT personnel are especially attractive targets because their accounts carry the widest access rights.

Companies of all sizes, from small craft businesses to multinational corporations, are targeted. In addition to technical protective measures, raising security awareness among employees is crucial.

How do phishing fraudsters obtain my email address?

Phishing attacks are often conducted on a large scale, with phishing emails sent to multiple email addresses simultaneously. Fraudsters acquire these email addresses from publicly available sources, such as social media accounts or company websites, as well as from compromised sources like hacked service providers and suppliers that have fallen victim to cyberattacks.

What happens in a typical phishing attack

In most cases, recipients receive phishing messages urging them to click on a link or open a file attachment. Many phishing messages appear deceptively genuine, and even the sender addresses may only be recognisable as fraudulent upon closer inspection. Opening an email attachment can cause malware to be installed on the victim’s computer. Alternatively, the links may lead to fraudulent, seemingly genuine websites (e.g., belonging to banks) where internet users are prompted to log in with their credentials. Once entered, these credentials are stored by fraudsters.

Even with stolen credentials, cybercriminals still need to get past two-factor authentication before they can execute transactions, transfer funds, or make expensive purchases in the victim’s name. To achieve this, they employ various tricks:

Three ways phishers bypass two-factor authentication in digital banking

Phishing with the photoTAN activation graphic

Fraudsters ask for your credentials along with the photoTAN activation graphic. The sender appears trustworthy, pretending to be a bank or service provider. However, banks will never request your photoTAN activation graphic. Once the attackers have your credentials and the activation graphic, they can activate the photoTAN procedure on a device they control and take over your account.

Important: Never share your activation graphic with third parties, whether as a photo, scan, copy, or original. Internally, establish a procedure requiring dual approval (four-eyes principle) for payment transactions or authorisations.

Multi-factor authentication bombing

The attacker already has your credentials but still needs you to approve a TAN request. In this tactic, you suddenly receive numerous TAN requests via your photoTAN app or reader, even though you haven’t initiated any action. The goal is to confuse or exhaust you so that you inadvertently approve one such request, granting the attacker access or authorising a transaction. Never approve a request you did not trigger yourself; if the requests keep coming, the attacker evidently has your credentials, so change your PIN and contact your bank.
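To make the pattern concrete, here is an added example (not Commerzbank’s code and not part of the original page) that scans an approval log for bursts of push/TAN requests and for an approval that arrives while a burst is under way. The log format, the user names, the event names and the threshold of four requests in five minutes are assumptions; a real deployment would read the audit export of the banking portal or identity provider.

```python
"""Flag MFA/TAN "bombing" in an approval log.

Added example, not Commerzbank's code. The log format (timestamp, user,
event, result), the threshold and the window are assumptions; map them
onto the audit export of your own banking portal or identity provider.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (time-ordered): alice is bombed with push requests
# she did not trigger and finally approves one; bob's events are normal usage.
SAMPLE_LOG = """\
2024-05-02T08:01:10Z alice push_request denied
2024-05-02T08:01:25Z alice push_request denied
2024-05-02T08:01:40Z alice push_request denied
2024-05-02T08:01:52Z alice push_request denied
2024-05-02T08:02:05Z alice push_request denied
2024-05-02T08:02:20Z alice push_request approved
2024-05-02T09:15:00Z bob push_request approved
2024-05-02T11:40:00Z bob push_request denied
"""

BURST_THRESHOLD = 4                  # requests per user ...
BURST_WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed values)


def parse_line(line: str):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_bombing(log_text: str, threshold: int = BURST_THRESHOLD,
                   window: timedelta = BURST_WINDOW):
    """Return a list of (user, timestamp, reason) alerts.

    "burst": the user received `threshold` requests inside `window`.
    "approval_after_burst": an approval arrived while a burst was still
    inside the window, i.e. the attacker's prompt was probably accepted.
    The log must be in time order for the sliding window to work.
    """
    recent = defaultdict(deque)   # user -> request timestamps still inside the window
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, result = parse_line(raw)
        if event != "push_request":
            continue
        window_q = recent[user]
        window_q.append(ts)
        while ts - window_q[0] > window:      # drop requests that aged out of the window
            window_q.popleft()
        if len(window_q) == threshold:
            alerts.append((user, ts, "burst"))
        if result == "approved" and len(window_q) >= threshold:
            alerts.append((user, ts, "approval_after_burst"))
    return alerts


if __name__ == "__main__":
    for user, ts, reason in detect_bombing(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run as a script, it reports a burst for alice at the fourth request and an approval after the burst at 08:02:20; bob’s ordinary approve/deny pair triggers nothing. A burst on its own already means the attacker holds a valid password, so the first alert should lead to a PIN reset and a call to the bank, not just a warning to the user.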

Real-time data theft

In real-time phishing, you enter your credentials on a counterfeit banking website that looks authentic. Instead of storing your credentials for later, the fraudsters use them immediately to log into your real online banking account, which triggers a genuine TAN request on your device. Believing it belongs to the login you have just started, you approve it, and the attackers gain full access.

Common types of phishing scams

Phishing comes in many forms. Depending on the target person and the method of contact, there are numerous variations beyond traditional mass-email phishing. Below is an overview of the most common phishing types:
  • Spear phishing: In this method, victims are extensively researched beforehand using publicly available channels such as social media or websites. Based on this information, personalised messages are sent to selected individuals, making the message appear more credible.
  • Whaling: High-ranking executives or key decision-makers within a company are targeted in this type of attack.
  • Smishing: The contact is made via SMS or WhatsApp messages. The content often involves, for example, verifying account data or addressing problems with corporate credit cards.
  • Vishing: In this method, criminals call their victims directly, pretending to be bank employees or similar, and request online banking credentials during the phone conversation.
  • Quishing (QR-code phishing): This phishing variant involves fake QR codes in letters or emails, which lead to fraudulent websites. For example, QR codes on invoices might contain incorrect account information, resulting in funds being transferred to scam accounts. Always exercise caution when scanning QR codes from unfamiliar sources.

Note:

The common thread across all these phishing techniques is that they do not depend on a technical vulnerability: they target humans as the weakest link, a principle known as social engineering. Where malware is involved, it usually gets onto the system only after the victim has been tricked into opening an attachment or enabling macros.

Typical warning signs
How do I recognise phishing?

Urgency:

With subject lines such as “Your account will be temporarily blocked” or “Final warning,” fraudsters aim to create a sense of pressure and fear, prompting victims to act hastily. Common claims involve supposed updates to account or bank details, new data protection policies, or security checks supposedly necessary to avoid account suspension.

Fake URLs:

The link text shown in a phishing email can say anything the fraudsters like; the real target is set separately. Hover your mouse over a link (without clicking) to preview the actual URL; on a smartphone, long-press the link instead. Check the target carefully, even if it appears legitimate at first glance: the genuine domain name must sit directly before the first single slash, not buried in a subdomain such as www.commerzbank.com.some-other-domain.example. Never log into your online banking account via links in messages or via search engine results. Instead, enter the bank’s URL manually into your browser (e.g., https://www.commerzbank.com/corporateclients).

Fake sender addresses:

At first glance, the sender of a phishing email might appear trustworthy. Only on closer inspection might irregularities in the sender's address become noticeable, such as misspellings in the company name or an incorrect domain suffix (e.g., “.eu” instead of “.com”). The displayed sender name (e.g., “Commerzbank”) can be set freely by whoever sends the mail and is not a reliable indicator of authenticity; look at the actual address behind it. Even that address can be forged unless the receiving mail server verifies it (SPF, DKIM and DMARC), so a plausible sender address alone never proves that a message is genuine.
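The two checks above (the real link target and the real sender domain) can be automated. The following added example (my code, not Commerzbank’s) classifies the host a link really points to and compares an email’s display name with the domain of its actual address. TRUSTED_DOMAINS, the sample URLs and the sample From: headers are constructed assumptions, and the rule that the registrable domain is the last two labels of the host name is a simplification (a production check would use the Public Suffix List).

```python
"""Check the real target of a link and the real sender address of an email.

Added example, not Commerzbank's code. TRUSTED_DOMAINS, the sample URLs
and the sample From: headers are constructed for illustration. The
"last two labels" rule for the registrable domain is a simplification;
a production check would use the Public Suffix List.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"commerzbank.com", "commerzbank.de"}  # assumption: your bank's genuine domains
MAX_LOOKALIKE_DISTANCE = 2                                # edits that still count as a typosquat


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch misspelled brand names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """'www.commerzbank.com' -> 'commerzbank.com' (simplified, see module docstring)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def _brands(trusted) -> set:
    """Second-level labels of the trusted domains, e.g. {'commerzbank'}."""
    return {d.split(".")[0] for d in trusted}


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify the host a link really points to."""
    parts = urlsplit(url.strip())
    host = parts.hostname          # drops userinfo ("commerzbank.com@evil.example") and port
    if not host:
        return "no-host"
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "ok" if parts.scheme == "https" else "plain-http"
    if any(d in host for d in trusted):
        return "brand-in-subdomain"   # www.commerzbank.com.secure-login.example
    labels = reg.split(".")
    if len(labels) < 2:
        return "untrusted-domain"
    sld = labels[0]
    if sld in _brands(trusted):
        return "wrong-tld"            # commerzbank.eu instead of commerzbank.com
    if any(edit_distance(sld, b) <= MAX_LOOKALIKE_DISTANCE for b in _brands(trusted)):
        return "lookalike-domain"     # commerzbanc.com
    return "untrusted-domain"


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Compare the display name with the domain of the actual address."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if registrable_domain(domain) in trusted:
        return "ok"
    if any(b in name.lower() for b in _brands(trusted)):
        return "display-name-mismatch"   # "Commerzbank" <x@some-other-domain>
    if any(b in domain for b in _brands(trusted)):
        return "lookalike-domain"        # commerzbank-secure.eu
    return "untrusted-domain"


if __name__ == "__main__":
    # Constructed samples, not real phishing mails.
    for url in ("https://www.commerzbank.com/corporateclients",
                "https://www.commerzbank.com.secure-login.example/login",
                "https://www.commerzbank.eu/login",
                "https://commerzbanc.com/login",
                "https://www.commerzbank.com@evil.example/login"):
        print(f"{check_link(url):22} {url}")
    for hdr in ('"Commerzbank" <service@commerzbank-secure.eu>',
                '"Commerzbank" <info@commerzbank.com>'):
        print(f"{check_sender(hdr):22} {hdr}")
```

Note what the verdicts cannot tell you: a link that comes back “ok” can still lead to a compromised page, and a sender address that comes back “ok” can still be forged unless your mail gateway enforces SPF, DKIM and DMARC. The checker is a filter for the obvious fakes, not proof of authenticity.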

Macros in files:

Macros are automated scripts that perform pre-programmed actions. They often appear in documents like Excel or Word as seemingly harmless functionality, prompting users to “enable macros” or “enable content” upon opening. While macros serve legitimate automation purposes, attackers use them to download malware or execute unwanted actions in the background. Do not enable macros in files from suspicious or unexpected sources, and treat a document whose only visible content is an instruction to enable macros as a red flag.
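As an added example (not Commerzbank’s code), the script below shows how a mail gateway or a cautious recipient can detect macro-enabled Office attachments without opening them: a modern Office file is a zip archive, and an embedded VBA project shows up as a vbaProject.bin part declared with the content type application/vnd.ms-office.vbaProject. The two sample documents are constructed in memory, and the file names are assumptions.

```python
"""Inspect an Office attachment for embedded VBA macros before opening it.

Added example, not Commerzbank's code. The two sample documents are
constructed in memory so the script runs offline; a real attachment would
be passed in as open(path, "rb").read().
"""
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"            # legacy binary .doc/.xls/.ppt container
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"   # content type of the vbaProject.bin part
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_office_file(filename: str, data: bytes) -> dict:
    """Return {'file', 'macros', 'flags'} for one attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    findings = {"file": filename, "macros": False, "flags": []}

    if data.startswith(OLE_MAGIC):
        # Old binary format: macros live in OLE streams and need an OLE parser
        # (e.g. oletools) to inspect; treat as unknown and therefore suspicious.
        findings["flags"].append("legacy-ole-format")
        return findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["flags"].append("not-office-open-xml")
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        declares_vba = False
        if "[Content_Types].xml" in names:
            declares_vba = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml").decode("utf-8", "replace")

    if has_vba_part or declares_vba:
        findings["macros"] = True
        findings["flags"].append("vba-macros-present")
        if ext not in MACRO_EXTENSIONS:
            findings["flags"].append("extension-mismatch")   # macros behind a "harmless" extension
    return findings


def build_package(parts: dict) -> bytes:
    """Build a minimal OOXML-style zip from {part name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CT_HEAD = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
# Constructed samples: a plain document and a macro-enabled one.
CLEAN_DOCX = build_package({
    "[Content_Types].xml": CT_HEAD + '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": "<w:document/>",
})
MACRO_DOCM = build_package({
    "[Content_Types].xml": CT_HEAD + '<Override PartName="/word/vbaProject.bin" '
        'ContentType="' + VBA_CONTENT_TYPE + '"/></Types>',
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"placeholder bytes, not a real VBA project",
})

if __name__ == "__main__":
    for name, blob in (("Invoice.docx", CLEAN_DOCX), ("Invoice.docm", MACRO_DOCM), ("Invoice.docx", MACRO_DOCM)):
        print(inspect_office_file(name, blob))
```

A macro-enabled file whose extension is not one of the macro formats, or a legacy binary .doc/.xls file that cannot be inspected this way, deserves the same treatment as a detected macro: do not open it until the sender has confirmed it through an official channel.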

Grammar or spelling errors:

Although not always, phishing emails can sometimes be identified by poor language, such as linguistic or spelling mistakes. These often arise because the attackers operate internationally and automatically translate phishing emails into multiple languages. However, an increasing number of phishing emails are now nearly error-free, making them harder to spot.

Vague messages:

Be cautious of messages with vague content, such as “There is an issue with your account.” Legitimate messages from your bank or a supplier usually address you by name and refer to specifics such as an order or customer number; phishing emails often omit a personal salutation and such details.

Requests for confidential information:

Phishing aims to extract sensitive data from internet users. Always be suspicious if someone asks for PINs, TANs, or passwords via email, SMS, or phone.

Phishing attacks made more sophisticated by artificial intelligence (AI)

Using generative artificial intelligence, phishing emails and websites can now be created to appear even more professional and personalised. For instance, AI tools can mimic the writing style of specific individuals or institutions and generate flawless, plausible messages in multiple languages. These advancements also make such phishing attempts faster and easier for criminals to execute. Increasingly, AI tools are being deployed to imitate human voices, enabling fraudsters to convincingly impersonate individuals over the phone.

Avoiding data theft
How to protect yourself from phishing

Generally, always remain vigilant and handle your sensitive data with care. If an email or message seems suspicious, contact your bank or the supposed sender through official channels (not through the contact details given in the message) for clarification.

If you receive a suspicious email or text message, follow these guidelines:

  1. Do not click on any links or attachments.
  2. Do not disclose sensitive information.
  3. Never share your photoTAN activation graphic with others — whether via photo, scan, copy, or original.
  4. Do not install unsolicited software.
  5. Avoid responding to emails or messages.
  6. Trust your instincts, and don’t let stress or time pressure override your caution.
  7. Ask yourself whether the content of the message makes sense and whether you initiated the process it refers to.

When you receive a suspicious phone call, adhere to the following:

  1. Do not provide personal or online banking credentials over the phone.
  2. Do not install software pushed onto you by the caller. End the call and block the number.
  3. Do not call back if strange voicemail messages are left on your phone.

How can you further protect yourself?

  • Reach out to the alleged sender: If you have received an email you suspect is phishing and are unsure whether it is genuine, use official contact methods to check its legitimacy with the supposed sender (e.g., your bank, service provider, etc.). If you have concerns about your account data, contact Commerzbank for assistance. Reach out to your corporate client adviser or call our hotline.
  • Set up internal controls: Introduce a dual-approval process (known as the four-eyes principle) when managing payments or access authorisations, and avoid granting single authorisations.
  • Unique employee logins: Assign each employee a unique login for the corporate client portal. Avoid shared logins or sharing user credentials among team members.
  • Change PINs regularly: Regularly update your PIN code as a precautionary measure. Securely store your PIN and photoTAN activation graphic — do not save them on your computer (even in financial or bookkeeping software) or smartphone.
  • Deactivate unused online access: If you don't plan to use Commerzbank applications for a certain period, deactivate your online access as an additional security measure against unauthorised usage.

Commerzbank at your side
What we do for your security in the corporate client portal

High-security standards

The corporate client portal and its various applications are regularly tested and reviewed by security teams during development.

Deactivating fraudulent phishing websites

Although we cannot prevent phishing emails from arriving in your inbox, we ensure that the fraudulent websites linked within such emails are deactivated promptly in most cases.

Two-factor authentication

Access to our online portal is secured by two-factor authentication (2FA) as an extra layer of protection. 2FA cannot completely prevent phishing (the tricks described above, such as MFA bombing and real-time phishing, are aimed precisely at it), but it significantly raises the bar for attackers who only hold stolen credentials.

Personal advice

If you have any questions or security concerns, please contact your dedicated corporate client adviser directly.
